Grey Hack

Grey Hack Basics - How to test software for malware
By Xclusive
A basic overview of how to treat software you don't 100% trust.
This guide will give you some basic aptitude at determining whether a piece of software might contain malicious elements.

If some of the network infiltration steps of this guide aren't readily transparent to you, you may refer to the Viper Basics guide link found at the bottom. Therein I go through all the steps taken during that section in detail.
Intro
Unsure if what you've got your hands on is a piece of malware?
Afraid someone might be trying to rshell you?

If you've gotten ahold of a piece of software you're not entirely sure you trust, hey, maybe just delete it?

If deleting it is out of the question, then the first rule is this:
Don't run software you don't trust on your own servers/PC.

When running software you don't know, why potentially expose your own network to it?
Make an NPC bear the brunt of the risk, while you look out for anything suspicious.

I'll pretend like I've just received a piece of software from someone, then run you through the basics of how to safely poke it, to see what it'll do.
Obtaining suspicious software and infiltrating an NPC
Oh wow, look at that! My acquaintance for whom I hold some fond regard, but probably not absolute trust, sent me this piece of nifty software! What could it be?


Wow, that doesn't look suspicious at all. But I better test it anyway, since that's just good practice.
To do that, I'll just hack a random NPC system.


Fantastic. Next step!
Getting the tools together
Now that we have access and root, we're gonna need to transfer over a few things.

  • The program we're checking - obviously.
  • Sniffer - accessible from the HackShop.

  • htop - optional, accessible from the guys who made Viper.
You can get htop by adding their repository with apt-get addrepo 105.96.145.49, then running apt-get update, then apt-get install htop.


htop is basically an improved real-time ps command.


You can do almost the same job with just continuous use of the ps command, but htop is my preferred method.
I'll be showcasing both instances.



Alright, we have all that we'll need!
Setting up properly
The files are gathered, time to set up the programs.

First, run the sniffer.


We then run htop. Or if you're not using htop, run a preliminary ps command instead.



We're now ready and situated. Let's get an overview.
Launching the software and taking notes
Alright. Everything is ready and we have a good overview.
It's time for us to launch the software and take careful notes.



That's strange. Sniffer isn't picking anything up. No process is running called something suspicious like rshell... but what's that?

A new FileExplorer process is suddenly running. What's more, this supposed FileExplorer process is currently using 0.0% memory.


This is obviously a case of one process masquerading as a legitimate one for some nefarious purpose: a real FileExplorer would not sit at 0.0% memory, and we never launched one.

Kill the process and delete that software from any of your machines.

That's why you have to be wary of the details. Renaming a process is just one of many obfuscation methods people use to hide their malware, so take note of every unexpected discrepancy, however small.

Another thing to look out for is a program starting more than one process when you launch it, as a program may try to distract you by launching a legitimate-looking process at the same time as its malicious one.

Again, careful monitoring of htop or the ps command is crucial for catching these.
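The manual check above (take a ps snapshot, launch the program, take another, and look at what changed) can be automated as a diff of the two snapshots. The following is an added illustration written for this guide, not code from the game or from any of the tools credited here; the column layout (USER PID CPU MEM COMMAND) and the two sample snapshots are constructed to mirror the FileExplorer case described above, and the process names in them are made up.

```python
"""Diff a before/after ps-style snapshot and flag what a launched program added.

Added illustration of the guide's manual check; not the game's own code.
The column layout and the sample rows below are constructed (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    user: str
    pid: int
    cpu: float   # percent
    mem: float   # percent
    command: str


def parse_ps(text: str) -> list[Proc]:
    """Parse a ps/htop-style table. The first line is the header and is skipped."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed row
        user, pid, cpu, mem = parts[:4]
        procs.append(Proc(user, int(pid), float(cpu.rstrip("%")),
                          float(mem.rstrip("%")), " ".join(parts[4:])))
    return procs


def find_suspects(before: list[Proc], after: list[Proc],
                  launched: str) -> list[tuple[int, str, list[str]]]:
    """Return (pid, command, reasons) for each process the launch added that looks wrong.

    `launched` is the command name we actually started. Any other new process,
    any new process at 0.0% memory, and any launch that created more than one
    process are the three tells the guide describes.
    """
    known = {p.pid for p in before}
    new = [p for p in after if p.pid not in known]
    findings = []
    for p in new:
        reasons = []
        if p.command != launched:
            reasons.append("runs under a different name than the program we launched")
        if p.mem == 0.0:
            reasons.append("reports 0.0% memory, which a genuinely running program should not")
        if len(new) > 1:
            reasons.append(f"launch created {len(new)} processes; one may be a decoy")
        if reasons:
            findings.append((p.pid, p.command, reasons))
    return findings


# Constructed sample snapshots: the baseline with sniffer and htop running,
# then the same box after launching the gift program "niftytool".
BEFORE = """USER PID CPU MEM COMMAND
root 1 0.0% 11.8% kernel_task
root 29 0.0% 1.5% Xorg
root 112 0.0% 2.1% sniffer
root 130 0.3% 1.9% htop
"""

AFTER = """USER PID CPU MEM COMMAND
root 1 0.0% 11.8% kernel_task
root 29 0.0% 1.5% Xorg
root 112 0.0% 2.1% sniffer
root 130 0.3% 1.9% htop
root 155 0.0% 1.2% niftytool
root 156 0.0% 0.0% FileExplorer
"""

FINDINGS = find_suspects(parse_ps(BEFORE), parse_ps(AFTER), launched="niftytool")

if __name__ == "__main__":
    for pid, command, reasons in FINDINGS:
        print(f"pid {pid} ({command}):")
        for reason in reasons:
            print(f"  - {reason}")
```

The diff is keyed on PID rather than name precisely because the malicious process borrows a legitimate name; "niftytool" itself is only flagged for being one of two processes the launch spawned, while the fake FileExplorer trips all three checks.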

In this instance we were dealing with a very basic rshell, and as such the sniffer didn't catch anything; the process list was the only tell.

It's important to remember that a program clearing one of your tests does not mean it isn't malicious.

All it means is that it cleared the one specific thing you were testing for.

The best piece of advice remains: don't run any software you don't trust.
But when you do it anyway, do it carefully and away from home.
Bonus - Sniffer in action
Sniffer software can be a great tool for picking up on unexpected traffic at a given location.

Say the program in question sent the IP and ssh details of the machine it was executed on back to whoever wrote it. Our sniffer would then be able to pick up on any unexpected traffic to and from that machine when they come back to use them.

Let's quickly showcase how that might look, so you have an example of what to look out for.


Scary stuff. Keeping this in mind, it might be in your best interest to keep a close eye on the system you used to run your suspected malware.

Attacks or infiltration may not occur immediately; any potential aggressor might just quietly squirrel away whatever information the program has provided them for a later, more opportune time.
Credits and further guidance
Xclusive - Me. For writing it, obviously.
Volk - Making the Viper tool shown in the guide.
GrumpyBunny - Ideas guy and general advice.

For a guide showing you the basics of starting out in multiplayer, check here [justpaste.it] or here.
For a guide showing you the basics of the Viper tool, check here [justpaste.it] or here.
For a guide showing you the basics of securing yourself and your network, check here [justpaste.it] or here.

For further assistance, stop by our Discord [discord.gg].
Feel free to direct any further questions to us in the general chat.
GrumpyBunny is online and willing to field questions more often than not.
1 Comment
ewaldm Oct 9, 2024 @ 9:07pm 
Volk is a bitch. Viper users = skids.