what if i want to test a game which is apparently infected (malware/virus) ?


RemiD(Posted 2017) [#1]
Hello,

What if I want to test a game which is apparently infected (by malware/a virus)?

The obvious safe approach is to run it on a computer which is dedicated to testing infected/potentially dangerous programs and is not connected to the internet...

Any other ideas?

Here is the (Blitz3D) game in question:
https://archive.org/details/Driller
https://www.youtube.com/watch?v=kyWbgW21lWo

I am just curious to test it; it seems rather good.
Thanks,


Derron(Posted 2017) [#2]
You might open it in IDA Pro (or the disassembler of your choice) and stub the problematic functions.

There was even a time when antivirus tools were able to just remove the virus from the file (instead of deleting the whole thing).


But yeah: set up a VM and disconnect it from the internet. I think the malware is not advanced enough to break out of the VM.


bye
Ron


Dan(Posted 2017) [#3]
Run it under vmware and see how it behaves.

Avira does not report any virus here. And the game works under VMware XP.


RemiD(Posted 2017) [#4]
No idea what VMware is...

Another idea, not suggested here: use a live boot CD with Windows XP (everything is stored in RAM and cleared when the computer is shut off; maybe it will run, since it is an old program which does not require other things to be installed (maybe DirectX?)).


xlsior(Posted 2017) [#5]
No idea what VMware is...


It's a virtual machine, like Microsoft Hyper-V / VirtualPC / VirtualBox. It's essentially a sandbox container running a second copy of the OS, which can be 100% self-contained, and if you create snapshots you can completely roll back to that point in time, undoing whatever damage malicious software did inside the sandbox.

The downside is that most of the hardware is virtualized as well, meaning you have limited 3D acceleration and most modern games don't perform very well that way.

(It's also a great way to try out new/free software. Need an app that does -x-? Download two dozen of them, try them all out inside a virtual machine, and when you figure out which one you like, roll back the virtual machine to remove all trace of all of them and install the one you want in your real OS environment. Makes Windows run nice and smooth for much longer than when you continuously install and uninstall all kinds of random crap. Of course, you will need an additional Windows license to run the virtual environment.)


Henri(Posted 2017) [#6]
There is also sandboxing software like https://www.sandboxie.com/index.php?DownloadSandboxie. Sandboxie is not free, but there might be a trial period.

A list of other sandboxing software is at http://listoffreeware.com/list-of-best-free-sandbox-software-for-windows/

-Henri


coffeedotbean(Posted 2017) [#7]
Take it round ya mums.


Wiebo(Posted 2017) [#8]
Don't do it.


Steve Elliott(Posted 2017) [#9]
Curiosity killed the cat?


Dan(Posted 2017) [#10]
I'm a registered user of Sandboxie and this game crashes under it.

VMware Player


Imperium(Posted 2017) [#11]
Couldn't you run it in Sandboxie and, for good measure, use something like TinyWall and set your firewall to BLOCK ALL?

Also, Sandboxie is free. The paid version removes the nag screen, which adds a 5 second delay when sandboxing once the trial expires.


dna(Posted 2017) [#12]
There's also software called Avast. It's free.
Avast will scan the game for malware and other forms of viruses and ask you to quarantine the game.
But if you want to save the game, not quarantining it, then use a disassembler as described above.


Imperium(Posted 2017) [#13]
Omg... That's the Domark game that came with Virtual Reality Studio 1.0! Looks like an awesome remake... I really loved those Freescape games. I actually have two boxed copies of VRS 2.0, sealed in the boxes.

What makes you suspect this game is infected with malware? Could be a false positive.


RemiD(Posted 2017) [#14]
Malwarebytes reports that there is a trojan in the executable...


TomToad(Posted 2017) [#15]
Driller.exe is encrypted with Molebox. From what I can read, if you use the default key when using Molebox, many virus scanners will flag the exe as a virus. It seems many virus developers hide their code with an encrypted container such as Molebox, so companies like Avast and Malwarebytes will always flag them as malware. Unfortunately, the only way to tell if it is a virus or a false positive is to run it and see what happens.


RemiD(Posted 2017) [#16]
It is also reported as a trojan by other anti-malware tools:
https://virustotal.com/en/file/cccc3549cc51ec159aa46ac1d1cbac10588cbe35870fddbf677966155f6ed918/analysis/1485290544/
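To make the last two points concrete (TomToad's note that a Molebox-packed exe trips packer heuristics, and the VirusTotal report linked just above), here is an added Python example; it is not from this thread and not the game developer's code. It does two things a careful tester wants before running anything: it hashes a local file and compares the digest with the SHA-256 from the VirusTotal URL, so you know the file you downloaded is the sample that was actually analysed, and it walks the PE section table computing per-section byte entropy, since a section near 8 bits/byte is compressed or encrypted data, which is what an encrypted container produces and what generic "packed" detections key on. The sample PE it builds is constructed test data, not Driller.exe; the section names, the 7.0 entropy threshold and all function names are my own choices.

```python
import hashlib
import math
import os
import struct
import tempfile
from collections import Counter

# SHA-256 taken from the VirusTotal report URL above; it is the only sample hash on this page.
VIRUSTOTAL_SHA256 = "cccc3549cc51ec159aa46ac1d1cbac10588cbe35870fddbf677966155f6ed918"


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large executable never has to sit in memory twice."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes
    (which is what compressed or encrypted payloads look like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Walk the PE section table and return [(name, raw_size, entropy), ...].
    Only the fields needed for triage are read; a non-PE file raises ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                 # COFF header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional                # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                            # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_size, shannon_entropy(data[raw_ptr:raw_ptr + raw_size])))
    return sections


def triage(path, expected_sha256, entropy_threshold=7.0):
    """Offline first look at a suspicious exe: is it the file that was actually analysed,
    and what share of its bytes is high-entropy (packed/encrypted)? Threshold is my choice."""
    digest = sha256_of_file(path)
    with open(path, "rb") as f:
        sections = pe_sections(f.read())
    total = sum(size for _, size, _ in sections) or 1
    packed = sum(size for _, size, ent in sections if ent >= entropy_threshold)
    return {
        "sha256": digest,
        "matches_report": digest == expected_sha256.lower(),
        "sections": sections,
        "high_entropy_fraction": packed / total,
    }


def build_sample_pe(section_bodies):
    """Build a minimal PE image for testing (constructed data, not a real program).
    No optional header is emitted; that is enough for section-table parsing."""
    e_lfanew = 0x40
    num = len(section_bodies)
    ptr = e_lfanew + 4 + 20 + 40 * num                  # raw data starts after the section table
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 0, 0)   # i386, num sections, no optional header
    headers, bodies = b"", b""
    for name, body in section_bodies:
        headers += name.ljust(8, b"\0")[:8]
        headers += struct.pack("<IIII", len(body), 0, len(body), ptr) + b"\0" * 16
        bodies += body
        ptr += len(body)
    return dos + b"PE\0\0" + coff + headers + bodies


def run_demo(expected_sha256=VIRUSTOTAL_SHA256):
    """Write the constructed sample to a temp file and triage it against a reference hash."""
    sample = build_sample_pe([
        (b".text", b"\x90" * 256),                      # constant bytes: entropy 0.0
        (b".data", bytes(range(256)) * 16),             # every byte value equally often: entropy 8.0
    ])
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as f:
        f.write(sample)
        path = f.name
    try:
        return triage(path, expected_sha256)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = run_demo()
    print("sha256:", result["sha256"], "matches VirusTotal sample:", result["matches_report"])
    for name, size, ent in result["sections"]:
        print(f"  {name:<8} {size:>6} bytes  entropy {ent:.2f}")
    print(f"high-entropy share: {result['high_entropy_fraction']:.0%}")
```

Replace `run_demo()` with `triage("path/to/Driller.exe", VIRUSTOTAL_SHA256)` to check a real download; a hash mismatch means the scanner reports you read were about a different file, and a very high high-entropy share confirms the file is almost entirely one encrypted blob, which explains why AV engines cannot see inside it and fall back to flagging the container.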


Imperium(Posted 2017) [#17]
This might sound odd but.... Do you think possibly it's being flagged because of the name? Driller.exe does sound like some sort of hacking tool that would flood network traffic or mine your system.

This page finds it generally okay except for warnings from a few reviewers.
https://safeweb.norton.com/report/show?url=https%3A%2F%2Farchive.org%2Fdetails%2FDriller

Google doesn't like it one bit!
https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=archive.org

This page says Google likes it! hah!
http://onlinelinkscan.com/results/httpsarchive-orgdetailsdriller/


Dan(Posted 2017) [#18]
If the game is written in the BlitzBasic language, then you may surely wonder where all the assets have gone: where are the models, the textures and the sounds/music, which are usually needed for higher quality games, stored?

This game is a single exe with around 22 MB of data, so it is evident that all the assets are within this file.

You can read about Molebox here

Whether it is possible to hide a trojan/virus inside this, which will cause trouble, I do not know. But if the antivirus companies cannot scan the contents of it, then there is a high chance that they will flag it as Potentially Unsafe.


RemiD(Posted 2017) [#19]
The thing is that another game by the same developer is considered safe by my antivirus/antimalware...
see: https://archive.org/details/Cholo_201506
And, since these are old games, it is quite possible that these files were not uploaded by the developer himself but by another person...
(Driller was apparently published in 2007 but only uploaded to archive.org in 2015...)
(maybe a smart way to spread trojans, since some old games are not available anywhere else on the web anymore...)


Dan(Posted 2017) [#20]
Well, archive.org has an original copy of the site and the older versions:

http://web.archive.org/web/20150304201850/http://driller.ovine.net/

Somewhere in August 2008 you can access the v1.1 version. The v1.3 version is the same as the one from the 1st post.


RemiD(Posted 2017) [#21]
@Dan >> good find, thanks!

So, I tried the executable on an old laptop with Windows XP (not connected to the internet) and it ran well the first time; I managed to play a little, then I got a MAV :P
But the ambiance is well done imo


Blitzplotter(Posted 2017) [#22]
VMWare Player used to be a good option for sandboxing.