How risky is AV testing on a VPC?

I was thinking of creating a virtual PC, saving an image of its prestine setup, and then infecting the crap out of it with viruses, in order to test various security products. What are the odds of this infecting my actual PC?

Also, if the odds are minimal, does anyone (and I know, this is a shot in the dark here) know where I can download viruses and spyware, where I know exactly what WHICH viruses, and WHICH pieces of spyware I'm getting? An ideal testing situation would be to know exactly what the VPC is infected with, so that I can figure out exactly what the software missed, and what it found that doesn't really exist.


Thanks in advance.

 

I did this on an old test machine (not VPC). I got all my malware by searching a few torrent sites for malware people had uploaded.

 

Well nothing is bulletproof as far as i know so it pays to be prepared for the worst. Make sure anything important is safely backed up.
You could try virtualising your base system while working inside your VM.

 

Naturally. I've got my data on seperate hard drives from my OS and programs. It's backed up daily to external hard drives which are turned off when not backing up. I am running Zone Alarm Antivirus with Spyware Doctor for active protection, as well as Threatfire. On the off chance anything DOES get past my security, I remove these things for a living (as in, I actually remove them, instead of automatically reformatting or hooking the thing up t a remote terminal to have someone in India do it :::glares at Geek Squad:.

Still, I prefer to riks as little as possible, and I've never attempted or even theorized about this. Has anyone personally heard about a machine being infected through a VM?

 

My experience is that you can never be sure about the type of malware you downloaded. When you do a VxID (Virus Identification) mostly the results are different from the given information attached with the malware.
There are a lot of reasons why this can happen: instead of the Vx it is nothing more then an infected file, or the malware is corrupted or damaged, or it was identified in a VM (which give often different results then when you identify it in a real computer), or an AV did change the file after malware-detection, etc.

I do my analyses in a real computer (non-VM!) with a few AV-scanners (not real-time, only on-demand scannners), and I do the VxID in a restricted account. After downloading, unzipping and decoding, I scan it with several AV's, I get a checksum (MD5, SHA, CRC, etc) and only then I'm (quite) sure about what I was downloading.
After that I continue with the decompile, behaviour-analysis, taking snapshots, etc.
So: never trust the information what is attached with the malware. Only trust your own results.

To find sites for downloading malware you simply use your favorite search-engine(s).