Creating a VM for malware testing

Discussion in 'sandboxing & virtualization' started by ncage1974, Dec 6, 2009.

Thread Status:
Not open for further replies.
  1. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    I decided to create a VM for malware testing (VMware Workstation 6.5). I used Windows XP 32-bit as the guest. This is XP with no service packs / updates / security software / etc. applied. I have DMZ'd this machine. I'm using a bridged network adapter rather than NAT, so the guest is not protected by the host software firewall.

    One interesting side note is that I've heard that if you connect an XP machine to the internet with no protection it will be owned within 20 minutes. Well, mine has been up for 48 hours and, as of yet, no malware infestation. I actually expected it to be infected by now, but it's going on its merry way without a hitch. Actually a little disappointed by this.

    OK, my real question here is that I want to protect my other machines on the network (and the host) from this machine, since I will be infecting it on purpose with malware. It does have to have network connectivity though (internet). Of course I'm logging into this machine with an account that no other machine has. Here are some solutions I've devised, but they are too much of a bother right now:

    1) Create a VLAN (I'm pretty sure Tomato firmware doesn't have VLAN support, and I don't want to go with DD-WRT). Also not really excited about buying hardware just for this little experiment I'm doing.

    2) Create a domain -- too much of a hassle.

    3) Put another router in between this machine and the rest of the network. Again I would have to buy hardware, and I do want the host machine to have access to the other machines (well, unless I had two NIC cards, I guess, and only used one for VMware).

    Yes, I know that the malware machine would still need a username / password to get into another machine on my network, but there is nothing stopping it from trying a dictionary attack.

    Any help would be appreciated.

    thanks,
    ncage
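The dictionary attack the original poster is worried about leaves a clear trace on the target machines: a run of failed logons from one source address, usually against many different account names. The script below is an added example (not code from the thread or from any poster) that flags that pattern. It assumes the other Windows boxes audit logon failures to the Security log (event 4625 on Vista and later, 529 on XP) and that those events have been exported as simple "time,event_id,account,source_ip" CSV lines; the sample lines and the 192.168.1.x addresses are constructed for illustration.

```python
"""Flag password-guessing from the malware VM against other LAN hosts.

Added example, not from the original thread. Assumes failed logons are
audited (Security event 4625 on Vista+, 529 on XP) and exported as CSV
lines of "time,event_id,account,source_ip". SAMPLE_LOG is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one noisy source (the malware VM, assumed to be
# 192.168.1.77) cycling through account names within a few seconds, plus
# a single mistyped password from a legitimate box (192.168.1.20).
SAMPLE_LOG = """\
2009-12-07 21:03:10,4625,Administrator,192.168.1.77
2009-12-07 21:03:11,4625,admin,192.168.1.77
2009-12-07 21:03:11,4625,Guest,192.168.1.77
2009-12-07 21:03:12,4625,ncage,192.168.1.77
2009-12-07 21:03:13,4625,backup,192.168.1.77
2009-12-07 21:03:14,4625,test,192.168.1.77
2009-12-07 21:05:40,4625,ncage,192.168.1.20
2009-12-07 21:05:44,4624,ncage,192.168.1.20
"""

FAILED_LOGON_IDS = {"4625", "529"}   # Vista+ / XP "logon failure" events


def parse_events(text):
    """Yield (timestamp, event_id, account, source_ip) from CSV lines."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, event_id, account, src = raw.split(",", 3)
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account, src


def find_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (max_failures_in_window, distinct_accounts_tried)}
    for every source that produced at least `threshold` failed logons
    inside any sliding `window`. A dictionary attack shows up as many
    failures, and usually many different account names, from one address.
    """
    recent = defaultdict(deque)      # src -> failure timestamps in window
    accounts = defaultdict(set)      # src -> account names tried so far
    hits = {}
    for ts, event_id, account, src in sorted(parse_events(text)):
        if event_id not in FAILED_LOGON_IDS:
            continue
        q = recent[src]
        q.append(ts)
        accounts[src].add(account)
        while q and ts - q[0] > window:   # drop failures older than window
            q.popleft()
        if len(q) >= threshold:
            hits[src] = max(hits.get(src, (0, 0)),
                            (len(q), len(accounts[src])))
    return hits


if __name__ == "__main__":
    for src, (n, distinct) in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible dictionary attack from {src}: "
              f"{n} failures against {distinct} accounts in one minute")
```

The threshold and window are deliberately loose; the point is that five failures in a minute against five different account names from one address is not a typo, and a lone failed logon from a normal workstation does not trip it. On the target side this only works if logon auditing is actually enabled, which it is not by default on XP.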
     
  2. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    It all depends on how good your ISP is at filtering, for that question. If you're with a really crappy ISP, AKA "outside the USA", then you might have a chance at this, but most ISPs, here in the States at least, watch for these kinds of things and block them by default.

    And no, I'm not saying the internet is crap outside the US. Just stating it's easier to find an ISP slacking off outside the US.
     
  3. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    Actually I have Comcast. I haven't heard of them blocking anything, but who knows.
     
  4. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    As much as I hate Comcast, they are one of the better ones when it comes to monitoring their own network. It's not so much that they block your traffic, just trash floating around. I have left a Windows 98 computer plugged into a non-NAT modem before for 3 weeks straight, just rebooting it when it got sluggish. It never got infected with anything, just sat there and wasted power.
     
  5. wat0114

    wat0114 Guest

    Is your host machine sitting behind a NAT router or similar device? If it is, this might explain the non-infection of the guest.

    As for your second question, I had an XP VM (using VirtualBox) guest running on a Vista limited host account, but I kept the VM at NAT and just created a rule in Vista's 2-way firewall to allow all outbound to certain ports, even 80, for the VM. I used a firewall (the built-in firewall in Malware Defender) for the guest.

    I ran over 20 malware samples (so I'm no expert at all) in the VM this way with nothing escaping it to infect the host. Remember that if you can run the host as a limited account, you significantly reduce the risk of it incurring anything from the VM guest, even if for some reason the malware leaks out, which never happened to me. You should ensure you have your host machine imaged, however, just in case something goes wrong. Be aware also that there is some VM-aware malware out there. The few I encountered simply refused to run.
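Whatever combination of NAT and host firewall rules you end up with, the thing worth checking before dropping samples on the guest is that the guest really can reach the internet and really cannot reach anything on the LAN. The script below is an added example (not code from the thread or from any poster) meant to be run inside the guest. The 192.168.1.x addresses, the example.com target and the port list are assumptions; 10.0.2.2 is the address VirtualBox's default NAT gives the guest for the host itself, which is easy to forget when the firewall rule only names the LAN subnet.

```python
"""Verify from inside the malware guest: internet reachable, LAN not.

Added example, not code from the original thread. The addresses and ports
in DEFAULT_CHECKS are assumptions for a 192.168.1.0/24 LAN with the host
at .10; 10.0.2.2 is the host alias inside VirtualBox's default NAT.
"""
import socket

# (label, host, port, should_be_reachable) -- constructed for illustration.
DEFAULT_CHECKS = [
    ("router admin page",     "192.168.1.1",  80,   False),
    ("host SMB",              "192.168.1.10", 445,  False),
    ("host RDP",              "192.168.1.10", 3389, False),
    ("host via NAT alias",    "10.0.2.2",     445,  False),
    ("another LAN box SMB",   "192.168.1.20", 445,  False),
    ("internet HTTP",         "example.com",  80,   True),
    ("internet HTTPS",        "example.com",  443,  True),
]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connect to host:port completes within timeout.
    A firewall drop shows up as a timeout; a closed port as a refusal;
    both count as unreachable here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_isolation(checks=DEFAULT_CHECKS, probe=tcp_reachable):
    """Return the (label, host, port, reachable) entries whose result did
    not match expectation: LAN targets that answered, or internet targets
    that did not. An empty list means the guest is isolated as intended.
    `probe` is injectable so the logic can be exercised without a network.
    """
    violations = []
    for label, host, port, expected in checks:
        reachable = probe(host, port)
        if reachable != expected:
            violations.append((label, host, port, reachable))
    return violations


if __name__ == "__main__":
    bad = verify_isolation()
    if not bad:
        print("OK: LAN unreachable, internet reachable")
    for label, host, port, reachable in bad:
        state = "REACHABLE" if reachable else "unreachable"
        print(f"{label} ({host}:{port}) is {state} -- check the firewall rule")
```

Run it once from a clean snapshot, fix whatever it reports, then snapshot again; the LAN entries are the ones that matter, since a guest that can open port 445 on another box can also try passwords against it. A bridged guest will fail every LAN check here, because its packets never pass through the host firewall at all.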
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Those nasty keyloggers don't care if you have a virtual machine, and yes, rebooting and restoring the virtual machine to a previous state will get rid of that or any keylogger, but the privacy is always at risk :)
     
  7. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    Yeah, I won't have the VM running when I'm doing anything that could be compromised. I also use KeyScrambler. I also don't think the VM captures your keystrokes unless your input is over the VM. What I'm worried most about is it trying a dictionary attack on one of my machines.
     
  8. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    It is sitting behind Windows Firewall. It shouldn't be blocking anything from the guest though if you're using bridged rather than NAT networking. I am running the host under an admin account, but I'm using UAC, so it should be similar to running under a limited-privilege account. Too bad I don't have a high-end Cisco router so I would have VLAN capabilities, but most of us don't spend that kind of money on a router :).
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Luckily you are speaking for US and not for us (EU).
     
    Last edited: Dec 7, 2009