Is internet safe now? Or do I misunderstand Vmware?

Discussion in 'sandboxing & virtualization' started by sukarof, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I am doing a layman honeypot in VMware.

    I have set up an original Windows XP in VMware (i.e. no service packs or hotfixes at all).
    I am connected to the internet without a firewall or other anti-malware apps. VMware has its own IP number.
    I have no router, just fiber LAN to the net.
    A check at GRC.com shows ports from 0 to 1024 are closed, except 135-139 and 445, which are stealthed. 1025 and 5000 are open.
    I have been online with it for three hours without anything happening.

    I have read somewhere that you only have to be online for 15-30 minutes before you get infected with something.
    Is that just a myth, or is it VMware that somehow prevents the worms 'n' stuff? Or maybe I am just impatient?

    The only things I use to check if any activity is going on are Port Explorer and Process Explorer. Perhaps those are not enough?
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    If you connect via NAT through your original machine, you will see no effect. GRC will scan your gateway. Just like with any LAN machine.

    You say it has its own IP. Interesting. How did you achieve that? Your ISP lets you have multiple IPs? Do elaborate on that one.

    But then, don't believe everything they tell ya (about malware).

    VMware offers a solid testing environment, but it can possibly be breached.
    If you want a really safe testing ground, you should use VMware in Linux. And then in it, install Windows. Or do a recursive install until you run out of memory.
    Seriously though, your test has no real impact. It's effectively isolated from the net.
    If you want to see how "safe" it is, browse the Internet with it, try FF, try IE, compare the results = infections, and so forth. Just be careful that you keep malware from propagating to your own host.
    You can also try Truman in Linux, which runs on native hardware.
    And as I said, VMware in Linux running Windows guest.
    Mrk
     
  3. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    Yeah, I have heard those freaky comments, even 3 minutes somewhere. I have surfed with no firewall or security apps apart from Adblock for a few hours and never been infected. However, I didn't go to the other side, so to speak. My ports were closed.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Maybe I wasn't clear in the first post. Check your host name when scanned in GRC. Compare with your real machine. Are they the same?

    Mrk
     
  5. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Thanks for your reply.
    Now I will probably show my ignorance, but what the heck :)

    GRC said it was scanning the IP number that I got from my ISP.
    I got one IP for my host machine (Windows XP Pro, fully patched) and one IP for the guest machine, I mean two real IP addresses assigned from my ISP.
    Maybe I will try VMware from Linux some day, but for now I just wanted an unsecure connection to the net, but I reckon, after reading your post, I can't get that :(
    But I will try to find some bad sites with my unpatched IE.

    cheers
     
  6. TECHWG

    TECHWG Guest

    ISPs block the ports through which a hacker or program can easily infiltrate your system and hose you down real good.
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    There are two things:

    1. If port 445 is closed (or "stealthed") then most worms will not be able to get to the box.

    2. Many of them now specifically detect VMware and will not infect it, mainly because VMware is frequently used by malware analysts. It's harder for them to analyze the malware if it won't run.

    Once you figure out the ports issue, you might look at something like http://nepenthes.mwcollect.org/, if you're just wanting to get malware.
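A way to check Notok's point 1 and Mrk's NAT question from the defender's side, as an added example that is not from this thread: it classifies TCP ports with the same three states GRC reports (open, closed, stealth), so you can probe the guest's address from the host or another LAN machine and see whether the SMB/NetBIOS ports are actually reachable or whether the scan only ever hits a gateway. Standard-library Python; the port list and the localhost self-test are constructed for illustration.

```python
import socket
import sys
# Ports discussed in the thread: NetBIOS/SMB 135-139 and 445, plus the two GRC reported open.
THREAD_PORTS = [135, 136, 137, 138, 139, 445, 1025, 5000]
WORM_PORTS = (135, 139, 445)  # what the network worms of the day were knocking on

def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port with GRC's states: open (handshake done), closed
    (RST: reachable, nothing listening), stealth (no reply before timeout,
    a filter dropped the SYN); unreachable if the local stack refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"
        except OSError:
            return "unreachable"

def probe_ports(host: str, ports=THREAD_PORTS, timeout: float = 2.0) -> dict:
    """Probe every port in the list and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}

def exposed_to_worms(results: dict) -> bool:
    """True if any SMB/NetBIOS port is 'open'; 'closed' and 'stealth' both keep worms out."""
    return any(results.get(port) == "open" for port in WORM_PORTS)

def self_test_on_localhost() -> dict:
    """Offline demonstration: a listener on 127.0.0.1 reads 'open', and the
    same port reads 'closed' once the listener goes away."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe_port("127.0.0.1", port, 1.0)
    srv.close()
    after_close = probe_port("127.0.0.1", port, 1.0)
    return {"listening": listening, "after_close": after_close}

if __name__ == "__main__":
    # Usage: python probe.py <guest IP>, run from the host or another LAN machine
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = probe_ports(target)
    for port, state in results.items():
        print(f"{port:5d}  {state}")
    print("SMB/NetBIOS reachable:", exposed_to_worms(results))
```

If every port comes back "stealth" from the host while the guest is in NAT mode, the probe (like GRC) is hitting the host's stack rather than the guest, which is exactly the situation Mrk describes.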
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Last edited: Nov 28, 2006