Serious Discussion How to set up a safe environment for Malware Testing

Xeno1234

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Hello. I’ve been doing a small amount of Malware Analysis recently and I want to make a safe malware environment for running malware.

The main thing I am concerned about is getting infected, I need to make sure that nothing can escape the VM and infect my host, or spread through the network.

I would also like a good environment for ofc, malware analysis and hiding parts of the sandbox.

If you have any suggestions, let me know.
 
  • Like
  • Applause
Reactions: Dave Russo, cruelsister, Adrian Ścibor and 2 others
F

ForgottenSeer 103564

Xeno1234 said:
Hello. I’ve been doing a small amount of Malware Analysis recently and I want to make a safe malware environment for running malware.

The main thing I am concerned about is getting infected, I need to make sure that nothing can escape the VM and infect my host, or spread through the network.

I would also like a good environment for ofc, malware analysis and hiding parts of the sandbox.

If you have any suggestions, let me know.
Click to expand...
First, get off your parents network to do so as there are no guarantees, malware is no joke, and definitely not a game. Second the best way is to have an isolated network, be on a linux machine with a VM with Windows in that. You should actually to be responsible disconnect from the internet when testing keeping your system isolated, but than you have the issue of a lot of malware need to connect to C&C servers or are VM aware. Can you guarantee you wont infect the router or worse? The basics are here for a containment lab but as stated variables will be an issue.
 
  • +Reputation
  • Like
  • Hundred Points
Reactions: Dave Russo, roger_m, silversurfer and 4 others
Xeno1234

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Ultimate Vision said:
First, get off your parents network to do so as there are no guarantees, malware is no joke, and definitely not a game. Second the best way is to have an isolated network, be on a linux machine with a VM with Windows in that. You should actually to be responsible disconnect from the internet when testing keeping your system isolated, but than you have the issue of a lot of malware need to connect to C&C servers or are VM aware. Can you guarantee you wont infect the router or worse? The basics are here for a containment lab but as stated variables will be issues.
Click to expand...
Is there any way to check the Network for infections currently as I have ran malware in a VM before.
 
  • Like
Reactions: Dave Russo
Adrian Ścibor

Adrian Ścibor

From AVLab.pl
Verified
Well-known
Apr 9, 2018
182
Hi!

You can read a little beat on our Polish blog, please use some translator:

1. How to analyse malware sample and how to test your antivirus?
avlab.pl

Jak analizować malware i przetestować antywirusa w domowym labie?

Poradnik analizy malware oraz przeprowadzania testów antywirusów w domowym laboratorium. Przydatne narzędzia i programy do analizy wirusów.
avlab.pl avlab.pl

2. The source of malware:
avlab.pl

Strony z malware dla badaczy i entuzjastów bezpieczeństwa » AVLab.pl

Strony ze złośliwym oprogramowaniem (malware) na potrzeby analizy i testów bezpieczeństwa w maszynie wirtualnej.
avlab.pl avlab.pl

3. There is a community project like FLARE VM: GitHub - mandiant/flare-vm: A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.
I do not know whether the project is still supported.

Some nice tutorial for VirtualBox: Creating a VM for Malware Analysis in VirtualBox - Olivia A. Gallucci
 
  • Like
  • +Reputation
Reactions: Dave Russo, Zartarra, roger_m and 2 others
silversurfer

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,178
Xeno1234 said:
I use Kaspersky, does it scan the the network?
Click to expand...
Confirmed. I have Kaspersky Free on my host when testing malware samples in my VM (VMware Pro). Kaspersky does scan your network and specific firewall ports:

kn.png

Network Attack Blocker settings

support.kaspersky.com support.kaspersky.com
Treat port scanning and network flooding as attacksNetwork Flooding is an attack on organization's network resources (for example, web servers). This attack consists in sending a massive amount of traffic to exhaust the traffic capacity of a network. As a result, users can't access organization's network resources.

Port scanning attack consists in scanning UDP- and TCP ports, as well as network services on the computer. This attack allows to determine computer’s vulnerability level before even more dangerous types of network attacks. Port scanning also allows hackers to determine computer's OS and choose OS-specific attacks for it.

If the toggle is on, the Network Attack Blocker component blocks port scanning and network flooding.
 
  • +Reputation
  • Like
Reactions: Dave Russo, Zartarra, vtqhtr413 and 4 others
F

ForgottenSeer 103564

Adrian Ścibor said:
Hi!

You can read a little beat on our Polish blog, please use some translator:

1. How to analyse malware sample and how to test your antivirus?
avlab.pl

Jak analizować malware i przetestować antywirusa w domowym labie?

Poradnik analizy malware oraz przeprowadzania testów antywirusów w domowym laboratorium. Przydatne narzędzia i programy do analizy wirusów.
avlab.pl avlab.pl

2. The source of malware:
avlab.pl

Strony z malware dla badaczy i entuzjastów bezpieczeństwa » AVLab.pl

Strony ze złośliwym oprogramowaniem (malware) na potrzeby analizy i testów bezpieczeństwa w maszynie wirtualnej.
avlab.pl avlab.pl

3. There is a community project like FLARE VM: GitHub - mandiant/flare-vm: A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.
I do not know whether the project is still supported.

Some nice tutorial for VirtualBox: Creating a VM for Malware Analysis in VirtualBox - Olivia A. Gallucci
Click to expand...
Do you realize that's a 15 year old kid on his parents network you just gave a list of malware and phishing sites too? Just curious.
 
  • Like
  • +Reputation
Reactions: Dave Russo and harlan4096
Adrian Ścibor

Adrian Ścibor

From AVLab.pl
Verified
Well-known
Apr 9, 2018
182
Ultimate Vision said:
Do you realize that's a 15 year old kid on his parents network you just gave a list of malware and phishing sites too? Just curious.
Click to expand...

He does not say how old he is. Learning cannot be banned on the basis of age.

The websites are freely available on the internet, anyone can get access from Google or another blogs, forums - from a kid of 4 age to an old man of 104. The best learning is practice.
 
  • Like
Reactions: Dave Russo, roger_m, ErzCrz and 2 others
F

ForgottenSeer 103564

@Xeno1234 Make sure you leave your forwarding address and an invite on a C&C server with your favorite hacker, maybe they will drop a surprise or even pop in your network for a visit, im sure you parents wont mind.

This is no joke to everyone else, you all should be ashamed for encouraging this.
 
F

ForgottenSeer 103564

Adrian Ścibor said:
He does not say how old he is. Learning cannot be banned on the basis of age.

The websites are freely available on the internet, anyone can get access from Google or another blogs, forums - from a kid of 4 age to an old man of 104. The best learning is practice.
Click to expand...
Hand that 4 year old your car keys than. It's same concept. Dangerous..
 
Xeno1234

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Ultimate Vision said:
@Xeno1234 Make sure you leave your forwarding address and an invite on a C&C server with your favorite hacker, maybe they will drop a surprise or even pop in your network for a visit, im sure you parents wont mind.

This is no joke to everyone else, you all should be ashamed for encouraging this.
Click to expand...
I’ve learned the risks associated with malware testing from this forum. Right now, I’m not going to be doing any more testing, even just obtaining samples and putting them in online sandboxes.

You’ve made a good point about it being risky and I trust you. I don’t think I am currently infected, and I don’t plan on getting infected or even dealing with malware in the near future.

If I do, I will utilize a default deny setup to prevent the malware from running in the event I accidentally click it.

I appreciate your concern for me though. I know that Malware is dangerous and so far, I haven’t had any issues. I will make a post in Malware Removal to check my network and system for any defects later today to ensure. After that, I’m done.
 
  • Like
Reactions: Dave Russo, roger_m and ForgottenSeer
F

ForgottenSeer 103564

Xeno1234 said:
I’ve learned the risks associated with malware testing from this forum. Right now, I’m not going to be doing any more testing, even just obtaining samples and putting them in online sandboxes.

You’ve made a good point about it being risky and I trust you. I don’t think I am currently infected, and I don’t plan on getting infected or even dealing with malware in the near future.

If I do, I will utilize a default deny setup to prevent the malware from running in the event I accidentally click it.

I appreciate your concern for me though. I know that Malware is dangerous and so far, I haven’t had any issues. I will make a post in Malware Removal to check my network and system for any defects later today to ensure. After that, I’m done.
Click to expand...
I'm glad you have not taken offense, as I am just trying to help guide correctly, this is dangerous and not a game. Stay safe.
 
  • Like
Reactions: Dave Russo, roger_m and harlan4096
F

ForgottenSeer 97327

Well, you could look whether your router has "network partition" or "AP-isolation" (put it on again when you want to stream or cast something to another device).
Sometimes the GUEST-network also has an option to prevent guest-clients seeing other traffic.

Remember there is no 100% safety possible, but isolation and virtualisation are your best friends when upping security.
 
Last edited by a moderator:
  • Like
Reactions: Dave Russo, Zartarra, roger_m and 1 other person

Similar threads

Cosmic1764
Serious Discussion How to remove Browser Hijacker
Replies
4
Views
275
General Security Discussions
Cosmic1764
Cosmic1764
Xeno1234
    • Like
Question Is running a stealer malware in a fresh VM safe?
Replies
35
Views
1,807
General Security Discussions
Xeno1234
Xeno1234
C
    • Like
  • Question
Question How to judge a file is safe or not in Virustotal?
Replies
28
Views
1,165
General Security Discussions
Practical Response
Practical Response

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top