Question Is running a stealer malware in a fresh VM safe?

[Shadowra]

Is running a stealer malware in a fresh VM safe?
If you were to run a stealer, and it doesnt try to escape the VM, would it be safe? Is there anything to steal? Could the system info of the VM being stolen be of harm?
This is saying no extra passwords, nothing logged in, etc.

I've been working with virtual machines for a very long time, both personally and now in video, and I've learned a lot about malware evasion.

Not all virtualization software works the same way, and many have significant vulnerabilities when it comes to malware.

I highly recommend VMware and configuring your VM in Bridge mode rather than NAT. In NAT, your host PC acts as a gateway and is vulnerable to malware (I got infected by Virut that way a long time ago...).

In Bridge mode, your VM connects directly to your internet router. You'll need a VPN to hide your IP since you'll be connecting to C&C servers, which are often controlled by hackers. If you have a NAS, disconnect it, as several Ransomware strains also encrypt network shares!!

 

[Xeno1234]

I've been working with virtual machines for a very long time, both personally and now in video, and I've learned a lot about malware evasion.

Not all virtualization software works the same way, and many have significant vulnerabilities when it comes to malware.

I highly recommend VMware and configuring your VM in Bridge mode rather than NAT. In NAT, your host PC acts as a gateway and is vulnerable to malware (I got infected by Virut that way a long time ago...).

In Bridge mode, your VM connects directly to your internet router. You'll need a VPN to hide your IP since you'll be connecting to C&C servers, which are often controlled by hackers. If you have a NAS, disconnect it, as several Ransomware strains also encrypt network shares!!

Thank you. I’m not worried about malware escaping - I have default deny on the host and a VPN on the host. I’m wondering if anything on a fresh VM being taken by a stealer would be an issue for me. It’s possible that if it’s a stealer they have my IP, not sure what that would entail

 

[ForgottenSeer 103564]

Is running a stealer malware in a fresh VM safe?
If you were to run a stealer, and it doesnt try to escape the VM, would it be safe? Is there anything to steal? Could the system info of the VM being stolen be of harm?
This is saying no extra passwords, nothing logged in, etc.

I want to leave you a piece of advice than im stepping out of this topic as it is not my intention to cause anyone an issue nor cause disagreements, as im only here in this forum to keep up to date on latest trands "all in one place" and speak with older members i have known for some time.

First and foremost, im going to assume at your age, you are still living at home and doing all of this on your parents router/network correct? This above all else is vastly important. If they do their banking, credit cards/shopping ect on this network, i would not advise using it to experiment with malware. Virtual machines are awesome but not infallible, they have bugs/issues/vulnerabilities just like any other piece of software. Incorrectly configured factors in as well.

I understand your drive and desire to learn, i still do that at my age of 50 plus. There are logical steps to take to achieve better results, with less chances taken. One would be to study malware by text. Learn of different variations, and research them, how and what they do, where they store themselves on the machine, how they interact with the host system, how they are distributed ect, you can do this without physically messing with live malware. Learn the software you would utilize, study it well, make clearly defined/strategically placed contingency plans should something go sideways in a test. Learn analysis tools for not only monitoring the system in realtime to see where and how the sample drops, but also monitor TCP/UDP connections on the machine once a sample is executed. learn all of these tools, and software, become familiar with malware, then when you can obtain your own personal private network to test on you will be prepared to do so. Take classes in between, learn all you can.

My words in this threads were not to derail you from learning, but to teach you to do so with care, as this is no joke, malware is dangerous, especially to the uninformed/inexperienced.

Good luck young man, as the world needs more advanced users fighting the good fight against malware.

 

[Jonny Quest]

@Ultimate Vision Very astute observation. Who else could, possibly be affected by the malware research?

First and foremost, im going to assume at your age, you are still living at home and doing all of this on your parents router/network correct? This above all else is vastly important. If they do their banking, credit cards/shopping ect on this network, i would not advise using it to experiment with malware. Virtual machines are awesome but not infallible, they have bugs/issues/vulnerabilities just like any other piece of software. Incorrectly configured factors in as well.

 

[B-boy/StyLe/]

What’s wrong with have the additions? I had it installed when I ran some malware.

Long answer short - because the only benefits are better adaptation of the screen resolution and an easier way to share folders And, it is recommended to forgot about the shared clipboard and shared folders features when testing malware for logical reasons anyway. VM with Guest Additions will be detected, probably by any current malware. The main idea by hardening the VM is to reduce VM detection possibilities of the common VM-aware malware.

 

[Sandbox Breaker - DFIR]

KVM Hardened is the way to go. Also applying anti evasion steps so that malware has a hard time knowing. Using VMs is ok for students but not hardcore analysts.

 

[Xeno1234]

I want to leave you a piece of advice than im stepping out of this topic as it is not my intention to cause anyone an issue nor cause disagreements, as im only here in this forum to keep up to date on latest trands "all in one place" and speak with older members i have known for some time.

First and foremost, im going to assume at your age, you are still living at home and doing all of this on your parents router/network correct? This above all else is vastly important. If they do their banking, credit cards/shopping ect on this network, i would not advise using it to experiment with malware. Virtual machines are awesome but not infallible, they have bugs/issues/vulnerabilities just like any other piece of software. Incorrectly configured factors in as well.

I understand your drive and desire to learn, i still do that at my age of 50 plus. There are logical steps to take to achieve better results, with less chances taken. One would be to study malware by text. Learn of different variations, and research them, how and what they do, where they store themselves on the machine, how they interact with the host system, how they are distributed ect, you can do this without physically messing with live malware. Learn the software you would utilize, study it well, make clearly defined/strategically placed contingency plans should something go sideways in a test. Learn analysis tools for not only monitoring the system in realtime to see where and how the sample drops, but also monitor TCP/UDP connections on the machine once a sample is executed. learn all of these tools, and software, become familiar with malware, then when you can obtain your own personal private network to test on you will be prepared to do so. Take classes in between, learn all you can.

My words in this threads were not to derail you from learning, but to teach you to do so with care, as this is no joke, malware is dangerous, especially to the uninformed/inexperienced.

Good luck young man, as the world needs more advanced users fighting the good fight against malware.

Thank you. I agree with everything you’re saying - I agree I shouldn’t test malware, and I don’t anymore. I originally tried to stop it from escaping, and now I realize there are other risks.

I’m terms of learning vms, thank you all for the resources. I haven’t found anywhere too learn about them yet.

The reason I asked this question was to ensure I was safe from any risks Incase it was a stealer and took stuff from a fresh VM, and I realize running malware has some risks.

Now that I have ran malware, if there are risks, what could I do to mitigate them?

 

[Sandbox Breaker - DFIR]

When I ran it, I had Kaspersky default deny on Host along with a VPN, and both Shared Clipboard and Drag and Drop off on the VM. Any file that was placed onto the host couldnt start cause of Default Deny.

Drag and Drop and Clipboard disabling are necessary to limit the damage. All VMware escapes used VMware tools and the guest isolation was off.

All exploits I've seen exploit VMware tools on guest then the hypervisor. Try to also remove tools haha.

Take a look at the Pwntoown competition and look for VMware.

 

[Shadowra]

Thank you. I agree with everything you’re saying - I agree I shouldn’t test malware, and I don’t anymore. I originally tried to stop it from escaping, and now I realize there are other risks.

I’m terms of learning vms, thank you all for the resources. I haven’t found anywhere too learn about them yet.

The reason I asked this question was to ensure I was safe from any risks Incase it was a stealer and took stuff from a fresh VM, and I realize running malware has some risks.

Now that I have ran malware, if there are risks, what could I do to mitigate them?

Use Hybrid Analyse

 

[Xeno1234]

Since my parents do banking and stuff on the network and I’ve ran malware in a VM before am I at risk for stuff? If so is there anything I can do?

 

[simmerskool]

However, there is something very important there. "DO NOT INSTALL VirtualBox Additions. NEVER. Once installed, you may consider your VM as lost."
I guess the same is valid for VMWare too, but I didn't use VMWare (only VBox) so I can't tell.

I only run VMware (16.2.5)... exactly what is a VBox "Addition " VMware may have "additions" but I am not aware of that...

 

[simmerskool]

I highly recommend VMware and configuring your VM in Bridge mode rather than NAT. In NAT, your host PC acts as a gateway and is vulnerable to malware
...
In Bridge mode, your VM connects directly to your internet router. You'll need a VPN to hide your IP since you'll be connecting to C&C servers, which are often controlled by hackers. If you have a NAS, disconnect it, as several Ransomware strains also encrypt network shares!!

I had my VMware 16.2.5 win10 guest in Bridge mode, but than about a week ago, I had some connection issues perhaps after win_update, troubleshooting said to use NAT temporarily, and then reinstall VMware, which I have not done yet. Will try Bridge mode again today... thanks!!!

 

[ForgottenSeer 103564]

Since my parents do banking and stuff on the network and I’ve ran malware in a VM before am I at risk for stuff? If so is there anything I can do?

You can ask the talented gentleman that perform malware removal checks and help here in the forum to assist you in checking your system and network if need be, and as per any case as such its always a good idea to secure accounts by password changes, which should be performed every so often anyway.

 

[Xeno1234]

You can ask the talented gentleman that perform malware removal checks and help here in the forum to assist you in checking your system and network if need be, and as per any case as such its always a good idea to secure accounts by password changes, which should be performed every so often anyway.

I know for a fact i'm not infected with malware (default deny - it cant start) but ill ask about the network. Thank you!

 

[Sandbox Breaker - DFIR]

I've been a Professional Illusionist for around 20 years. I've done corporate all the way to children's events.

There are certain tricks that I've learned to not do around children. They imitate and try to bite coins or play with fire. This is an example of do not try this at home!

(Not to be offensive but objective)

 

[Xeno1234]

I believe that browsing in Sandboxie and deleting the browsing sandbox can prevent malware from getting on my computer. I do this. Does running a browser in a new Sandbox(ie) DURING a logon to a website protect me from malware designed to steal my login ID and password if that malware is already on my computer (outside the sandbox)? My guess is that it can still steal the information even if I'm in the sandbox. Is that correct? Edit: Moderator, just realized this is probably in the wrong place. If so, please move. merchant services small busines

I've seen something like this block it - BUT its not Sandboxie, so dont take my response as a definitive yes.