Malware testing and ISP issues

RejZoR
Nov 26, 2016
Slovenia/Europe
www.rejzor.tk
So, I got a call today from my ISP that our top-level networking authority Si-CERT has reported botnet activity on one of their systems (my host system) and has issued a report.

I really don't want to stop testing, but it'll be bloody annoying if my ISP will be constantly getting reports. And running VMs offline will suck, because that means you're not really getting real conditions for malware and for security software, where I want it to rely on a live connection.

Have any of you guys who also do live malware testing in VM systems encountered such problems with your ISPs?
 
Yes, it is very important to use a VPN connection, because the virtual machine's NAT config assumes sharing of the host IP, so it is necessary to protect our real IP from malware access.
 
You shouldn't be connecting your VM with live malware to the internet at all. Doing so is very irresponsible if you do not understand the samples you are using well. For instance, what happens if the botnet you are testing starts infecting other people's networks? Or launches a DDoS attack?

If you really need to, which is very often not the case, use a transparent proxy for offline malware testing, which can simulate any internet connection that the botnet needs. Alternatively, if you are visiting malware sites to download malware for live testing, use a firewall to block inappropriate connections. The firewall can be either software-based, installed on the host machine (not the VM), or hardware-based.

Just a note of warning, some ISPs will revoke your internet access if they detect too much attack traffic from your network, or if someone complains.
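The "transparent proxy for offline testing" idea in the post above, as an added example that is not from the original thread or any of its posters: a minimal fake-internet sinkhole that runs on the host. Every DNS name the VM asks for resolves to the sinkhole's own address, every HTTP request gets a 200 back, and what the sample asked for (the names and URLs, i.e. the IOCs you actually want from a run) is recorded instead of ever leaving the machine. The addresses, the interface name in the comment and the sample query/request are assumptions for illustration; on a real host you point the VM's DNS at `SINK_IP` and use a host firewall to redirect or drop everything else.

```python
import socket
import struct
import threading
from dataclasses import dataclass, field

# Assumed for this example: the host-only address the VM uses as its
# gateway and resolver. Every answer points back here, so nothing escapes.
SINK_IP = "192.168.56.1"

# Host-side redirection that makes this transparent to the sample (assumed
# interface name vboxnet0; adjust for your hypervisor):
#   iptables -t nat -A PREROUTING -i vboxnet0 -p udp --dport 53 -j REDIRECT --to-ports 53
#   iptables -t nat -A PREROUTING -i vboxnet0 -p tcp --dport 80 -j REDIRECT --to-ports 80
#   iptables -A FORWARD -i vboxnet0 -j DROP      # anything not redirected is dropped


@dataclass
class Sinkhole:
    sink_ip: str = SINK_IP
    # (kind, value) observations collected during the run: the IOCs.
    seen: list = field(default_factory=list)

    def parse_qname(self, data: bytes, offset: int = 12):
        """Decode the DNS question name starting at `offset`; returns (name, end)."""
        labels = []
        while True:
            length = data[offset]
            offset += 1
            if length == 0:
                break
            labels.append(data[offset:offset + length].decode("ascii", "replace"))
            offset += length
        return ".".join(labels), offset

    def dns_reply(self, query: bytes) -> bytes:
        """Answer any A query with the sinkhole address; log the requested name."""
        txid = query[:2]
        qname, end = self.parse_qname(query)
        qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
        self.seen.append(("dns", qname))
        # flags 0x8180: QR=1, RD=1, RA=1, NOERROR; QDCOUNT=1, ANCOUNT=1 for A only
        header = txid + struct.pack("!HHHHH", 0x8180, 1, 1 if qtype == 1 else 0, 0, 0)
        question = query[12:end + 4]
        if qtype != 1:
            return header + question           # empty NOERROR for non-A types
        # name pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4, address
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(self.sink_ip)
        return header + question + answer

    def http_reply(self, request: bytes) -> bytes:
        """Return a bland 200 for any HTTP request; log method, Host and path."""
        head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        method, path = (lines[0].split(" ") + ["", ""])[:2]
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), "?")
        self.seen.append(("http", f"{method} http://{host}{path}"))
        body = b"OK"
        return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body

    def serve_dns(self, bind=("0.0.0.0", 53)):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(bind)
        while True:
            data, peer = s.recvfrom(512)
            try:
                s.sendto(self.dns_reply(data), peer)
            except (IndexError, struct.error):
                pass                            # malformed packet: ignore it

    def serve_http(self, bind=("0.0.0.0", 80)):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(bind)
        s.listen(16)
        while True:
            conn, _peer = s.accept()
            with conn:
                conn.sendall(self.http_reply(conn.recv(65536)))


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a plain A query; used only to exercise dns_reply offline."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    sh = Sinkhole()
    threading.Thread(target=sh.serve_dns, daemon=True).start()
    sh.serve_http()                             # run as root, or rebind to high ports and REDIRECT to them
```

The point of redirecting at the host rather than just pointing the VM's resolver here is that samples with hard-coded IPs or their own DNS servers still land on the sinkhole; the DROP rule on everything else is what keeps the ISP quiet. Only DNS and plain HTTP are faked; a sample that insists on TLS will fail its handshake, which is itself a useful observation.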
 
Well, a VPN just masks my IP, which doesn't really help anyone (other than they won't know it was my machine), and blocking connections makes droppers pretty much useless. It's not like a botnet will just infect people on its own. Botnets work when users have a client running, which in my case runs for the duration of the test, and then the VM gets reset. As for DoS/DDoS, how many packets can my machine alone generate to deny someone's service? It's not like I have a super fast line or anything. I can limit traffic to like 1 Mbit to keep it down as much as possible, but that would be it.
 
Well it seems that your ISP does not think like you...
 
Yeah, well, they have no clue it's all happening in a controlled environment. They think my actual system is infected and doing all these horrible things. Which would be the case for casuals, but not for people like us who specifically hang around security communities... But again, they don't know what's going on.

What's funny is that I've been doing this before and it never bothered anyone. All this crap has been happening since I upgraded to fiber optics...
 
Have you not been using a VPN?

VPNs are a crucial step when malware testing.
 
Well, you're not really solving anything by using it. Instead of the ISP seeing "botnet" packets, the VPN provider will. The traffic is the same on the output end. So you're not really fixing anything, you're just placing a virtual blame on someone else.
 
@RejZoR
Don't you think that using a VPN might be the solution, considering that it's malware testers who are advising you to use one? Yeah, you may have a point, but with their expertise, maybe they are right. :)

I know you're an expert, by the way. So I'm just offering food for thought, and not trying to argue with you, because I'd surely lose. :D
 
If everyone is placing blame on others by using a VPN, then so will I.
By using a VPN your real IP is hidden, and the publicly visible IP will be that of the server to which you are connected, i.e. the server of the VPN service provider, of course via tunneling, so that your data is usually encrypted.
Actually, I don't think that the "blame" falls on someone else.
However, I'm just giving my opinion in relation to your specific question, but this is your issue, not the ISP's.
According to what you're saying, your real IP is blacklisted, and if those are the facts I see no other logical alternative except to stop malware analysis or do it offline.
 
OK, so what do you do when the VPN provider blocks your IP because it's essentially doing the same thing my system was doing to my ISP directly? Just keep on changing VPN providers? Or hope they just don't care?
 

I've been doing malware testing on a VM for 2 years now. I had only one report from my ISP, because I forgot to activate the VPN.
It is highly recommended to use a VPN if you are testing with malware. It seems you want to ignore the experience of others...
 
Correct me if I am wrong, but a proper VPN is supposed to assist in anonymity, not store logs or monitor what the user does. You wouldn't have the same issues as with your ISP if you are using a VPN.
 
Funny thing is, I've been doing similar testing for ages, I just wasn't recording it because my upload to YouTube was too crap and I just didn't bother. Now, all of a sudden, it's an issue. That's why I never bothered VPN-ing the connection.
 
No way I would test without a VPN, because what's stopping that malware from connecting your IP address to some highly illegal activity?
 
I would also suggest you use a VPN. You can try them for free, but I doubt you would generate little traffic. Here's a good deal:
Promotion - Upgrade to Windscribe Pro for USD $1 per month for 12 months
Considering buying it myself. Has tracking and ad blocking built in :)

A VPN most likely will not block anything unless you run samples and let them send out spam/DDoS for hours or days. They are very strict with privacy, and unless something abnormal is detected, you're good.
 