Malware testing and ISP issues

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
So, I got a call today from my ISP that our top-level networking authority Si-CERT has reported botnet activity on one of their systems (my host system) and has issued a report.

I really don't want to stop testing, but it'll be bloody annoying if my ISP is constantly getting reports. And running VMs offline will suck, because that means you're not really getting real conditions for malware and for security software, where I want it to rely on a live connection.

Have any of you guys who also do live malware testing in VM systems encountered such problems with your ISPs?
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Yes, it is very important to use a VPN connection, because the virtual machine's NAT config assumes sharing the host IP, so it is necessary to protect our real IP from malware access.
 

Cch123

Level 7
Verified
May 6, 2014
335
You shouldn't be connecting your VM with live malware to the internet at all. Doing so is very irresponsible if you do not understand the samples you are using well. For instance, what happens if the botnet you are testing starts infecting other people's networks? Or launches a DDoS attack?

If you really need to, which is very often not the case, use a transparent proxy for offline malware testing, which can simulate any internet connection that the botnet needs. Alternatively, if you are visiting malware sites to download malware for live testing, use a firewall to block inappropriate connections. The firewall can be either software based, installed on the host machine (not the VM), or hardware based.

Just a note of warning, some ISPs will revoke your internet access if they detect too much attack traffic from your network, or if someone complains.
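As an added example (not code from the thread or from any of its posters), here is a tiny stand-in for the "transparent proxy that simulates any internet connection" described above: a DNS sinkhole that resolves every A query to the lab gateway, and a loopback HTTP responder that answers every request itself and logs what was asked for, so a sample in an isolated VM network sees "the internet" while nothing leaves the host. The gateway address, port handling and request paths are constructed assumptions.

```python
# Constructed lab-gateway simulation: DNS sinkhole + request-logging fake web server.
import socket, struct, threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

SINKHOLE_IP = "10.0.0.1"  # constructed: gateway VM address on the isolated lab network
REQUEST_LOG = []          # every Host+path a sample asked for, kept for later review

def build_dns_query(name, tid=0x1234):
    """Minimal DNS A query for `name`, used here as the constructed sample input."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def sinkhole_dns_reply(query, answer_ip=SINKHOLE_IP):
    """Answer any A query with answer_ip, echoing the question section back."""
    i = 12                      # skip the 12-byte header
    while query[i] != 0:        # walk the QNAME labels to the root label
        i += query[i] + 1
    i += 5                      # root label + QTYPE + QCLASS
    tid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)   # response, RA set, one answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + query[12:i] + rr

def answered_ip(reply):
    """Address in the single A record produced by sinkhole_dns_reply."""
    return socket.inet_ntoa(reply[-4:])

class FakeWeb(BaseHTTPRequestHandler):
    """Answers every GET with a harmless 200 and records what was requested."""
    def do_GET(self):
        REQUEST_LOG.append(self.headers.get("Host", "") + self.path)
        body = b"OK"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the console quiet
        pass

def serve_fake_web():
    """Start FakeWeb on a free loopback port in a daemon thread; return the port."""
    srv = HTTPServer(("127.0.0.1", 0), FakeWeb)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def fetch_via_fake_web(port, path="/update.bin"):
    """Play the role of a dropper fetching its payload; returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.read()
```

In a real lab the sinkhole would listen on UDP 53 of the gateway VM and the VM network would have no route to the host's uplink; the fake web server would then be the only place a sample's download attempt can land.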
 

RejZoR

Well, a VPN just masks my IP, which doesn't really help anyone (other than that they won't know it was my machine), and blocking the connection makes droppers pretty much useless. It's not like a botnet will just infect people on its own. Botnets work when users have a client running. Which in my case runs for the duration of the test, and then the VM gets reset. As for DoS/DDoS, how many packets can my machine alone generate to deny someone's service? It's not like I have a super fast line or anything. I can limit traffic to like 1Mbit to keep it down as much as possible, but that would be it.
 

tim one

Well, a VPN just masks my IP, which doesn't really help anyone (other than that they won't know it was my machine), and blocking the connection makes droppers pretty much useless. It's not like a botnet will just infect people on its own. Botnets work when users have a client running. Which in my case runs for the duration of the test, and then the VM gets reset. As for DoS/DDoS, how many packets can my machine alone generate to deny someone's service? It's not like I have a super fast line or anything. I can limit traffic to like 1Mbit to keep it down as much as possible, but that would be it.

Well, it seems that your ISP does not think like you...
 

RejZoR

Yeah, well, they have no clue it's all happening in a controlled environment. They think my actual system is infected and doing all these horrible things. Which would be the case for casuals, but not for people like us who specifically hang around security communities... But again, they don't know what's going on.

What's funny is that I've been doing this before and it never bothered anyone. All this crap has been happening since I upgraded to fiber optics...
 
MalwareBlockerYT

Yeah, well, they have no clue it's all happening in a controlled environment. They think my actual system is infected and doing all these horrible things. Which would be the case for casuals, but not for people like us who specifically hang around security communities... But again, they don't know what's going on.

What's funny is that I've been doing this before and it never bothered anyone. All this crap has been happening since I upgraded to fiber optics...

Have you not been using a VPN?

VPNs are a crucial step when malware testing.
 

RejZoR

Well, you're not really solving anything by using it. Instead of the ISP seeing "botnet" packets, the VPN provider will. Traffic is the same on the output end. So, you're not really fixing anything, you're just placing a virtual blame on someone else.
 

RejZoR

Also, one would expect a VPN provider to ban your IP if they detected suspicious behaviour through their service. Wouldn't they?
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
@RejZoR
Don't you think that using a VPN might be the solution, considering that those are malware testers who are advising you to use one? Yeah, you may have a point, but with their expertise, maybe they are right. :)

I know you're an expert, by the way. So, I'm just offering food for thought, and not trying to argue with you, because I'll surely lose. :D
 

RejZoR

If everyone is placing the blame on others by using a VPN, then so will I.
 

tim one

If everyone is placing the blame on others by using a VPN, then so will I.

By using a VPN your real IP is hidden, and the publicly visible IP will be the one of the server to which you are connected, and then the server of the VPN service provider, of course via tunneling, so that your data are usually encrypted.
Actually, I don't think that the "blame" falls on someone else.
However, I'm just giving my opinion in relation to your specific question, but this is your issue, not the ISP's.
According to what you're saying, your real IP is blacklisted, and if these are the facts I do not see any other logical alternative except to stop malware analysis or do it offline.
 

RejZoR

Ok, so what do you do when the VPN provider blocks your IP because it's essentially doing the same thing my system was doing to my ISP directly? Just keep on changing VPN providers? Or hope they just don't care?
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,265
Well, you're not really solving anything by using it. Instead of the ISP seeing "botnet" packets, the VPN provider will. Traffic is the same on the output end. So, you're not really fixing anything, you're just placing a virtual blame on someone else.

I've been doing malware testing on a VM for 2 years now. I only had one report from my ISP, because I forgot to activate the VPN.
It is highly recommended to use a VPN if you are testing with malware. It seems you want to ignore the experience of others...
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
Correct me if I am wrong, but a proper VPN is supposed to assist in anonymity, not store logs or monitor what the user does. You wouldn't have the same issues as with your ISP if you are using a VPN.
 

RejZoR

Funny thing is, I've been doing similar testing for ages, I just wasn't recording it because my upload to YouTube was too crap and I just didn't bother. Now, it's all of a sudden an issue. That's why I never bothered VPN-ing the connection.
 

KGBagent47

No way I would test without a VPN, because what's stopping that malware from connecting your IP address to some highly illegal activity?
 

Lord Ami

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 14, 2014
1,027
I would also suggest you use a VPN. You can try them for free, but I doubt your traffic would be small. Here's a good deal:
Promotion - Upgrade to Windscribe Pro for USD $1 per month for 12 months
Considering buying it myself. Has tracking and ad blocker built in :)

A VPN most likely will not block anything unless you run samples and let them send out spam/DDoS for hours or days. They are very strict with privacy, and unless something abnormal is detected, you're good.
 