Malware testing and ISP issues

Wave

Ok, so what you do when VPN provider blocks your IP because it's essentially doing the same my system was doing to my ISP directly? Just keep on changing VPN providers? Or hope they just don't care?

Chances are you won't have to do anything because the chances of CyberGhost doing anything are very little - they don't track who is who, so they won't even know who is using their IP addresses for malware testing.

Using a VPN is an essential because the last thing you want is for an attacker to obtain your real IP address; they can attempt to trace back your location via geographical methods based on the IP address, or they can perform network attacks using your IP address to use up your internet resources (bandwidth - via a DDoS attack) and cause your internet to temporarily crash (e.g. they may add your IP address to an existing botnet they have deployed, resulting in X amount of other infected zombie machines attacking your network).

That being said, it's important you simulate the network traffic as @Cch123 mentioned also/instead, and only allow the network activity once you know what is going to really happen, otherwise you could end up affecting others from your own Virtual Environment, even if you are only performing malware testing (e.g. botnet launches on your Virtual Environment, starts attacking enterprise companies/individuals -> now your system is doing this work thanks to the malware, but because you allowed the network activity).

Malware testing/analysis is a really time consuming thing to get right, and we all make mistakes... Hell, I made a mistake about 20 minutes ago, so no one can perfect it... It's like an art, it cannot be rushed too much or you will miss things but has to be done properly to get it right.

I recommend you follow advice from @Cch123 and @tim one - they have a lot of experience when it comes to malware analysis so they definitely know what they are doing, it'd be a wise decision to take their points on-board. ;)
 
Wave

No way I would test without a VPN, because what's stopping that malware from connecting your IP address to some highly illegal activity?

Nothing is stopping it, nor the attacker from performing manual non-automated attacks. It's a good security practice to use a VPN when testing malware, or entirely disable the internet connection altogether (and then simulate the network activity as @Cch123 suggested - which is the safest option of course).

@RejZoR There is a free version of CyberGhost available which you can install on your Host system, you can enable it prior to performing dynamic malware testing on the Virtual Environment. Don't use it on the VM itself because this isn't as secure - malware could potentially disable the VPN (manipulation of the product).

Alternatively, you could disable the internet connection when performing dynamic testing in your Virtual Environment and you can attempt to rely on online automated sandbox services to perform the execution with the network activity enabled (preventing your system from being utilized for bad network actions but also allowing you to understand what will occur/go on). A good service would be Hybrid-Analysis.
 

RejZoR

Thread author
Nov 26, 2016
I'm using a VPN now. It just sucks that I've again forgotten to re-enable it for a repeated test and the assholes will be again bitching about it after the holidays. :rolleyes: And yeah, I'm using it on my host system, not inside the VM, for that very reason.

Ideal would be to selectively control the traffic on my host, but if I'm honest, I'm just too lazy to do that.
 
Wave

Ideal would be to selectively control the traffic on my host, but if I'm honest, I'm just too lazy to do that.

You can just use a firewall on your Host, it'll pick up the connections coming from the Virtual Environment if it was developed properly (e.g. uses a device driver to filter the traffic from low-level as opposed to user-mode methods to monitor the traffic activity, which would be flawed).

I assume you already know a lot about that as it is so I won't detail further, you know what you're doing. :)
 

FleischmannTV

Jun 12, 2014
the assholes will be again bitching about it after the holidays.

You are intentionally participating in ad fraud, DDoS attacks and infection attempts. The fact that this is happening inside a virtual machine makes no difference. Don't be surprised when your ISP cuts you off entirely and then we will see who is going to bitch.
 

RejZoR

Thread author
Nov 26, 2016
BECAUSE I BLOODY FORGOT TO ENABLE VPN FOR A SHORT WHILE, JESUS...
 

Cch123

May 6, 2014
Well, a VPN just masks my IP which doesn't really help anyone (other than they won't know it was my machine) and blocking connection makes droppers pretty much useless. It's not like a botnet will just infect people on its own. Botnets work when users have a client running. Which in my case runs for the duration of the test and then the VM gets reset. As for DOS/DDOS, how many packets can my machine alone generate to deny one's service? It's not like I have a super fast line or anything. I can limit traffic to like 1Mbit to keep it down as much as possible, but that would be it.

And this, my friend, is the problem. Even if your machine sends a single mb of traffic to a site under DDOS, it can contribute a lot if millions of other machines are doing the same. 1 million Mb is 1 Terabyte, which is a lot.

I would have to say a VPN isn't solving the problem, but it may just be the best compromise option available. My method of using playbacks of traffic as stated above would be the safest and most ethical, but it's also quite time-consuming and thus it's usually malware analysts who use it. If you wish to test antiviruses with large volumes of samples, such a technique is quite impractical due to both the skill level involved and time constraints. If you reset your test machine to an uninfected baseline frequently, the chance of malware in the machine launching attacks within the short timeframe is lower, thus using a VPN is probably okay.
 
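The "simulate the network activity instead of letting it out" approach that Wave and Cch123 describe, as an added example that is not code from the thread or from either poster: a minimal DNS sinkhole for the analysis VM's host-only network, so the sample's lookups resolve and get logged while no packet leaves the lab. The 10.0.0.1 address, the lab layout and the sample query are constructed assumptions.

```python
"""DNS sinkhole for an isolated analysis VM (added example, not code from the thread).
Assumed layout: the VM is on a host-only network with no route out, and its DNS server
setting points at this box. Every A query is answered with SINKHOLE_IP, so the sample's
lookups "succeed" and it moves on while nothing leaves the lab; queried names are logged."""
import socket
import struct

SINKHOLE_IP = "10.0.0.1"  # constructed: host-only address of the fake-service box
# Constructed sample: id 0x1234, standard query, one A question for www.example.com
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")

def parse_qname(packet, offset=12):
    """Decode the question name (uncompressed in questions); return (name, end_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def build_response(query):
    """Answer an A/IN question with SINKHOLE_IP; return (response_bytes, queried_name).
    Other types (AAAA, MX, ...) get an empty NOERROR answer so the sample sees no failure."""
    qname, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    if qtype == 1 and qclass == 1:
        answer = (b"\xc0\x0c"                          # pointer back to the question name
                  + struct.pack("!HHIH", 1, 1, 60, 4)  # type A, class IN, TTL 60 s, RDLENGTH 4
                  + socket.inet_aton(SINKHOLE_IP))
        ancount = 1
    else:
        answer, ancount = b"", 0
    # Flags 0x8180: response, recursion desired and available, NOERROR; QDCOUNT is 1
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, ancount, 0, 0)
    return header + question + answer, qname

def serve(bind=("0.0.0.0", 53)):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:  # answer the VM forever, logging every name it asks for
            data, addr = s.recvfrom(512)
            response, qname = build_response(data)
            print(f"{addr[0]} looked up {qname}")
            s.sendto(response, addr)
```

Call `serve()` on the host-only box (binding port 53 needs privileges) and point the VM's DNS setting at it; the printed names are the lookups you would otherwise have had to let out to observe.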

RejZoR

Thread author
Nov 26, 2016
Well, our work is for the greater good. If I test products and show which ones are the most effective to combat all this, it means long term, there will be less of this crap doing DDoS or any kind of other attacks. So, yeah, I consider me being a part of it for a short time irrelevant. Some may disagree, but frankly, I don't care and I'll defend my stance any time.
 

jamescv7

Mar 15, 2011
This only shows that you are in a region where cyberattacks are an issue and they are ensuring the safety of all customers.

Better go to VPN for your privacy and more convenience. ;)
 