Malware testing and ISP issues

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
So, I got a call today from my ISP that our top level networking authority Si-CERT has reported botnet activity on one of their systems (my host system) and have issued a report.

I really don't want to stop testing, but it'll be bloody annoying if my ISP will be constantly getting reports. And running VM's offline will suck, because that means you're not really getting real conditions for malware and for security software where I want it to rely on live connection.

Anyone of you guys who also do live malware testing in VM systems also encountered any of such problems with your ISP's?
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Yes it is very important to use a VPN connection because virtual machine NAT config. assumes the sharing of the host IP, so it is necessary to protect our real IP from malware access.
 

Cch123

Level 7
Verified
May 6, 2014
335
You shouldn't be connecting your VM with live malware to the internet at all. Doing so is very irresponsible if you do not understand the samples you are using well. For instance, what happens if the botnet you are testing starts infecting other people's network? Or launch a DDOS attack?

If you really need, which is very often not the case, use a transparent proxy for offline malware testing, which can simulate any internet connection that the botnet needs. Alternatively if you are visiting malware sites to download malware for live testing, use a firewall to block inappropriate connections. The firewall can be either software based, installed on the host machine (not VM), or hardware based.

Just a note of warning, some ISPs will revoke your internet access if they detect too much attack traffic from your network, or if someone complains.
 

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
Well, VPN just masks my IP which doesn't really help anyone (other than they won't know it was my machine) and blocking connection makes droppers pretty much useless. It's not like botnet will just infect people on its own. Botnets work when users have a client running. Which in my case runs for the duration of the test and then VM gets reset. As for DOS/DDOS, how much packets can my machine alone generate to deny ones service? It's not like I have a super fast line or anything. I can limit traffic to like 1Mbit to keep it down as much as possible, but that would be it.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Well, VPN just masks my IP which doesn't really help anyone (other than they won't know it was my machine) and blocking connection makes droppers pretty much useless. It's not like botnet will just infect people on its own. Botnets work when users have a client running. Which in my case runs for the duration of the test and then VM gets reset. As for DOS/DDOS, how much packets can my machine alone generate to deny ones service? It's not like I have a super fast line or anything. I can limit traffic to like 1Mbit to keep it down as much as possible, but that would be it.
Well it seems that your ISP does not think like you...
 

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
Yeah, well, they have no clue it's all happening in controlled environment. They think my actual system is infected and doing all these horible things. Which would be the case for casuals, but not for people like us who specifically hang around security communities... But again, they don't know what's going on.

What's funny is that I've been doing this before and it never bothered anyone. All this crap happening since I've upgraded to fiber optics...
 
M

MalwareBlockerYT

Yeah, well, they have no clue it's all happening in controlled environment. They think my actual system is infected and doing all these horible things. Which would be the case for casuals, but not for people like us who specifically hang around security communities... But again, they don't know what's going on.

What's funny is that I've been doing this before and it never bothered anyone. All this crap happening since I've upgraded to fiber optics...
Have you not been using a VPN?

VPNs are a crucial step when malware testing.
 

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
Well, you're not really solving anything by using it really. Instead of ISP seeing "botnet" packets, the VPN provider will. Traffic is the same on the output end. So, you're not really fixing anything, you're just placing a virtual blame on someone else.
 
  • Like
Reactions: AtlBo

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
Also, one would expect VPN provider to ban your IP if they'd detect suspicious behaviuor through their service. Wouldn't they?
 
  • Like
Reactions: AtlBo and Svoll

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
@RejZoR
Don't you think that using VPN might be the solution, considering that those are malware testers that are advising you to use one? Yeah, you may have a point, but with their expertise, maybe they are right. :)

I know you're an expert, by the way. So, I'm just offering a food for thought, and not trying to argue with you because I'll sure lose. :D
 

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
If everyone is placing blame on others using VPN, then so will I.
 
  • Like
Reactions: AtlBo

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
If everyone is placing blame on others using VPN, then so will I.
By using a VPN your real IP is hidden and the publicly visible IP will be the one of the server to which you are connected and then the server of the VPN service provider, of course via tunneling so that your data are usually encrypted.
Actually I don't think that the "blame" falls on someone else.
However, I'm just saying my opinion in relation to your specific question but this is your issue not of the ISP.
According to what you're saying, your real IP is blacklisted and if these are the facts I do not see other logical alternative except to stop malware analysis or do it offline.
 

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
Ok, so what you do when VPN provider blocks your IP because it's essentially doing the same my system was doing to my ISP directly? Just keep on changing VPN providers? Or hope they just don't care?
 
  • Like
Reactions: AtlBo

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
11,043
Well, you're not really solving anything by using it really. Instead of ISP seeing "botnet" packets, the VPN provider will. Traffic is the same on the output end. So, you're not really fixing anything, you're just placing a virtual blame on someone else.

I'm doing malware testing on a VM for 2 years until now. I had only once a report of my ISP because I forgot to activate the VPN.
It is highly recommended to use a VPN if you are testing with malware. It seems you want to ignore the experience of others...
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
Correct me if I am wrong, A proper VPN is suppose to assist in anonymity, not store logs or monitor what user does. You wouldn't have the same issues as your ISP if you are using an VPN.
 

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
Funny thing is, I've been doing similar testing for ages, I just wasn't recording it because my upload to Youtube was too crap and I just didn't bother. Now, it's all of a sudden an issue. It's why I never bothered VPN-ing the connection.
 
  • Like
Reactions: AtlBo
K

KGBagent47

No way I would test without a VPN, because what's stopping that malware from connecting your IP address to some highly illegal activity?
 
  • Like
Reactions: AtlBo and Venustus

Lord Ami

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 14, 2014
1,032
I would also suggest you use VPN. You can try them for free but I doubt you would make small traffic. Here's a good deal:
Promotion - Upgrade to Windscribe Pro for USD $1 per month for 12 months
Considering to buy it myself. Has tracking and ad blocker built in :)

VPN most likely will not block anything unless you run samples and let them send out spam/DDoS for hours or days. They are very strict with privacy and unless something abnormal is detected, you're good.
 
  • Like
Reactions: AtlBo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top