Set up VirtualBox for Testing Malware

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
I was doing research to set up a malware testing VM (VirtualBox), and I found this at StackExchange:

How can I safely test malware in a VM?

They all seem convinced that it's too dangerous to test malware while connected to the internet. I can see their point, if the testing could potentially damage some other network. I could also see how a provider might respond to someone broadcasting malware all over the place. I'd like to know how experienced testers feel about this.

I am installing XP SP3, so I won't be able to test everything. That's ok with me, as I am going to take the whole thing slow, and I am more concerned about the safety of the local network and of others. Don't know if there are extra security measures to take with XP or not.

If I am going to test, I want to have an internet connection. Here are some questions I have:
-What is a NAT and how do I set one up with VirtualBox?
-When installing XP, connect through local area network (home) or connect directly to the internet?
-Is it necessary to have folder sharing? I haven't installed the tools for this.
-Good free VPN for this purpose. Anyone had problems with your provider or a VPN over this?
-Internet considerations allowed, what are the otherwise lockdown settings for testing? A link or anything is good.

Advice and comments is/are great.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Thanks for sharing.

We have hundreds of similar threads and posts scattered around, but here's one Pinned under General Security Discussions.

Protecting Host Machine from Malware escaping a VM.

Some threads were moved or merged, so I'll need to find them again.

[watch this space]
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Thanks. I searched and found only two links which didn't have the details I was hoping for. Google had some that helped.

I imagine I will have some questions after reading, as I am insanely meticulous when it comes to danger. :eek::confused:
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
You can install Windows 7 Thin PC, which is extremely light on resources. However, it lacks some features, which can be annoying. I switched to W7 Pro because it removed the Snipping Tool + I couldn't install or restore .NET Framework 3.5. I still think W7 is more compatible than XP.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
You can install Windows 7 Thin PC, which is extremely light on resources. However, it lacks some features, which can be annoying. I switched to W7 Pro because it removed the Snipping Tool + I couldn't install or restore .NET Framework 3.5. I still think W7 is more compatible than XP.

Evjl's Rain. Really appreciate your input. I admire your work you have been doing, and I would like to emulate the precautions you take prior to testing.

I have set up a VM for XP SP3 with all the updates and programs. I can always create another VM with W7 Thin. Do you think I should? If it can handle .NET 4.5, maybe this is the best plan. On XP the Efficacy test you linked won't install, so W7 would be better if I can get that to work. Tried it on another XP SP3 PC, so I know it's a .NET 4.5 thing. I don't really need the clipping tool or I can add one.

When locking down for testing should I:
1. Disable USB to the VM? Potential is here for a mistake
2. Disable DVD to the VM? same
3. To avoid trouble with ISP, I want to add VPN to the host. Is there a free one that will work well for this? Just need a part time VPN.

Not going to set up share folders, so I guess I will download everything straight from the internet. It's the best I can think of for now.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Evjl's Rain. Really appreciate your input. I admire your work you have been doing, and I would like to emulate the precautions you take prior to testing.

I have set up a VM for XP SP3 with all the updates and programs. I can always create another VM with W7 Thin. Do you think I should? If it can handle .NET 4.5, maybe this is the best plan. On XP the Efficacy test you linked won't install, so W7 would be better if I can get that to work. Tried it on another XP SP3 PC, so I know it's a .NET 4.5 thing. I don't really need the clipping tool or I can add one.

When locking down for testing should I:
1. Disable USB to the VM? Potential is here for a mistake
2. Disable DVD to the VM? same
3. To avoid trouble with ISP, I want to add VPN to the host. Is there a free one that will work well for this? Just need a part time VPN.

Not going to set up share folders, so I guess I will download everything straight from the internet. It's the best I can think of for now.
I don't know if W7 Thin PC can install .NET 4.5, but I don't think it can. It's so restricted, not ideal to test malwares because it's completely free. You can install a full Windows 7 and take a snapshot.
Yes, you can disable all those USB and DVD, for your safety.
You can use Windscribe VPN (10GB free) or Hotspot Shield. I have 50GB of Windscribe monthly but I have used only 2.6GB in total for making those videos, and sometimes I forgot to turn it off after testing. 10GB is more than enough in this case.

You can use a USB or a shared folder, but make sure you set them as read-only. Without the help of a shared folder, my testing of ransomware would be a nightmare because ransomwares encrypt everything. I can just quickly copy those samples from my read-only shared folder.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Evjl's thanks and this has been very helpful. I think I may upload the files to OneDrive.

I had an idea today about Virus Total. I think it's owned by Google. If so, how amazing would it be if Virus Total via Google produced a testing app that contained a VPN just for testers and then also uploaded tested files automatically? I mean if traffic through the app from files launched in the container were routed through VT, they could snatch payloads directly when on their way back and still send them to the test machine. Free testers for VT. If the app has built in security so that files can only be opened from the app (normal executables outside programs areas), then user couldn't even make a mistake opening one outside. This brain works too hard, but I hope someone will think of testers this way some day.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
I've been doing malware testing in a VM for the last 3 years and have never suffered an infection on the system.

By theory and analysis, then yes, a possibility of infection may occur, since the virtualization can be broken out of, especially when incorrectly configured.

A vulnerability in the Virtual Machine may contribute to a possible breakdown of isolation, since it can cause leakage.

However, as long as you set the connection to NAT and turn off file sharing, then everything will be fine.

------------------

The majority of cases that happened came from human error.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
This is what worries me. I decided to take things slowly. Seems Windscribe is helping me since the confirmation e-mail for the 10GB free has not appeared yet after a couple of hours. I submitted a ticket.

Should I create another thread for deciding which malwares to test? I was going to see if I could join MalwareBlocker's web page for one.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Unless you're a terrorist or a high-level target for a nation state, you will never see malware break out of a VM.

Breaking out of a VM would take multiple zero day vulnerabilities chained together. Very costly attack.

One thing you need to consider with VirtualBox is changing the MAC address. NoVirusThanks makes a simple MAC changer that works.

You also need to edit the CPU settings of VirtualBox. If malware detects the system running only 1 CPU, then it will not infect the VM.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
ZK...is there a way to set the machine processors to 2 after the machine is finalized? If I have to start over, it will still be a good experience for me, so I'm not worried if that is the case.
 

brambedkar59

Level 29
Verified
Top Poster
Well-known
Apr 16, 2017
1,877
Can you please elaborate on why it's necessary to build a VM with two or more CPUs?
Sorry for replying to a dead thread. I was going through older posts in MT, and I couldn't resist after reading this.
I think the reason is pretty simple: single-core processors are extinct, so it would make the malware's job of seeing if it's a VM or not pretty simple. I had one, an AMD Athlon LE-1640, almost 10 years ago.
 
