How can I safely test malware in a VM?

Question

This question has probably been asked several times here, but I'll ask it a bit differently.

I am trying to learn about malware and how it infects computers and how to disinfect a computer if one gets attacked. I've seen several people use virtual machines to test malware in (I've been using VirtualBox for a few years now) and I've contemplated on doing it too, but I fear that the malware might "leak out" of the VM and ruin my host computer and all of the computers on my network.

The questions I have are:

Can I test malware in VirtualBox with access to the Internet within the VM without harming my host computer or any of the other computers on my network?
If I use a real computer to test malware on (I have a junky Dell XP tower kicking around), will formatting afterwords be enough?
Can my Dell XP tower also have the Internet enabled without the malware effecting my other computers?
Even if I can't have both the Internet enabled and use malware within the VM at the same time, can that malware still "hop out" of the VM and attack my host computer?
Since I will also be 'pranking' some of those cliche Windows scammers (well, not really pranking, just testing ways that they can get in and do damage), would it be safe to use a VM, or can I even use that junky Dell of mine?
Will it also be necessary to mask my IP and MAC addresses so that they aren't logged and sent out to whoever could receive it while I'm doing the malware testing?
If I can safely execute malware within a VM, what steps are necessary for keeping my real stuff safe?

If this helps, my host computer will either be a Mac running OS X 10.8.5, or a tower running XP (not my Dell one).

And the guest will be any OS, but mainly Windows (yes, from newest to oldest)

I hope I explained this well enough for you guys.

Any and all help will be greatly appreciated.

Thank you!

When I say "running it in a VM should be perfectly fine", there has been talk of exploiting a programming error on exiting a VM. But it is way over my head of comprehension on how it works. Your fine running it in a VM without Internet access. — IT_User, May 13 '16 at 05:00
When I state "way over my head" it's not that I'm a know it all when It comes to this but that the general concensus is "your fine" — IT_User, May 13 '16 at 05:12
Thanks for the responses. What about using that junky Dell of mine? Is that okay too, if it's not connected to the Internet? — Terkey-Juice, May 13 '16 at 05:29
Yes it is. You shouldnt have any issues with just formatting. There is extremely sophisticated malware that can reside if MBR, bios, firmware, but this would be way above everyday malware. UNLESS you have peripherals attached (USB drive for example). — IT_User, May 13 '16 at 05:34
If I formatted from FAT32 to NTFS and vice versa each time the Dell tower is infected, does that lessen the chances of malware residing in the MBR? — Terkey-Juice, May 13 '16 at 06:37
I am not 100% sure of that, but there are many tools out there that will allow you to rebuild the MBR, or using a windows recovery disk should allow you to perform a low-level format which should accomplish this. — IT_User, May 13 '16 at 14:13
It may be hard to see what the malware is doing without internet access (I.e. it might need to download a payload or check in with a CnC server first). For this purpose, I put malware testing VMs behind a virtual machine that acts as a router, but transparently shoves everything through tor. — multithr3at3d, May 13 '16 at 18:18
@korockinout13 So how can I go about doing this? It sounds effective, but kinda confusing. Also, I have read in several places that using a bridged connection is best. I have even seen some people say that NAT is best. Are any of those true? — Terkey-Juice, May 14 '16 at 15:49
A bridged connection gives the machine a direct connection to your local network, which is a bad idea. NAT is okay, but it could still be possible for the machine to connect to devices on the network. An internal network with some isolating router is the best solution. — multithr3at3d, May 16 '16 at 17:01

score 5 · Answer 1 · edited Mar 17 '17 at 10:46

1/3/4/7-Access to the Internet? Not a good idea as depending on what it does, your VM could release it "into the wild". Running it in a VM should be perfectly fine if it is not connected to the internet. This answer from The Bear will go into a lot more detail regarding the malware escaping a VM. Here

2-Formatting should be fine for 99% of malware. Some can attack to other areas other than harddrive though so keep that in mind and research what you are playing with. More information here

6 - You could use a proxy, but as Munkeyoto stated, to properly analyze, you need to see the traffic.

As for your question in the comments... -Yes it is. You shouldnt have any issues with just formatting. There is extremely sophisticated malware that can reside if MBR, bios, firmware, but this would be above everyday malware. UNLESS you have peripherals attached (USB drive for example).

score 4 · Answer 2 · answered May 13 '16 at 16:56

Your 1) Can I test malware in VirtualBox with access to the Internet within the VM without harming my host computer or any of the other computers on my network?

You wouldn't want to. Suppose the malware you are analyzing is deisgned to immediately target say a bank or government machine. You could set yourself up for huge liabilities. On the one side of the equation, not having connectivity limits your results. For example, when dealing with a C&C based strain of malware you would never see any new droppers, or C&C base commands.

The fix for this would be to insert a proxy between you and the rest of the world. To do this properly, what you would need to do is watch the connections, immediate STOP the connections, validate your system is not making a malicious connection, then create an allow to malicious machine fw rule, while blocking other connections. Would look like this:

You --> run malware
Malware connects to malicious site --> get commands (here you get the address of malicious host)
You --> create a BLOCK ALL fw rule, and then create an ALLOW MALICIOUS RULE

This enables your system to ONLY talk to the malicious system. If it tries to launch attacks from your machine, the fw rules would block it. Optimally, you would want to create fake routes. E.g.:

route add 0.0.0.0/0 10.10.10.10/32

Where any and all outbound traffic go to a system (10.10.10.10/32) where on that machine you would run your network analysis tools (Wireshark, Netwitness).

Your 2) If I use a real computer to test malware on (I have a junky Dell XP tower kicking around), will formatting afterwords be enough?

Why not just create and store a ghost image, analyze, restore your ghost image. Bios based malware is rare however to be on the safe side you could password protect your bios, or run something like "regshot" to track commands being performed. Maybe even flytrap from HB Gary (if still available)

Your 3) Can my Dell XP tower also have the Internet enabled without the malware effecting my other computers?

You could never know. Some malware can download exploit tools (metasploit, etc) then scan your internal hosts for vulnerabilities

Your 4) Even if I can't have both the Internet enabled and use malware within the VM at the same time, can that malware still "hop out" of the VM and attack my host computer?

This was answered in your 3

Your 5) Since I will also be 'pranking' some of those cliche Windows scammers (well, not really pranking, just testing ways that they can get in and do damage), would it be safe to use a VM, or can I even use that junky Dell of mine?

Define "pranking." Many malware authors are very technically savvy, and common malware can determine if they are on a honeypot, running in a VM, or if something is amiss. Aside from that, many malware authors are often embedded with organized crime, so it could be a very dangerous game to play.

Your 6) Will it also be necessary to mask my IP and MAC addresses so that they aren't logged and sent out to whoever could receive it while I'm doing the malware testing?

Unclear about this statement. Define masking IP. If/when you connect to a host, you need to come from somewhere. The only solution to get proper results (what is the malware doing) the machine needs to respond to you. You could use a VPN proxy, but there is no method to spoof anything.

Your 7) If I can safely execute malware within a VM, what steps are necessary for keeping my real stuff safe?

Don't analyze malware on the same network as your "real stuff" get yourself a separate router and ONLY put that host there.

Pranking: I mean calling up a number known for pretending to be a "Certified Windows Expert" and when they need to remotely connect to my computer to "fix" the issues I don't have on it, I use a VM. An example would be here: [https://www.youtube.com/watch?v=tGGpgieEewI]
Masking an IP: By that I mean changing the public IP address in the VM so when it connects to the Internet, the IP is not my real one. — Terkey-Juice, May 14 '16 at 15:37
Also, when you say to block all connections from the VM that could be malicious, do you mean only connections being received, or both outgoing and incoming connections? — Terkey-Juice, May 14 '16 at 15:39

score 2 · Answer 3 · answered May 13 '16 at 16:32

The problem you will actually have, when using a VM, is that most malware will refuse to open its payload so you won't get a lot of research done. Researchers using VMs to dissect malware are all too common, and most malware nowadays actively prevents it by looking for clues that it's running in a VM, and staying dormant if it finds them. Keep that in mind if you pursue the virtualized method, you will probably get different results than someone doing the same tests on a bare metal system.

That being said, you should be OK using your desktop with the same precautions: limit all network access, never attach it to your local net and never provide internet access, unless you are directly watching what it is doing with a traffic sniffer and can kill it if it starts to do something malicious like fire up a DoS attack or portscan the NSA. Also, don't share any media (thumb drives, etc) on the system after the malware is deployed. If you do want to save files for later use, put a ring of red tape on the drive to make sure you don't mix it up with others.

score 0 · Answer 4 · answered May 16 '16 at 09:48

It depends which malware - if you've got a good idea of the behaviour of the particular strain of malware that you're testing, then internet access shouldn't be a problem. Of course you have to have confidence that running it won't attack any internet hosts, for example, from other reputable reports on the malware analysis.

There will always be VM breakouts possible, whether these bugs have been discovered or not is another issue though. Generally you would be safe, especially if you are only testing malware known not to have any VM exploits contained.

I recently setup a VMware Fusion network for Malware testing. Depending on the malware strain, I could setup Iptables to either block internet access (apart from DNS and other whitelisted hosts), or to allow public internet access. Access to private addresses was always prohibited - this will protect your local network from malware traversal.

My topology was as follows:

Host (Mac) <--> Debian running as IP forwarder with Iptables <--> Windows Test machine
                                                              |->  Kali box

The Kali box was there so I could also run my own custom exploits against the target machine, from an external point of view.

The Debian system had two network interfaces, this enables the network to the right to be configured with no access to the host machine, nor any external network access at all. The network to the left was configured with internet access only, and no host access.

You don't need to worry about MACs being exposed, as these are a level two network entity, so don't have any bearing on the internet connectivity of devices, only the local network. Of course, if the malware contacts any internet based services, your IP will be exposed to this, unless you configure the Debian system to VPN or Tor these connections.

The elephant in the room is that even with "trusted malware behaviour", the malware in question might download arbitrary executables from its controller host, therefore it might do anything such as attacking banking websites or trying to break out of the VM. Therefore if this is a concern, you would have to mimic the controller host using another VM if you were to truly analyse the malware's behaviour, and disallow internet access totally.

How can I safely test malware in a VM?

4 Answers4