How can I safely test malware in a VM?

Question

This question has probably been asked several times here, but I'll ask it a bit differently.

I am trying to learn about malware and how it infects computers and how to disinfect a computer if one gets attacked. I've seen several people use virtual machines to test malware in (I've been using VirtualBox for a few years now) and I've contemplated on doing it too, but I fear that the malware might "leak out" of the VM and ruin my host computer and all of the computers on my network.

The questions I have are:

1. Can I test malware in VirtualBox with access to the Internet within the VM without harming my host computer or any of the other computers on my network?

2. If I use a real computer to test malware on (I have a junky Dell XP tower kicking around), will formatting afterwords be enough?

3. Can my Dell XP tower also have the Internet enabled without the malware effecting my other computers?

4. Even if I can't have both the Internet enabled and use malware within the VM at the same time, can that malware still "hop out" of the VM and attack my host computer?

5. Since I will also be 'pranking' some of those cliche Windows scammers (well, not really pranking, just testing ways that they can get in and do damage), would it be safe to use a VM, or can I even use that junky Dell of mine?

6. Will it also be necessary to mask my IP and MAC addresses so that they aren't logged and sent out to whoever could receive it while I'm doing the malware testing?

7. If I can safely execute malware within a VM, what steps are necessary for keeping my real stuff safe?

If this helps, my host computer will either be a Mac running OS X 10.8.5, or a tower running XP (not my Dell one).

And the guest will be any OS, but mainly Windows (yes, from newest to oldest)

I hope I explained this well enough for you guys.

Any and all help will be greatly appreciated.

Thank you!

Answer 1

1/3/4/7-Access to the Internet? Not a good idea as depending on what it does, your VM could release it "into the wild". Running it in a VM should be perfectly fine if it is not connected to the internet. This answer from The Bear will go into a lot more detail regarding the malware escaping a VM. Here

2-Formatting should be fine for 99% of malware. Some can attack to other areas other than harddrive though so keep that in mind and research what you are playing with. More information here

6 - You could use a proxy, but as Munkeyoto stated, to properly analyze, you need to see the traffic.

As for your question in the comments... -Yes it is. You shouldnt have any issues with just formatting. There is extremely sophisticated malware that can reside if MBR, bios, firmware, but this would be above everyday malware. UNLESS you have peripherals attached (USB drive for example).

Answer 2

Your 1) Can I test malware in VirtualBox with access to the Internet within the VM without harming my host computer or any of the other computers on my network?

You wouldn't want to. Suppose the malware you are analyzing is deisgned to immediately target say a bank or government machine. You could set yourself up for huge liabilities. On the one side of the equation, not having connectivity limits your results. For example, when dealing with a C&C based strain of malware you would never see any new droppers, or C&C base commands.

The fix for this would be to insert a proxy between you and the rest of the world. To do this properly, what you would need to do is watch the connections, immediate STOP the connections, validate your system is not making a malicious connection, then create an allow to malicious machine fw rule, while blocking other connections. Would look like this:

You --> run malware
Malware connects to malicious site --> get commands (here you get the address of malicious host)
You --> create a BLOCK ALL fw rule, and then create an ALLOW MALICIOUS RULE

This enables your system to ONLY talk to the malicious system. If it tries to launch attacks from your machine, the fw rules would block it. Optimally, you would want to create fake routes. E.g.:

route add 0.0.0.0/0 10.10.10.10/32

Where any and all outbound traffic go to a system (10.10.10.10/32) where on that machine you would run your network analysis tools (Wireshark, Netwitness).

Your 2) If I use a real computer to test malware on (I have a junky Dell XP tower kicking around), will formatting afterwords be enough?

Why not just create and store a ghost image, analyze, restore your ghost image. Bios based malware is rare however to be on the safe side you could password protect your bios, or run something like "regshot" to track commands being performed. Maybe even flytrap from HB Gary (if still available)

Your 3) Can my Dell XP tower also have the Internet enabled without the malware effecting my other computers?

You could never know. Some malware can download exploit tools (metasploit, etc) then scan your internal hosts for vulnerabilities

Your 4) Even if I can't have both the Internet enabled and use malware within the VM at the same time, can that malware still "hop out" of the VM and attack my host computer?

This was answered in your 3

Your 5) Since I will also be 'pranking' some of those cliche Windows scammers (well, not really pranking, just testing ways that they can get in and do damage), would it be safe to use a VM, or can I even use that junky Dell of mine?

Define "pranking." Many malware authors are very technically savvy, and common malware can determine if they are on a honeypot, running in a VM, or if something is amiss. Aside from that, many malware authors are often embedded with organized crime, so it could be a very dangerous game to play.

Your 6) Will it also be necessary to mask my IP and MAC addresses so that they aren't logged and sent out to whoever could receive it while I'm doing the malware testing?

Unclear about this statement. Define masking IP. If/when you connect to a host, you need to come from somewhere. The only solution to get proper results (what is the malware doing) the machine needs to respond to you. You could use a VPN proxy, but there is no method to spoof anything.

Your 7) If I can safely execute malware within a VM, what steps are necessary for keeping my real stuff safe?

Don't analyze malware on the same network as your "real stuff" get yourself a separate router and ONLY put that host there.

Answer 3

The problem you will actually have, when using a VM, is that most malware will refuse to open its payload so you won't get a lot of research done. Researchers using VMs to dissect malware are all too common, and most malware nowadays actively prevents it by looking for clues that it's running in a VM, and staying dormant if it finds them. Keep that in mind if you pursue the virtualized method, you will probably get different results than someone doing the same tests on a bare metal system.

That being said, you should be OK using your desktop with the same precautions: limit all network access, never attach it to your local net and never provide internet access, unless you are directly watching what it is doing with a traffic sniffer and can kill it if it starts to do something malicious like fire up a DoS attack or portscan the NSA. Also, don't share any media (thumb drives, etc) on the system after the malware is deployed. If you do want to save files for later use, put a ring of red tape on the drive to make sure you don't mix it up with others.

Answer 4

It depends which malware - if you've got a good idea of the behaviour of the particular strain of malware that you're testing, then internet access shouldn't be a problem. Of course you have to have confidence that running it won't attack any internet hosts, for example, from other reputable reports on the malware analysis.

There will always be VM breakouts possible, whether these bugs have been discovered or not is another issue though. Generally you would be safe, especially if you are only testing malware known not to have any VM exploits contained.

I recently setup a VMware Fusion network for Malware testing. Depending on the malware strain, I could setup Iptables to either block internet access (apart from DNS and other whitelisted hosts), or to allow public internet access. Access to private addresses was always prohibited - this will protect your local network from malware traversal.

My topology was as follows:

Host (Mac) <--> Debian running as IP forwarder with Iptables <--> Windows Test machine
                                                              |->  Kali box

The Kali box was there so I could also run my own custom exploits against the target machine, from an external point of view.

The Debian system had two network interfaces, this enables the network to the right to be configured with no access to the host machine, nor any external network access at all. The network to the left was configured with internet access only, and no host access.

You don't need to worry about MACs being exposed, as these are a level two network entity, so don't have any bearing on the internet connectivity of devices, only the local network. Of course, if the malware contacts any internet based services, your IP will be exposed to this, unless you configure the Debian system to VPN or Tor these connections.

The elephant in the room is that even with "trusted malware behaviour", the malware in question might download arbitrary executables from its controller host, therefore it might do anything such as attacking banking websites or trying to break out of the VM. Therefore if this is a concern, you would have to mimic the controller host using another VM if you were to truly analyse the malware's behaviour, and disallow internet access totally.