
I'm trying to set up a VM that will try to mimic malicious web browsing behavior. It should download malware and just get infected.

There are a lot of open source threat intel feeds with bad IPs and URLs. Is there a way to have it visit malicious sites and get infected?

In case you are wondering why, it's in a test lab and I'm trying to test how well my IDS and malware sandboxes work.

Bilal

2 Answers

1

I'm trying to set up a VM that will try to mimic malicious web browsing behavior.

It sounds like you are trying to mimic web browsing of malicious sites, not malicious browsing of web sites.

It should download malware and just get infected.

As a precaution, you should run the VM on a system that is physically isolated from the rest of your network (for example, an old laptop). Ideally, tape over the webcam, and disconnect the microphone, BT, WiFi (though that may require opening it up). It should have wired Internet only with a firewall that prevents it from accessing the rest of your network, such as a so-called "DMZ" configuration.

There are a lot of open source threat intel feeds with bad IPs and URLs. Is there a way to have it visit malicious sites and get infected?

Shouldn't be too difficult to write a script that repeatedly opens Firefox with a URL from a list and then kills Firefox a few tens of seconds later, after the malicious website has had time to do its thing.

In case you are wondering why, it's in a test lab and I'm trying to test how well my IDS and malware sandboxes work.

Great. Just be careful. Be very careful.

DepressedDaniel
  • Thanks Daniel, it's isolated in a virtual environment. I can easily script a browser to go to a URL, but how can I have it interact and click on web links on the site? Can I have it interact with a malicious site and actively download files or malware? – Bilal Dec 31 '16 at 01:05
  • @Bilal I wouldn't rely on virtualization alone, there have been a few exploitable hypervisor bugs in the past. – DepressedDaniel Dec 31 '16 at 01:08
  • @Bilal Well, I was thinking more in terms of browser exploits that wouldn't need user interaction. Malware that requires manual installation is pretty low-hanging fruit. – DepressedDaniel Dec 31 '16 at 01:09
  • It's virtualized and isolated from my production network using ESXi. – Bilal Dec 31 '16 at 01:11
  • I understand downloading malware is low-hanging fruit, but that's what I want to emulate. I have a FireEye that should extract these files and analyze them. – Bilal Dec 31 '16 at 01:13
  • @Bilal The type of activity you're trying to emulate could easily be achieved using [CasperJS](http://casperjs.org). In addition, screenshots could be taken of each site as they're opened. – C.Liddell Dec 31 '16 at 01:20
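The loop Daniel sketches, as an added shell example that is not part of either answer: it reads a URL list (the lab's threat-intel feed export would go in place of the constructed sample), opens each URL in a fresh browser process inside the isolated VM, kills the browser after a dwell time, and writes one log line per visit so entries can be lined up against IDS and sandbox alerts. BROWSER, DWELL and LOG are assumed names.

```shell
#!/bin/sh
# Added example (not from the answers above). Walk a URL list inside the isolated lab VM:
# one fresh browser process per URL, killed after a dwell time, with a per-visit log line
# for correlation with IDS/sandbox alerts. BROWSER, DWELL and LOG are assumed names.
BROWSER="${BROWSER:-firefox}"   # browser binary; override for dry runs
DWELL="${DWELL:-30}"            # seconds the page is given before the browser is killed
LOG="${LOG:-visits.log}"        # tab-separated: start time, URL, outcome

# Print the usable URLs from a list file: drop comments and blank lines, and keep only
# http(s) entries so a bare IP from an indicator feed is not handed to the browser.
load_urls() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -E '^https?://'
}

# Visit one URL for DWELL seconds. Returns 0 when the browser was still running at the end
# of the dwell (the normal case: it is then terminated), 2 when it exited early, which is
# worth seeing in the log because a browser crash can itself be the exploit attempt.
visit_url() {
    url="$1"
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    "$BROWSER" "$url" >/dev/null 2>&1 &
    pid=$!
    sleep "$DWELL"
    if kill -0 "$pid" 2>/dev/null; then
        outcome=killed
        kill -TERM "$pid" 2>/dev/null || true
        sleep 1
        kill -KILL "$pid" 2>/dev/null || true   # in case TERM was ignored
        rc=0
    else
        outcome=exited_early
        rc=2
    fi
    wait "$pid" 2>/dev/null || true
    printf '%s\t%s\t%s\n' "$start" "$url" "$outcome" >> "$LOG"
    return $rc
}

# Walk the whole list; a bad result on one URL must not stop the run.
crawl_list() {
    load_urls "$1" | while IFS= read -r url; do
        visit_url "$url" || true
    done
}

# Usage: sh visit_list.sh urls.txt   (urls.txt being the feed export, one URL per line)
if [ $# -ge 1 ]; then
    crawl_list "$1"
fi
```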
0

Why not write a web crawler/spider and give it a list of suspicious domains to crawl through and download files and test over them?

Anders
StackB00m
  • I can easily give a list of domains to browse, but how do I tell the script what files to download? How do I target files to be downloaded? – Bilal Dec 31 '16 at 05:23
  • So you need malware/spyware/adware samples; I can give you a list of samples for testing, just wget them all. – StackB00m Dec 31 '16 at 05:41