Given

  • that there's quite a lot of malware running around targeting home computers;
  • that for there to be malware, someone has to have built it; and
  • most malware developers probably don't have the luxury of being able to use a whole different kind of system for actually building the malware (and, even if they did, they'd still need a PC in order to test the damn stuff);

how do people developing malware avoid wrecking the systems that they use to develop said malware?

Vikki
  • They probably use virtual machines or run it in some kind of sandbox environment. – Technidev Apr 04 '18 at 21:20
  • Possible duplicate of https://security.stackexchange.com/questions/3056/how-secure-are-virtual-machines-really-false-sense-of-security – Tom K. Apr 04 '18 at 21:35
  • Same way you test any invasive program. The more sophisticated developers will be using test cases. It's easy to test ransomware for example if you have a debug build that will only encrypt data in a specific directory. Or you can change the header file that specifies the file types to encrypt and modify it so it only encrypts a dummy format. – forest Apr 05 '18 at 06:03

2 Answers

Developing malware and destroying environments is the same as investigating malware to reverse it.

Your assumption about developers not being able to use different systems is incorrect. The below allow a developer to host multiple virtual machines for testing against different platform images.

  • Azure
  • AWS
  • VirtualBox
  • VMware

Virtualization allows the machines to be torn down and spun up again after deploying the malware and executing it. This is how forensic investigators reverse malware by running it in an isolated environment where they can watch how it interacts with the system - the process is the same for developing it.

Buying a second hand machine is cheap and would be done if you want the malware to target physical machines and detect virtual environments. Take some disk images and you're good to go.

Modern malware is often made up of different stages or modules. Modular development results in it being more difficult to reverse engineer; it also allows testing of the modules separate to the whole. This way a destructive payload is not executed per test.

McMatty
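As an added example (not code from the answer above), a small Python harness for the tear-down-and-spin-up loop the answer describes, driving VirtualBox's VBoxManage CLI in the way an analyst's sandbox would: revert to a clean snapshot, unplug the virtual NIC, run the sample with a timeout, then power off and revert again. The VM name, snapshot name, guest credentials and guest directory are assumptions, and the VBoxManage subcommands are written as I know them, so check them against your VirtualBox version; the point of the code is that the revert always runs, even when the sample hangs or an earlier step fails.

```python
import shlex
import subprocess

VBOX = "VBoxManage"  # assumption: the VirtualBox CLI is on PATH


def plan_isolated_run(vm, snapshot, sample, user, password,
                      guest_dir="C:\\sandbox", timeout_s=120):
    """Return (steps, teardown) as VBoxManage argv lists for one run:
    revert to the clean snapshot, unplug the virtual NIC, boot headless,
    copy the sample in, run it with a timeout; then power off and revert
    again so the next run (and the host) never sees a dirty VM."""
    exe = guest_dir + "\\" + sample.rsplit("/", 1)[-1]
    auth = ["--username", user, "--password", password]
    steps = [
        [VBOX, "snapshot", vm, "restore", snapshot],
        [VBOX, "modifyvm", vm, "--nic1", "null"],  # cable disconnected
        [VBOX, "startvm", vm, "--type", "headless"],
        [VBOX, "guestcontrol", vm, "copyto", *auth, sample,
         "--target-directory", guest_dir],
        [VBOX, "guestcontrol", vm, "run", *auth,
         "--timeout", str(timeout_s * 1000), "--exe", exe],
    ]
    teardown = [
        [VBOX, "controlvm", vm, "poweroff"],
        [VBOX, "snapshot", vm, "restore", snapshot],
    ]
    return steps, teardown


def execute(steps, teardown, runner=None):
    """Issue the steps in order, then ALWAYS the teardown.
    runner(argv) performs one command (default: subprocess, raising on a
    non-zero exit). Returns (issued, failed): every argv actually issued,
    and the (argv, exception) of the first step that broke, or None."""
    run = runner or (lambda argv: subprocess.run(argv, check=True))
    issued, failed = [], None
    for argv in steps:
        issued.append(argv)
        try:
            run(argv)
        except Exception as exc:  # sample hung, copy failed, VM missing...
            failed = (argv, exc)
            break
    for argv in teardown:  # runs whether or not a step above failed
        issued.append(argv)
        try:
            run(argv)
        except Exception as exc:
            print("teardown step failed:", shlex.join(argv), exc)
    return issued, failed
```

Pass `runner=lambda argv: print(shlex.join(argv))` to `execute` for a dry run that only prints the commands it would issue.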
Not a malware developer but here's what I suspect to be the case and what I've heard in other seminars.

First of all, there are a lot of kits available on the dark web where you can purchase malware and malware development kits as a service. Someone already built the components; now just assemble the components and let loose!

Keep in mind that organized cybercrime makes a lot of money. It's out of kids' hands and in the hands of true professionals. Given that, I'd suspect that they have labs, etc, where they can test and develop. Most large security companies talk about there being, for lack of a better term, professional malware enterprises that do their work in office buildings.

Even if it's someone working in a basement somewhere, these people are criminals. Theft of resources isn't a huge problem for them. Maybe they steal hardware. Maybe they steal compute capacity from unsuspecting victims. If it were me, I'd have copies of VMware and build and test on virtual machines. Those can be reset back to an original configuration quite easily.

Keep in mind what malware is now. It used to be centered on destruction. Now it's centered on financial gain, exfiltrating data to a known host somewhere else on the internet. So the risks to the developer, although high, aren't the loss of their hardware any more. The developers also most likely know how to prevent any of their data from exfiltrating - were I to do that, I'd make sure that I knew how to close that particular door.

baldPrussian
  • This is an accumulation of conjectures and guesses. Please try to give a sound reasoning or sources for your claims. – Tom K. Apr 04 '18 at 21:42
  • "It used to be centered on destruction. Now it's centered on stealth and keeping itself invisible" - Someone with a WannaCry-scrambled computer would likely take issue with your assertion that destruction-oriented malware no longer exists. – Vikki Apr 04 '18 at 21:49
  • @sean. good point. It's more of a money-making venture. I'll update to reflect that. – baldPrussian Apr 04 '18 at 21:52