Can any of the viruses spread via NAT network in VMWare?


I am planning on making videos on these 3 viruses on 3 different VMs. The VMs will be set to NAT, is that safe?

These are the viruses:

 - Cryptolocker
 - Stuxnet
 - Flame

So will these viruses spread to my main computer via NAT (I have Norton Internet Security installed), or will they stay in the VM?

Well, to answer your question, no. But if you had to ask, should you be doing this in the first place?

I am planning on making videos on these 3 viruses on 3 different VMs. The VMs will be set to NAT, is that safe?

These are the viruses:

 - Cryptolocker
 - Stuxnet
 - Flame

So will these viruses spread to my main computer via NAT (I have Norton Internet Security installed), or will they stay in the VM?

Yes, I wouldn't chance it. Personally, I would isolate them totally and not install a Virtual NIC.

Well, to answer your question, no. But if you had to ask, should you be doing this in the first place?

There are some reasons I'm doing this:

1 - Fun.
2 - To teach people how to avoid them

There are some reasons I'm doing this:

1 - Fun.
2 - To teach people how to avoid them

If you are unsure of their attack vectors, how are you teaching people to avoid them? :laugh:

I know their attacks

You just asked if the malware can spread to computers within the same network, so if you were familiar with the attack vectors of each of those pieces of malware then why would you be asking about this?

The point is, if you aren't familiar with how the malware spreads then it is going to be difficult to teach people to avoid the malware or avoid spreading it yourself --> read as: you probably shouldn't be installing the malware.

Well, just put it this way, a strict NAT connection isn't going to give the client access to the host; however, you need to make sure there is no connection from the client to the host (shared folders, drives, etc). If you network both client and host, then all bets are off.

But I agree with what others are saying. If you're not sure as to what will happen, then you might want to reconsider. You can't really teach people about this stuff if you're not even sure.

Is Cryptolocker safe to test without shared folder, with NAT, etc.? I just haven't heard about Flame or S.net spreading via networks.

Information stating that Flame or Stuxnet can spread over a network is readily available via a cursory search of the Internet/Wikipedia. No one here is a malware expert (except maybe the guy who works for ESET), we all just googled and looked before posting. You'd be able to find the same information yourself if you searched before asking. For example, that Cryptolocker isn't a virus, but that you shouldn't be using NAT, sharing folders, or having it on your network because it can and will encrypt anything it has access to...

See: http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

Information stating that Flame or Stuxnet can spread over a network is readily available via a cursory search of the Internet/Wikipedia. No one here is a malware expert (except maybe the guy who works for ESET), we all just googled and looked before posting. You'd be able to find the same information yourself if you searched before asking. For example, that Cryptolocker isn't a virus, but that you shouldn't be using NAT, sharing folders, or having it on your network because it can and will encrypt anything it has access to...

See: http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

What are the safest options for VMware/VirtualBox for Cryptolocker testing?

I would just say to be careful. You have shown that you aren't fully informed, and so I worry that any video you made would also be missing some info - and I think sometimes believing you are safe without actually being safe is dangerous!

Secondly, just a thought - is anyone going to take security advice from someone with the word "HAXOR" in their name?

What are the safest options for VMware/VirtualBox for Cryptolocker testing?

As with any malware: having networking completely disabled and not having any shared folders between the systems.

This post I recently wrote gives a thorough overview of the different network configuration options for VMs, specifically VMware, and discusses potential threats from a point of view of whether or not it is a good idea to install software patches in them (original question in thread).

With NAT mode, malware (or an actual attacker who's gained access) will absolutely be able to reach out and communicate with other computers and thus spread if it has the capability to do so. The list of targets that it could potentially communicate with and attack includes all other VMs up and running in NAT mode (NAT offers no protection for the VMs within the virtual LAN), all VMs running in bridged mode, your host OS, anything accessible on your physical LAN, and any publicly accessible host out on the internet. Whether or not those hosts will get infected depends on the malware having the capability to distribute itself, whether the architecture is compatible for exploitation by that malware, configuration, whether particular patches are installed or missing and what security products may get in the way.

Your NIS package I would expect should hopefully be guarding your system from attacks incoming via not just the physical adapter, but the virtual adapters also, so your host OS should be relatively safe in some respects. Other systems listed above might be vulnerable though. It would be wise to isolate the VM from all networks when playing with malware.

Well, just put it this way, a strict NAT connection isn't going to give the client access to the host; however, you need to make sure there is no connection from the client to the host (shared folders, drives, etc). If you network both client and host, then all bets are off.

But I agree with what others are saying. If you're not sure as to what will happen, then you might want to reconsider. You can't really teach people about this stuff if you're not even sure.

What? The NAT option for the VM isn't going to do anything at all to stop the guest OS reaching out and communicating with other systems / the host OS.

Also, note that as I explained in the post I linked to, with a VM in NAT mode there are multiple paths between the guest OS and another host. There's a direct connection with all other NAT based guest OSs via the virtual LAN; there's a direct connection to the host OS via the virtual LAN (VMnet8 virtual adapter in host OS), and there's the virtual NAT service through which anything out on the physical LAN (including the host OS) or the internet can be reached. All of this is covered in the post I linked to above.

What are the safest options for VMware/VirtualBox for Cryptolocker testing?

To completely isolate the VM of course. Either remove any network adapters from the VM or at least tick the option to have it disabled on start, and make sure that there are no shares or anything set up to the host OS. Understand that if there is a vulnerability in the VM software itself, this could potentially result in your host OS getting compromised by a piece of malware that exploits such a vulnerability regardless of this.

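One way to check the isolation advice in the post above against a VMware guest's .vmx file, as an added example that is not part of any post in this thread: it flags virtual network adapters and shared folders still defined for the guest. The sample configuration is constructed, and the defaults used for missing keys (bridged, connected at power-on, share enabled) are assumptions.

```python
import re

# Constructed sample .vmx (not from the thread): one NAT adapter, one adapter
# left in place but disconnected at power-on, and one shared folder.
SAMPLE_VMX = '''\
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet1.startConnected = "FALSE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "/home/me/Videos"
'''

LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
DEVICE = re.compile(r'^(ethernet|sharedfolder)\d+$')

def parse_vmx(text):
    """Return {lower-cased key: value} for every key = "value" line."""
    return {m.group(1).lower(): m.group(2)
            for m in map(LINE.match, text.splitlines()) if m}

def is_true(cfg, key, default):
    return cfg.get(key, default).strip().lower() == "true"

def audit_isolation(text):
    """List (device, finding, detail) for each guest path to host or network."""
    cfg = parse_vmx(text)
    findings = []
    for dev in sorted({k.split(".")[0] for k in cfg}):
        if not DEVICE.match(dev) or not is_true(cfg, dev + ".present", "false"):
            continue
        if dev.startswith("ethernet"):
            # Assumed defaults when a key is absent: bridged, connected at start.
            mode = cfg.get(dev + ".connectiontype", "bridged")
            live = is_true(cfg, dev + ".startconnected", "true")
            state = "connected" if live else "disconnected-at-start"
            findings.append((dev, state, mode))
        elif is_true(cfg, dev + ".enabled", "true"):  # assume enabled if unset
            findings.append((dev, "host-share", cfg.get(dev + ".hostpath", "?")))
    return findings

if __name__ == "__main__":
    for finding in audit_isolation(SAMPLE_VMX):
        print(*finding)
```

An empty result means no adapter or share is defined; a "disconnected-at-start" adapter is the weaker of the two options the post gives, since it can be reconnected while the guest is running.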

I would just say to be careful. You have shown that you aren't fully informed, and so I worry that any video you made would also be missing some info - and I think sometimes believing you are safe without actually being safe is dangerous!

Secondly, just a thought - is anyone going to take security advice from someone with the word "HAXOR" in their name?

It's just a cool username :P

It's just a cool username :p

Off topic, but I do think everyone here is probably rolling their eyes at it. I automatically assume that anyone using haxxor, haxor, or hacker doesn't know anything about hacking in either the mainstream or subcultural contexts.

If it's tongue-in-cheek referencing movies like "Hackers" with "ZeroCool" then maybe ;)

THAT MOVIE. oh my god... that movie...

Keep your virus lab off your main network, physically. If you want to tinker you should have no path back to anything that is important.

I automatically assume that anyone using haxxor, haxor, or hacker doesn't know anything about hacking in either the mainstream or subcultural contexts.

Exactly where I was coming from. "Haxor" conjures images of a kid creating an "Are you gay" winform where the "no" button moves on mouseover...

Hello,

When I recorded these types of videos I use a dedicated PC and wipe the drive when done.

You certainly should not be running malware inside a virtual machine, since a lot of malware behaves differently under them. You certainly should not be using a PC you use for other activities.

You might want to start working on building out your malware research lab first before you begin recording your videos. You can use any old PC as your "sacrificial goat" system: Most malware runs fine on computers that meet the minimum system requirements for the targeted operating system(s).

Regards,

Aryeh Goretsky

Hello,

When I recorded these types of videos I use a dedicated PC and wipe the drive when done.

So do you use dedicated external hardware to record your videos? Because I would highly recommend that to the OP...

The moment you plug in a flash drive to copy off the video, that flash drive is potentially compromised.

So do you use dedicated external hardware to record your videos? Because I would highly recommend that to the OP...

The moment you plug in a flash drive to copy off the video, that flash drive is potentially compromised.

:laugh: In the case of the viruses he listed, the primary mode of infection was via USB thumb drives...

Hello,

When I recorded these types of videos I use a dedicated PC and wipe the drive when done.

You certainly should not be running malware inside a virtual machine, since a lot of malware behaves differently under them. You certainly should not be using a PC you use for other activities.

You might want to start working on building out your malware research lab first before you begin recording your videos. You can use any old PC as your "sacrificial goat" system: Most malware runs fine on computers that meet the minimum system requirements for the targeted operating system(s).

Regards,

Aryeh Goretsky

I don't have any .doc, .docx, .png, .txt, etc. files on my main PC, which CL targets. But my PC is in a Wi-Fi network...

:laugh: In the case of the viruses he listed, the primary mode of infection was via USB thumb drives...

I know Flame used to spread via Windows Update...

So do you use dedicated external hardware to record your videos? Because I would highly recommend that to the OP...

The moment you plug in a flash drive to copy off the video, that flash drive is potentially compromised.

I do have an extra computer, but its OS is messed up. Not by viruses, but by my mom closing it when it was installing. Anyone know how to fix this with a Win XP ISO and a USB?

This topic is now closed to further replies.