Can any of the viruses spread via NAT network in VMWare?

By CryptoHAX0R
in Smart Home, Network & Security

 Share

Recommended Posts

Rookie

CryptoHAX0R

Posted
Posted

I am planning on making videos on these 3 viruses on 3 different vm's. The VMs will be set to NAT, is that safe?

 

 

These are the viruses:

 - Cryptolocker

 - Stuxnet

 - Flame

 

So will these viruses spread to my main computer via NAT(I have norton internet security installed), or will they stay in the VM?

 

Grand Master

Dot Matrix

Posted
Posted

Well, to answer your question, no. But if you had to ask, should you be doing this in the first place?

  • +Nik Louch, Rohdekill and The Evil Overlord
  • Like 3
Grand Master

xendrome

Posted
Posted
  On 29/12/2013 at 23:46, CryptoHAX0R said:

I am planning on making videos on these 3 viruses on 3 different vm's. The VMs will be set to NAT, is that safe?

 

 

These are the viruses:

 - Cryptolocker

 - Stuxnet

 - Flame

 

So will these viruses spread to my main computer via NAT(I have norton internet security installed), or will they stay in the VM?

 

 

Yes, I wouldn't chance it personally I would isolate them totally and not install a Virtual NIC.

Rookie

CryptoHAX0R

Posted
  • Author
Posted
  On 29/12/2013 at 23:55, Dot Matrix said:

Well, to answer your question, no. But if you had to ask, should you be doing this in the first place?

 

There are some reasons I'm doing this:

 

1 - Fun.

2 - To teach people how to avoid them

Mentor

snaphat (Myles Landwehr) Member

Posted
  • Member
Posted
  On 30/12/2013 at 00:00, CryptoHAX0R said:

There are some reasons I'm doing this:

 

1 - Fun.

2 - To teach people how to avoid them

 

If you are unsure of their attack vectors, how you are teaching people to avoid them :laugh:

Mentor

snaphat (Myles Landwehr) Member

Posted
  • Member
Posted
  On 30/12/2013 at 00:14, CryptoHAX0R said:

I know there attacks

 

You just asked if the malware can spread to computers within the same network so if you were familiar with the attack vectors of each of those pieces of malware then why would you be asking about this?

 

The point is, if you aren't familiar with how the malware spreads then it is going to be difficult to teach people to avoid the malware or avoid spreading it yourself --> read as: you probably shouldn't be installing the malware.

  • DConnell and Albert
  • Like 2
Grand Master

Dot Matrix

Posted
Posted

Well, just put it this way, a strict NAT connection isn't going to give the client access to the host, however you need to make sure there is no connection from the client to the host (shared folders, drives, etc). If you network both client and host, then all bets are off. 

 

But I agree with what others are saying. If you're not sure as to what will happen, then you might want to reconsider. You can't really teach people about this stuff if you're not even sure. 

Mentor

snaphat (Myles Landwehr) Member

Posted
  • Member
Posted
  On 30/12/2013 at 00:49, CryptoHAX0R said:

Is cryptolocker safe to test without shared folder, with NAT, etc. I just haven't heard about Flame or S.net spreading via networks

 

Information stating that Flame or stuxnet can spread over a network is readily available via a cursory search of the Internet/Wikipedia. No one here is a malware expert (except maybe the guy who works for ESET), we all just googled and looked before posting. You'd be able to find the same information yourself if you searched before asking. For example, that Cryptolocker isn't a virus, but that you shouldn't be using NAT, sharing folders, or having it on your network because it can and will encrypt anything it has access to...

 

See: http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

Rookie

CryptoHAX0R

Posted
  • Author
Posted
  On 30/12/2013 at 01:24, snaphat (Myles Landwehr) said:

Information stating that Flame or stuxnet can spread over a network is readily available via a cursory search of the Internet/Wikipedia. No one here is a malware expert (except maybe the guy who works for ESET), we all just googled and looked before posting. You'd be able to find the same information yourself if you searched before asking. For example, that Cryptolocker isn't a virus, but that you shouldn't be using NAT, sharing folders, or having it on your network because it can and will encrypt anything it has access to...

 

See: http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

Whats the safest options for VMware/Virtualbox for Cryptolocker testing?

Grand Master

+Nik Louch Subscriber²

Posted
  • Subscriber²
Posted

I would just say to be careful.  You have shown that you aren't fully informed, and so I worry that any video you made would also be missing some info - and I think sometimes believing you are safe without actually being safe is dangerous!

 

Secondly, just a thought - is anyone going to take security advice from someone with the word "HAXOR" in their name?

  • snaphat (Myles Landwehr) and Albert
  • Like 2
Mentor

snaphat (Myles Landwehr) Member

Posted
  • Member
Posted
  On 30/12/2013 at 01:31, CryptoHAX0R said:

Whats the safest options for VMware/Virtualbox for Cryptolocker testing?

 

As with any malware: having networking completely disabled and not having any shared folders between the systems.

Grand Master

+theblazingangel MVC

Posted
  • MVC
Posted

This post I recently wrote gives a thorough overview of the different network configuration options for VMs, specifically VMware and discusses potential threats from a point of view of whether or not it is a good idea to install software patches in them (original question in thread).

With NAT mode, malware (or an actual attacker who's gained access) will absolutely be able to reach out and communicate with other computers and thus spread if it has the capability to do so. The list of targets that it could potentially communicate with and attack includes all other VMs up and running in NAT mode (NAT offers no protection for the VMs within the virtual LAN), all VMs running in bridged mode, your host OS, anything accessible on your physical LAN, and any publicly accessible host out on the internet. Whether or not those hosts will get infected depends on the malware having the capability to distribute itself, whether the architecture is compatible for exploitation by that malware, configuration, whether particular patches are installed or missing and what security products may get it the way.

Your NIS package I would expect should hopefully be guarding your system from attacks incoming via not just the physical adapter, but the virtual adapters also, so your host OS should be relatively safe in some respects. Other systems listed above might be vulnerable though. It would be wise to isolate the VM from all networks when playing with malware.

  On 30/12/2013 at 00:33, Dot Matrix said:

Well, just put it this way, a strict NAT connection isn't going to give the client access to the host, however you need to make sure there is no connection from the client to the host (shared folders, drives, etc). If you network both client and host, then all bets are off.

But I agree with what others are saying. If you're not sure as to what will happen, then you might want to reconsider. You can't really teach people about this stuff if you're not even sure.

What? The NAT option for the VM isn't going to do anything at all to stop the guest OS reaching out and communicating with other systems / the host OS.

Also, note that as I explained in the post I linked to, with a VM in NAT mode there are multiple paths between the guest OS and another host. There's a direct connection with all other NAT based guest OSs via the virtual LAN; There's a direct connection to the host OS via the virtual LAN (VMnet8 virtual adapter in host OS), and there's the virtual NAT service through which anything out on the physical LAN (including the host OS) or the internet can be reached. All of this is covered in the post I linked to above.

 

  On 30/12/2013 at 01:31, CryptoHAX0R said:

Whats the safest options for VMware/Virtualbox for Cryptolocker testing?

To completely isolate the VM of course. Either remove any network adapters from the VM or at least tick the option to have it disabled on start, and make sure that there are no shares or anything setup to the host OS. Understand that if there is a vulnerability in the VM software itself, this could potentially result in your host OS getting compromised by a piece of malware that exploits such a vulnerability regardless of this.

Rookie

CryptoHAX0R

Posted
  • Author
Posted
  On 30/12/2013 at 01:32, Nik L said:

I would just say to be careful.  You have shown that you aren't fully informed, and so I worry that any video you made would also be missing some info - and I think sometimes believing you are safe without actually being safe is dangerous!

 

Secondly, just a thought - is anyone going to take security advice from someone with the word "HAXOR" in their name?

Its just a cool username :P

Mentor

snaphat (Myles Landwehr) Member

Posted
  • Member
Posted
  On 30/12/2013 at 01:46, CryptoHAX0R said:

Its just a cool username :p

 

off topic, but I do think everyone here is probably rolling their eyes at it. I automatically assume that anyone using haxxor, haxor, or hacker doesn't know anything about hacking in either the mainstream or subcultural contexts.

 

 
  On 30/12/2013 at 01:48, Nik L said:

If it's tongue-in-cheek referencing movies like "Hackers" with "ZeroCool" then maybe  ;)

 

 

THAT MOVIE. oh my god... that movie...

Grand Master

+Nik Louch Subscriber²

Posted
  • Subscriber²
Posted
  Quote
 I automatically assume that anyone using haxxor, haxor, or hacker doesn't know anything about hacking in either the mainstream or subcultural contexts.

 

Exactly where I was coming from.  "Haxor" conjures images of a kid creating a "Are you gay" winform where the "no" button moves on mouseover...

Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

 

When I recorded these types of videos I use a dedicated PC and wipe the drive when done. 

 

You certainly should not be running malware inside a virtual machine, since a lot of malware behaves differently under them.  You certainly should not be using a PC you use for other activities.

 

You might want to start working on building out your malware research lab first before you begin recording your videos.  You can use any old PC as your "sacrificial goat" system:  Most malware runs fine on computers that meet the minimum system requirements for the targeted operating system(s).

 

Regards,

 

Aryeh Goretsky

  • +Nik Louch and Ambroos
  • Like 2
Veteran

rfirth

Posted
Posted
  On 30/12/2013 at 05:52, goretsky said:

Hello,

 

When I recorded these types of videos I use a dedicated PC and wipe the drive when done. 

 

So do you use dedicated external hardware to record your videos? Because I would highly recommend that to the OP...

The moment you plug in a flash drive to copy off the video, that flash drive is potentially compromised.

Mentor

snaphat (Myles Landwehr) Member

Posted
  • Member
Posted
  On 30/12/2013 at 06:26, rfirth said:

So do you use dedicated external hardware to record your videos? Because I would highly recommend that to the OP...

The moment you plug in a flash drive to copy off the video, that flash drive is potentially compromised.

 

:laugh: In the case of the viruses he listed, the primary mode of infection was via USB thumb drives...

Rookie

CryptoHAX0R

Posted
  • Author
Posted
  On 30/12/2013 at 05:52, goretsky said:

Hello,

 

When I recorded these types of videos I use a dedicated PC and wipe the drive when done. 

 

You certainly should not be running malware inside a virtual machine, since a lot of malware behaves differently under them.  You certainly should not be using a PC you use for other activities.

 

You might want to start working on building out your malware research lab first before you begin recording your videos.  You can use any old PC as your "sacrificial goat" system:  Most malware runs fine on computers that meet the minimum system requirements for the targeted operating system(s).

 

Regards,

 

Aryeh Goretsky

 

I dont have any .doc, .docx, .png, .txt, etc files on my main PC, which CL targets. But my PC is in a wi-fi network...

Rookie

CryptoHAX0R

Posted
  • Author
Posted
  On 30/12/2013 at 07:31, snaphat (Myles Landwehr) said:

:laugh: In the case of the viruses he listed, the primary mode of infection was via USB thumb drives...

 

I know flame used to spread via windows update...

Rookie

CryptoHAX0R

Posted
  • Author
Posted
  On 30/12/2013 at 06:26, rfirth said:

So do you use dedicated external hardware to record your videos? Because I would highly recommend that to the OP...

The moment you plug in a flash drive to copy off the video, that flash drive is potentially compromised.

I do have an extra computer, but it's OS is messed up. Not by viruses, but by my mom closing it when it was installing. Anyone know how to fix this with a Win XP iso and a USB?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.