Network Settings for Malware analysis

FiTi
Posts: 3
Joined: 1. Apr 2021, 14:47

Network Settings for Malware analysis

Post by FiTi »

Hello guys,
So I want to test some live malware, including network worms, in my Windows virtual machine.
The problem I am facing is that I am not sure which network settings I should use.

Many of the guides I have stumbled on are telling me to turn off the network of the virtual machine, however there is some malware that will need a working internet connection, otherwise the malware will not work.
Is there a way to make it so my virtual machine cannot communicate with other devices on my network, but at the same time has an internet connection?
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Network Settings for Malware analysis

Post by mpack »

NAT mode should do that for you.
FiTi

Re: Network Settings for Malware analysis

Post by FiTi »

mpack wrote:NAT mode should do that for you.
Thank you for your reply, however I am still struggling to understand how this works.
If I test malware on my VM and I have the network settings on NAT, which means it has access to all my LAN devices, how is it going to prevent a network worm from infecting every other computer it finds on my LAN?

I can still see my ICMP traffic (VM to host) in Wireshark, which means that any packet (including network worms) should be able to reach my host PC?
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Network Settings for Malware analysis

Post by scottgus1 »

How NAT works is shown here: Virtualbox Networks: In Pictures: NAT
NAT acts like a router, which does allow access via IP address to the LAN.

To completely block the LAN but allow internet, you'll need a router/firewall VM between your malware VM and the host. See Virtualbox Networks: In Pictures: "Sandbox"
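Added example (not from the thread or from VirtualBox) of the forwarding policy such a router/firewall VM would enforce: traffic from the malware VM to the host LAN and every other private range is dropped, public destinations are masqueraded out. Assumptions not in the original: the malware VM sits on a VirtualBox internal network with the gateway on 10.0.3.0/24, the gateway's inside NIC is eth1, its outside NIC (NAT or bridged) is eth0, and the gateway runs nftables. The 192.168.0.0/24 LAN is the one from scottgus1's test above; the probe targets are constructed.

```python
"""Forwarding policy for a gateway VM placed between the malware VM and the host.

Assumptions (not from the thread): internal network 10.0.3.0/24, inside NIC eth1,
outside NIC eth0, nftables on the gateway. LAN 192.168.0.0/24 is from the thread.
"""
import ipaddress
import socket
from typing import Dict, Iterable, Sequence, Tuple

INSIDE_IF = "eth1"                                   # malware VM side (assumption)
OUTSIDE_IF = "eth0"                                  # internet side (assumption)
MALWARE_NET = ipaddress.ip_network("10.0.3.0/24")    # internal network (assumption)

# Destinations the gateway must never forward for the malware VM: the host LAN
# and every other private/special IPv4 range. A worm scanning 192.168.0.0/24
# gets nothing, while a public address (update server, C2) stays reachable.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 (covers 192.168.0.0/24)
    "169.254.0.0/16",                                  # link-local
    "127.0.0.0/8",                                     # loopback
    "224.0.0.0/4", "255.255.255.255/32",               # multicast / broadcast
)]


def decision(dst: str, blocked: Iterable[ipaddress.IPv4Network] = BLOCKED_NETS) -> str:
    """'drop' if the gateway must not forward malware-VM traffic to dst, else 'accept'.
    Mirrors the nftables rules rendered below (IPv6 never leaves the sandbox)."""
    addr = ipaddress.ip_address(dst)
    if addr.version != 4:
        return "drop"
    return "drop" if any(addr in net for net in blocked) else "accept"


def render_nft(blocked: Iterable[ipaddress.IPv4Network] = BLOCKED_NETS,
               inside: str = INSIDE_IF, outside: str = OUTSIDE_IF) -> str:
    """Render the gateway's nftables ruleset. Default policy is drop, so LAN-bound
    traffic and anything arriving unsolicited from outside is discarded; only
    inside->outside to non-blocked IPv4 destinations (and its replies) passes."""
    blocked_set = ", ".join(str(n) for n in blocked)
    return f"""table inet sandbox {{
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "{inside}" oifname "{outside}" meta nfproto ipv6 drop
        iifname "{inside}" oifname "{outside}" ip daddr {{ {blocked_set} }} drop
        iifname "{inside}" oifname "{outside}" accept
    }}
}}
table ip sandbox_nat {{
    chain postrouting {{
        type nat hook postrouting priority 100;
        oifname "{outside}" masquerade
    }}
}}
"""


def probe_tcp(targets: Sequence[Tuple[str, int]], timeout: float = 2.0) -> Dict[Tuple[str, int], bool]:
    """Run from inside the malware VM before detonating a sample: every LAN target
    should come back False and a public target True, or the sandbox is leaking."""
    results: Dict[Tuple[str, int], bool] = {}
    for host, port in targets:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[(host, port)] = True
        except OSError:
            results[(host, port)] = False
        finally:
            s.close()
    return results


if __name__ == "__main__":
    print(render_nft())
    # Constructed targets: host, file server, VirtualBox NAT gateway, a public resolver.
    for dst in ("192.168.0.116", "192.168.0.117", "10.0.2.2", "8.8.8.8"):
        print(dst, decision(dst))
```

Load the rendered ruleset on the gateway with `nft -f`, enable IPv4 forwarding there, and point the malware VM's default route at the gateway's inside address; `probe_tcp` is the check to run from the malware VM afterwards.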
mpack

Re: Network Settings for Malware analysis

Post by mpack »

scottgus1 wrote: NAT acts like a router, which does allow access via IP address to the LAN.
Are you sure about that?

The NAT network (not to be confused with the "NAT network" network) is separate from the host LAN, it has completely separate addressing. I don't see how it's possible to access host LAN devices if you can't address them.
scottgus1

Re: Network Settings for Malware analysis

Post by scottgus1 »

mpack wrote:Are you sure about that?
Fairly, though I may be overrating what I have seen.

Just to test again I spun up a Windows 7 VM set to NAT on my Windows 10 host. I got the typical 10.0.2.15 IP address in the VM. My host is at 192.168.0.116, and my file server is at 192.168.0.117.

Inside the VM I was able to ping both the 192.168.0.1 LAN router and my .116 host and .117 file server. Then in File Explorer I entered in the address bar \\192.168.0.116 and after entering credentials * got write access to the host's shared folders. Same worked for the file server at \\192.168.0.117.

I also tried a quick webserver on each computer and could get the web page in the VM by entering the computer's LAN IP address.

* The credentials part might be the official block to passing "virused" files, but I am not sure if WannaCry required credentials to be in place. NAT did not prevent the connection, though.
FiTi

Re: Network Settings for Malware analysis

Post by FiTi »

mpack wrote:
scottgus1 wrote: NAT acts like a router, which does allow access via IP address to the LAN.
Are you sure about that?

The NAT network (not to be confused with the "NAT network" network) is separate from the host LAN, it has completely separate addressing. I don't see how it's possible to access host LAN devices if you can't address them.

Yeah, I am able to ping my phone and other devices from my VM.

@scottgus1 thanks for your answer.
JustinH
Posts: 106
Joined: 6. Aug 2015, 05:09

Re: Network Settings for Malware analysis

Post by JustinH »

scottgus1 wrote:
mpack wrote:Are you sure about that?
Fairly, though I may be overrating what I have seen.

Just to test again I spun up a Windows 7 VM set to NAT on my Windows 10 host. I got the typical 10.0.2.15 IP address in the VM. My host is at 192.168.0.116, and my file server is at 192.168.0.117.

Inside the VM I was able to ping both the 192.168.0.1 LAN router and my .116 host and .117 file server. Then in File Explorer I entered in the address bar \\192.168.0.116 and after entering credentials * got write access to the host's shared folders. Same worked for the file server at \\192.168.0.117.
Wowza! I didn't realize this. Does this mean computers on the LAN could talk to a NAT-ed VM? Or is it one way only?

Thanks for sharing!
scottgus1

Re: Network Settings for Malware analysis

Post by scottgus1 »

NAT acts like a router. The way I have seen things behave, the NAT-connected VM has full access to internet and the LAN. For all intents and purposes, the LAN is part of the VM's internet.

Internet and LAN can access the VM through opened ports. See the link above.
mpack

Re: Network Settings for Malware analysis

Post by mpack »

JustinH wrote: Wowza! I didn't realize this. Does this mean computers on the LAN could talk to a NAT-ed VM? Or is it one way only?
Apparently the VM has access to a gateway that I was unaware of. That means that the VM will receive replies from locations (on the other side of the gateway) it has recently addressed. Unsolicited packets will be unroutable, so they won't reach the VM.
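Added example, not VirtualBox's NAT implementation, modelling the behaviour described in the two posts above (scottgus1's "access through opened ports" and mpack's "replies only to locations recently addressed"): an outbound connection from the guest creates a mapping, the peer's reply is matched to it and delivered, unsolicited packets to the host are dropped, and an explicitly opened port (in VirtualBox, a `VBoxManage modifyvm <vm> --natpf1 ...` rule) lets the LAN in. The addresses are the ones from the thread; the packet tuples in `scenario()` are constructed, and the "reply must come from the peer the guest talked to" check is a simplification, not a statement about VirtualBox's engine.

```python
"""Toy model of NAT connection tracking with the thread's addresses.

Added example; the session table and peer check are a simplification and the
packets in scenario() are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GUEST_IP = "10.0.2.15"      # typical VirtualBox NAT guest address (from the thread)
HOST_IP = "192.168.0.116"   # host LAN address (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class NatEngine:
    host_ip: str
    next_port: int = 40000
    # (proto, guest_ip, guest_port) -> host_port
    sessions: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # (proto, host_port) -> (guest_ip, guest_port, peer_ip, peer_port)
    by_host_port: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)
    # (proto, host_port) -> (guest_ip, guest_port): explicitly opened ports
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def add_port_forward(self, proto: str, host_port: int, guest_ip: str, guest_port: int) -> None:
        self.forwards[(proto, host_port)] = (guest_ip, guest_port)

    def guest_to_outside(self, pkt: Packet) -> Packet:
        """Outbound: rewrite the source to the host's address/port and remember it.
        Nothing inspects the destination, which is why a NAT guest reaches a LAN
        box such as 192.168.0.117 as easily as a public address."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.sessions:
            hp = self.next_port
            self.next_port += 1
            self.sessions[key] = hp
            self.by_host_port[(pkt.proto, hp)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.host_ip, self.sessions[key], pkt.dst, pkt.dport, pkt.proto)

    def outside_to_guest(self, pkt: Packet) -> Optional[Packet]:
        """Inbound to the host's address: deliver to the guest only if it is a reply
        to a session the guest opened, or matches a port-forward rule. None = dropped."""
        if pkt.dst != self.host_ip:
            return None
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            g_ip, g_port = fwd
            return Packet(pkt.src, pkt.sport, g_ip, g_port, pkt.proto)
        sess = self.by_host_port.get((pkt.proto, pkt.dport))
        if sess is not None and (pkt.src, pkt.sport) == (sess[2], sess[3]):
            return Packet(pkt.src, pkt.sport, sess[0], sess[1], pkt.proto)
        return None


def scenario() -> Dict[str, Optional[Packet]]:
    """Replay the thread's observations against the model."""
    nat = NatEngine(host_ip=HOST_IP)
    # 1. The guest (a worm, say) opens SMB to the file server on the host LAN.
    out = nat.guest_to_outside(Packet(GUEST_IP, 49152, "192.168.0.117", 445))
    # 2. The file server's SYN/ACK returns to host:<mapped port> and is delivered.
    reply = nat.outside_to_guest(Packet("192.168.0.117", 445, HOST_IP, out.sport))
    # 3. The file server scanning the host on 445 is unsolicited: dropped.
    scan = nat.outside_to_guest(Packet("192.168.0.117", 50000, HOST_IP, 445))
    # 4. Another LAN box aiming at the mapped port is not the session's peer: dropped.
    spoof = nat.outside_to_guest(Packet("192.168.0.1", 445, HOST_IP, out.sport))
    # 5. After opening host:2222 -> guest:22, the LAN can reach the guest.
    nat.add_port_forward("tcp", 2222, GUEST_IP, 22)
    forwarded = nat.outside_to_guest(Packet("192.168.0.117", 50001, HOST_IP, 2222))
    return {"outbound": out, "reply": reply, "scan": scan, "spoof": spoof, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print(f"{name:9s} -> {pkt if pkt is not None else 'dropped'}")
```

The model makes the practical point of the thread concrete: NAT is a direction filter, not a LAN filter. Step 1 succeeds against a LAN address exactly as it would against an internet address, so a worm inside a NAT guest can still initiate to every host on the LAN; only the reverse direction is closed, and a port-forward rule opens even that.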