BillClark22
Contributor

Guide for creating virtual sandbox for testing website-based infections

I have a staff member that appears to have had their PC affected with some type of keylogger.  I have the website address from an email that they think is what caused the issue.  I want to test this site (and others in the future) but want to do it as securely as I can.  I've been reading on creation of sandboxes using VMware workstation, but they all deal with existing files, how would I be able to maintain an internet connection in my virtual sandbox to test suspicious weblinks?  I would like to be able to create a virtual machine running XP or Windows 7, have it be able to have webaccess, but prevent any leakage to the host system.  Is this possible?  Thanks.

Bill

4 Replies
WoodyZ
Immortal

This has been covered before so a search of the forums or Google is in order.

If one needs to ask how to play with fire without getting burnt, it's probably best if one doesn't play with fire to begin with!

BillClark22
Contributor

WoodyZ:  You know, I have researched this and seen it has been covered in varying degrees but not completely or in the method I need.  So if you are just going to troll forums and post your snarky replies, don't waste my time.  I have almost 20 years of IT experience so I DO know what I'm messing with, but don't know everything, hence the posting on a SUPPORT FORUM.  So again, quit trolling unless you are going to actually offer help.

WoodyZ
Immortal

First of all this is not VMware Support nor a "Support Forum"; it's a Discussion Forum, hence the Start a Discussion button and not a Create a Support Request button/link.  Secondly, I didn't mean my comment to be snarky but cautionary, and I can't help it if you chose to take it any other way!  That said, I have yet to see any one post or discussion, document and/or guide that covers all aspects of properly hardening a system, physical or virtual, and you'll need to glean the total picture from multiple sources just like with any other complex subject/topic.  Then if you choose you can put together a more comprehensive guide to share, and since you have "almost 20 years of IT experience" it shouldn't be too difficult to do.

Hardening a Virtual Machine is basically no different than hardening a Physical Machine, so act accordingly and also uninstall VMware Tools in the Guest OS (or don't install them in the first place if creating a new VM).

FWIW I use a separate physical system on a separate LAN Subnet that cannot communicate with the rest of my network and run Live OSes from a CD/DVD with a USB Thumb-drive for storage to do this sort of testing; however, I do at times use a VM, but the same applies: isolate the IP Address and have no other connectivity. In other words, the Host's NIC is set for VMware Bridge Protocol only so the Host isn't connected to the LAN by a Host IP Address, etc.  But all of this is covered in the many forum posts and on Google, so really nothing new here than what I've already read before.

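A check for the kind of guest-to-host isolation WoodyZ describes, as an added example that is not from this thread or from VMware: it parses a VMware Workstation .vmx file and reports settings that leave a channel from the guest to the host open (clipboard, drag-and-drop, shared folders, a NIC that rides the host's network stack). The `isolation.tools.*`, `sharedFolder.maxNum` and `ethernet0.connectionType` keys are real Workstation options; the sample .vmx content and the finding text are constructed. The host-side NIC binding he mentions (VMware Bridge Protocol only) lives outside the .vmx and is not checked here.

```python
import re

# Constructed sample: a default-looking .vmx with clipboard, drag-and-drop
# and shared folders still enabled and the NIC on NAT. Not a real file.
SAMPLE_VMX = '''
.encoding = "UTF-8"
displayName = "weblink-test-xp"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\\\Users\\\\analyst\\\\share"
isolation.tools.copy.disable = "FALSE"
'''

# VMware Tools channels that must be disabled (value TRUE) in a test guest.
REQUIRED_TRUE = {
    "isolation.tools.copy.disable": "guest can write to the host clipboard",
    "isolation.tools.paste.disable": "host clipboard can be pasted into the guest",
    "isolation.tools.dnd.disable": "drag-and-drop between guest and host is on",
    "isolation.tools.hgfsServerSet.disable": "shared-folder (HGFS) server is on",
}

LINE_RE = re.compile(r'^\s*([\w.]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the key = "value" lines of a .vmx as a dict (keys lower-cased)."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit_vmx(text):
    """Return a list of findings, one per open guest-to-host path."""
    cfg = parse_vmx(text)
    findings = []
    for key, why in REQUIRED_TRUE.items():
        if cfg.get(key.lower(), "FALSE").upper() != "TRUE":
            findings.append(f"{key} is not TRUE: {why}")
    shared = [k for k, v in cfg.items()
              if k.startswith("sharedfolder") and k.endswith(".present") and v.upper() == "TRUE"]
    if cfg.get("sharedfolder.maxnum", "0") != "0" or shared:
        findings.append("shared folders configured: host file system reachable from guest")
    if cfg.get("ethernet0.present", "FALSE").upper() == "TRUE":
        ctype = cfg.get("ethernet0.connectiontype", "bridged")
        if ctype != "bridged":
            findings.append(f"ethernet0 is {ctype}: guest traffic passes through the host network stack")
    return findings
```

A clean run returns an empty list; the sample above produces six findings, which is what a stock Workstation guest looks like before hardening.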
Bernd_Nowak
Hot Shot

Woody, your answer might help him, because I would suspect that the only real safe way is a physical machine with a live CD/DVD. Can't see why it's important to try to "decode" the malware, but anyway. I would set up a physical machine with a Linux live CD/DVD and use something to see what a site tries to load. But while you can maybe see some Java or Flash stuff, most of the time it's not that easy to see the real code because it's encapsulated.

This is the reason most AV solutions can't detect it anymore. Times have changed greatly.

A VM (vendor independent) can be detected. BIOS and graphics card are a good way to see this. And there may exist code to bypass the VM restrictions. That's why I would prefer a separate physical host.
