Did you enable the Remote Display server as explained in Part 4? I know, you say that you’ve followed the tutorial, but just make sure that you’ve ticked that box.

Also, you may want to check your Windows Firewall settings (which may not allow RDP connections to a non-standard port or any RDP connections at all).

Hope this helps,
Manuel

I understand the impllications of using vms for observing malware and would consider myself prepared. And no I’m a malware tester not some skiddie user
I am considering making use of virtualbox’s internal networking for isolation instead of vlans, but to no avail (guest os doesn’t see the virtualbox internal Intel NIC) .
Since i’m not knowledgeable enough nor do i know if this is the anwser, I’ll just wait and see what you make of the test results first.

Ciao

Thank you for stopping by. I’m glad you found this tutorial helpful. To answer to one of your questions from the first post: I am not sure whether VLAN tagging would be of much help anyway; it has not been designed as a security measure and it is exposed to malware that propagates through VLAN hopping. VLANs seem to be trusted too much when it is about network security. Better think security in depth, rather than through segmentation.

I will take a closer look at your tests and what you are trying to achieve and then come back with a more comprehensive answer. The problem would be similar to a physical lab in the end, so the same defense principles apply, thus it is worth considering.

To put it right, with VMs you are at risk of ‘leaks’ anyway, as a principle. I.e. can you know for sure that some malware you are playing with doesn’t exploit a 0-day vulnerability in VirtualBox / VMware, and thus bypass the sandbox other way than through the network? Some worms can be really good at identifying whether they are running within a virtual machine, and thus look for exploits (for instance, the I/O ports used for communication with the host could be a target). Or they may render your testing redundant by deactivating themselves.

The days before Christmas are quite busy, and to a certain extent you are right – this blog is not my main concern right now – but I’ll get back to you within a couple of days.

Merry malware testing

http://i.imgur.com/9hNza.jpg

To make sure that the vm cannot communicate with the host I initiated ping tests, while temporarily disabling the firewalls on both systems as to not distort the results.

First Set of Tests:
xp vm has only (1) and also primary NIC set to use the WAN wirless interface in bridged mode.

-xp vm cannot ping Host
-Host can ping xp wm
-PF can ping host only on LAN – host ip also falls in a different range than when traffic was normal
-PF can ping xp vm on both the LAN and WAN <- which confuses me since I thought that the xpvm was supposed to be considered as only on the WAN side of PF since I didn't configure for it to use the loopback interface.

Second Set of Tests:
xp vm is set to use 2 NICs; The primary WAN which is bridged ot the wireless card and also the MS loopback for LAN as the second interface.

-xp vm CAN ping host
-host can ping xp vm
-PF can only ping host on LAN as case above
-PF still can ping xp vm on both LAN and WAN

– Can I correctly assume that the configuration described in the first test ensures that the vm cannot talk to my host by any means? What throws me off is that PF sees the guest OS appears to be responding from both sides of the firewall, while the guest's communication is only one sided as in the case of Test 1.

If you have no desire to explain this, please let me know. I've posted this question on various forums (including pfsense) and never got any feedback. Then I thought it would be best to ask you here, even though I thought that you stopped writing for a while. Since my comment appeared you appear to regularly check on your site so you've probably seen my question.

This seems very complicated and I'm about to give up.

How should I set up the adapters for the guest OS so that it cannot communicate to the host? I’ve asked other questions in this topic that I’m curious about and can’t seem to figure out: http://www.sandboxie.com/phpbb/viewtopic.php?t=12103

Its important for traffic to be separated because I tend to test malware in the guest OS and would need to ensure that there is no possibility for cross contamination through netwroking. Is the only way to accomlish this through VLANs? Does there have to be hardware support for VLAN tagging for this to work? Please post instructions on how I could go about doing this or even a tutorial would be very much appreciated.