Malware Detonation Use-Case

[obilodeau]

I'm trying to make it easier to execute malware not only debugging or reverse-engineering it.

The idea came from someone unfamiliar with malware that I saw install a malboxes VM and execute malware thinking it was safe. However, the default networking with NAT worries me. Malware could do a bunch of stuff network-wise that would be damaging and it can be unclear to the user.

[obilodeau]

Today I experimented with sealing the NAT and opening a vboxnet0 host-only adapter. Problem is we would need another VM (or complex layer-2/3 bridging setup) to act as a router.

One non-negligible advantage of such a setup is the ability to run wireshark from the host.

[ProtoDroidBot]

Apologies for my first comment ever on GitHub, still getting used to the commenting interface.

For this malware detonation use-case, I went with a hybrid of Cuckoo Sandbox and malboxes on Ubuntu 16.04. Network routing from the VM to host went through vboxnet0 which iptables helped to NAT out to the internet (eth0 / wlan0 to vboxnet0 or something similar). The main issue with this method is your rules on iptables would be removed on every reboot, unless you have the iptables-persistent package installed and configured.

Finally, I was looking at how to get IP Forwarding done on a Windows host machine with Malboxes. Some tutorials out there seem to point to a specific "router" registry key or a service though I don't think this is practical long term. Another practical solution is to have a dedicated Windows Server host acting as a sort of router and have malboxes on it to spin VM's up.

[obilodeau]

Right, I realize now that this issue relates to #112. Thanks @ProtoDroidBot for letting me know on gitter.