Is it safe to install malware in virtual machines? I would like to investigate malware, but I don't want to infect my own computer.
Can I install the malware in a VMWare VM, maybe even without network access, without risking the integrity of my host system?
There is no simple answer to this question. VM software is still software and has vulnerabilities that can be targeted and thus, in theory at least, exploited to do more harm.
Running an infected VM with access to your network also opens up potential attack vectors.
Another interesting point to consider is that sufficiently advanced malware could be VM-aware and modify it's behavior when it detects that it's running inside a VM, masking the actual harm-causing capabilites.
I have not yet seen any in-the-wild malware that was designed to infect a host machine from within a VM. I expect that most malware simply wouldn't care whether it is running on the bare hardware or within a VM since it can achieve its goals equally well in both cases. It's probably safe to assume that malware won't escape a VM simply because it has no incentive to do so.
There are tools designed for containing and analysing malware and lots of information available on how to do this. Also a couple of papers with techniques and tools.
Yes, if you strictly bond yourself to some (absolutely sane) security rules:
Use a completely different operating system for the host and for the guest. For example, malwares which will infect your Windows guest are unlikely to infect or even attack your Linux host.
Do not use similar operating systems on your network than the guest. Again, your Windows guest could be infected, but an OpenBSD is highly unlikely to be attacked by any malware.
Use common sense. The goal of the virtualized system should be entirely to be infected. Do not use the infected system, for example, to your online banking operations.
Know your limits. This is extremely important. Whenever it is suspicious that other malware appeared on your system than the specific malware under investigation, immediately finish your experiment, and start over.
The first two points of the list will - certainly - almost guarantee that a security flaw in your virtualization system wouldn't harm your other machines.
The only possible way might be exploiting a bug within the VM software because everything the VM does is catching events like I/O and hand it over to the host machine. If your vendor didn't take care about bufferoverflows here and there, you probably could execute hazardous code on the host machine. BUT! I'm actually not 100% sure.
If you are working on linux like ubuntu or debian there is a great sandbox named limon sandbox.The paper can be found here https://www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox-wp.pdf and if you want a good explanation for installation then please follow here http://malware-unplugged.blogspot.in/2015/11/setting-up-limon-sandbox-for-analyzing.html
I just want to add an information to make you more be careful of this issue than other answers (without diminishing their value) outlined.
A researcher said:
Companies and administrators tend to trust that breaking out of a VM is not possible. A lot of people consider this to be just another proof-of-concept. They don't understand that is a commercially available exploit.
The subject is so serious that commercial tools such as this one have already been developed in the past for this purpose.
