4

I intend to start learning how to do malware analysis and forensics, but I have a concern or two.

I want to start by just analysing code that I write myself, and that'll be fine. But at some point I'm going to want to start analysing real malware.

As is normal, I'll be analysing within a Windows VM (on a Windows host), with something like INetSim hooked in and all that.

My concern, however, is around VM escapes. How concerned, or not, should I be about VM Escapes, if I keep my VMWare Workstation up-to-date? I've looked around the internet, but the general literature out there seems to be focused a lot on enterprise/cloud VM escapes in the sense of accessing other VMs on the same physical hardware. I'm not sure how much this could apply to a non-enterprise situation, where the concern is an attack on the host, rather than on different guests.

Is this one of those cases where the malware would need to be very specifically written to escape the VM, and if I'm doing proper research on the samples I intend to analyse then it shouldn't be a concern?

I guess the other question is that, beyond the obvious disabling external internet access (i.e. putting the VMs on host-only/internal networking) as soon as the samples are downloaded, are there any other sensible precautions I should be taking?

Thanks in advance

Makcheese
  • 143
  • 4
  • It should be safe as long as you're looking at old malware. Be aware that malware can also attack your traffic analyzer software from within the VM, so you won't want to run that on your host. – user Dec 09 '19 at 19:19
  • OK, thanks. Yeah it'll mostly be old malware. Any newer malware I analyse will be ones that have already been thoroughly analysed elsewhere so I know what it'll be trying to do. As for the analysis tooling, that'll all be running from within the VM so it should be fine in that regard. – Makcheese Dec 09 '19 at 19:25
  • The only other thing I could think of is simply deleting any VMs you run the malware on quickly, and documenting which ones you're running them on. You wouldn't want to accidentially re-use a VM that's infected with something for some other, non-malware purpose. – Steve Sether Dec 09 '19 at 19:50
  • That's a good point. I'll likely just revert the VM to a snapshot after analysis every time. – Makcheese Dec 09 '19 at 20:00

1 Answers1

1

TL;DR version: You should not be worried about VM-escaping malware if you do things right - the likelihood of that is pretty low.

Having said that, the internal networking scenario you described (common virtual between host and guest) is not sufficient to protect against VM escapes in the form of worms. Most host services would listen on any network interface, including the internal virtual interface that is common with your guest. This means that malware with worming capabilities looking to exploit vulnerabilities over the network (e.g. the good old WannaCry-wannabe's gunning for EternalBlue, the new kids with BlueKeep, etc.) executed on your guest may be able to reach your host via the shared network.

The answer is simple: isolate the two as much as possible, with no common network interfaces between the host and guest.

In my years of digging through harmful code, malware capable of escaping VMs has been extremely rare - threat actors are frequently staging their attacks, with multiple downloadable components, so they don't burn all of their tools early in the chain. VM escapes come really late in the game, when the threat actor has ascertained that they are not on a honeypot or a forensic station, they are certain they have not been detected, and then and there they would initiate a next-stage download.

Most of the time malware would run checks if they are in a "sandboxed" environment, e.g. it will check for Internet connection, presence of virtualization, and several other criteria (such as the presence of meaningful files in the user's profile) - these are usually the tell-tale signs that the code is executed in a sterile "forensics" environment, and the code will simply not run. So completely cutting the Internet may also not be feasible.

It's best that you do your experiments in a completely segregated environment, but that's not always feasible, especially for the novice - the investment may be substantial.

Hope this helps!

Milen
  • 1,148
  • 6
  • 12
  • Thank you very much for the insights! That's put my mind at ease a bit. I'll have a think about how to airgap the network interfaces between the guests and the host (I hear that virtualbox has an "internal network" that is different than its Host-Only networking implementation; maybe that will be useful?) – Makcheese Dec 09 '19 at 20:30
  • @Makcheese All of the popular virtualization hosts support internal/VM networks. – user Dec 09 '19 at 20:34
  • Ah, cool, I guess I just overlooked that functionality on VMWare ha – Makcheese Dec 09 '19 at 20:36
  • @Makcheese You'll probably need to set up a custom network adapter, and have a private "LAN segment" that only the VMs will use. – user Dec 09 '19 at 20:41
  • I see, thanks very much for the help! – Makcheese Dec 09 '19 at 20:48
  • I'd suggest using a simple USB stick to share files between the two, or setup a good host firewall with very restrictive rules on the virtual network interface facing the guest. In all cases, run nmap from the guest OS and see what is exposed. Always check and verify, never assume. And keep backups of your precious data! – Milen Dec 09 '19 at 21:18
  • will do! Thanks for the suggestions. – Makcheese Dec 09 '19 at 21:25
  • @Milen if I want to get a sample from the web onto the analysis VM; would it be best to open a NAT Network from the guest to download the sample, close the connection, and then run the malware from within the (now airgapped) guest? Or would it be more sensible to download it to a USB drive attached to my host, and then transfer it to the guest via that? – Makcheese Dec 09 '19 at 21:37
  • My suggestion is to always interact with malware from the confines of the segregated environment (guest OS/forensics station). It's really easy to make a mistake and press Enter or click on the wrong thing from your host! The NAT option is better, so I retract my USB advice - someone (e.g. a family member) may pick it up to transfer some family pics, and they may be exposed to nasty stuff without suspecting this is something dangerous. So NAT is the better option. – Milen Dec 09 '19 at 21:44
  • Yeah, that's what I was thinking; keep the malware as far as gosh darned possible away from the host :) Anyway, thanks for humouring my novice questions. Just want to be safe about this. – Makcheese Dec 09 '19 at 21:45