21

We want to study for the CEH program and have downloaded 12 DVDs, 6 of which contain software key-loggers, Trojans, etc. that are all detected by antivirus. This prevents us from examining them and learning how they work.

I have instructed students not to uninstall antivirus, as running these malicious files is not safe on its own. They might even spread on the network.

One of the students suggests using Windows XP mode. Is this safe? I have seen articles 1 and 2 here, but the answers are contradictory and confuse us.

Are virtual machines safe for downloading and installing Trojans, key-loggers, etc.?

Is there another way to solve this problem, e.g. setting up a lab, to show what happens to victims of the malware?

Z.T.
saber tabatabaee yazdi
  • Are these known forms of malware? I.e. do you know what kind of threat they pose (by using a virus encyclopedia), or may they perform unknown actions? Of course, it is never safe to make too many assumptions about their respective threats, but, for example, if you obtained them from an anti-virus company for scientific purposes, their behaviour in virtual machines may be known to the extent where you can decide if it is too much of a risk to run them in a virtual machine. – Legolas Nov 02 '12 at 07:35

8 Answers

32

Are virtual machines safe for this? The answer is the same as for a lot of questions of the form "Is X safe?": no, it's not absolutely safe.

As described elsewhere, bugs in the virtual machine or poor configuration can sometimes enable the malware to escape. So, at least in principle, sophisticated malware might potentially be able to detect that it's running in a VM and (if your VM has a vulnerability or a poor configuration) exploit the vulnerability or misconfiguration to escape from your VM.

Nonetheless, it's pretty good. Probably most malware that you run across in the field won't have special code to escape from a VM.

And running the malware in a VM is certainly a lot safer than installing it directly onto your everyday work machine!

Probably the biggest issue with analyzing malware samples in a VM is that some malware authors are starting to get smart and are writing their malware so that it can detect when it is run in a VM and shut down when running inside a VM. That means that you won't be able to analyze the malicious behavior, because it won't behave maliciously when it's run inside a VM.

What alternatives are there? You could set up a sacrificial machine on a local machine, install the malware on there, then wipe it clean. Such a test network must be set up extremely carefully, to ensure that the malware can't propagate, can't spread to other machines of yours, and can't do any harm to others.

D.W.
20

Using a virtual machine is a safer way to study malware than running it on a normal machine - the main reason being that you can wipe and start over from a known fresh image at any time.

Isolation is also key, though: if your virtual machines are connected to your network they will be able to spread malware just as if they were physical machines, so either isolate logically (within the host) or physically (disconnect from the network).

Rory Alsop
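As an added example of the "isolate logically (within the host)" point above (this is my own illustration, not code from Rory Alsop's answer or the original page): a small audit of a libvirt/KVM domain definition, the XML that `virsh dumpxml <domain>` prints, that flags the settings which give a guest a path back to the host or the LAN. The element names (`interface`, `filesystem`, `graphics`, `redirdev`, `hostdev`, `channel`, and `forward` in the network XML) are libvirt's own; the sample domain and network definitions, the severity labels and the `malnet` lab-network name are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an analysis VM with several isolation mistakes, namely
# a bridge onto the physical LAN, libvirt's NAT "default" network, a host
# directory shared in, SPICE clipboard/file transfer, USB redirection and
# the QEMU guest agent channel.
LEAKY_DOMAIN = """<domain type='kvm'>
  <name>malware-lab</name>
  <devices>
    <interface type='bridge'><source bridge='br0'/></interface>
    <interface type='network'><source network='default'/></interface>
    <filesystem type='mount'><source dir='/home/analyst/samples'/><target dir='share'/></filesystem>
    <graphics type='spice'><clipboard copypaste='yes'/><filetransfer enable='yes'/></graphics>
    <redirdev bus='usb' type='spicevmc'/>
    <channel type='unix'><target type='virtio' name='org.qemu.guest_agent.0'/></channel>
  </devices>
</domain>"""

# Constructed sample: the same VM attached only to a lab network, nothing shared.
ISOLATED_DOMAIN = """<domain type='kvm'>
  <name>malware-lab</name>
  <devices>
    <interface type='network'><source network='malnet'/></interface>
    <graphics type='spice'><clipboard copypaste='no'/><filetransfer enable='no'/></graphics>
  </devices>
</domain>"""

# Constructed sample network definitions. libvirt treats a network with no
# <forward> element as isolated (guests reach each other and the host bridge
# only); any <forward> element routes or NATs traffic out of the host.
NAT_NETWORK = "<network><name>default</name><forward mode='nat'/><bridge name='virbr0'/></network>"
ISOLATED_NETWORK = "<network><name>malnet</name><bridge name='virbr9'/></network>"

# Lab networks the operator has verified are isolated (assumption for this example).
TRUSTED_LAB_NETWORKS = {"malnet"}


def audit_domain(xml_text: str, lab_networks=TRUSTED_LAB_NETWORKS) -> list:
    """Return (severity, finding) pairs for isolation problems in a domain XML."""
    root = ET.fromstring(xml_text)
    findings = []
    for iface in root.iter("interface"):
        kind = iface.get("type")
        src = iface.find("source")
        if kind in ("bridge", "direct"):
            findings.append(("high", f"interface type={kind} puts the guest on the physical LAN"))
        elif kind == "user":
            findings.append(("high", "user-mode networking NATs the guest to the outside world"))
        elif kind == "network":
            name = src.get("network", "") if src is not None else ""
            if name not in lab_networks:
                findings.append(("high", f"interface uses network '{name}', not a verified isolated lab network"))
    for fs in root.iter("filesystem"):
        src = fs.find("source")
        where = src.get("dir", "?") if src is not None else "?"
        findings.append(("high", f"host directory '{where}' is shared into the guest"))
    for gfx in root.iter("graphics"):
        clip = gfx.find("clipboard")
        if clip is not None and clip.get("copypaste") == "yes":
            findings.append(("medium", "SPICE clipboard sharing is enabled"))
        ft = gfx.find("filetransfer")
        if ft is not None and ft.get("enable") == "yes":
            findings.append(("medium", "SPICE file transfer (drag and drop) is enabled"))
    for _ in root.iter("redirdev"):
        findings.append(("medium", "USB redirection into the guest is enabled"))
    for _ in root.iter("hostdev"):
        findings.append(("high", "a physical host device is passed through to the guest"))
    for ch in root.iter("channel"):
        tgt = ch.find("target")
        if tgt is not None and tgt.get("name", "").startswith("org.qemu.guest_agent"):
            findings.append(("low", "QEMU guest agent channel gives the guest a host-facing command path"))
    return findings


def audit_network(xml_text: str) -> list:
    """Flag a libvirt network that forwards guest traffic off the host."""
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    if fwd is None:
        return []
    name = root.findtext("name", "?")
    return [("high", f"network '{name}' forwards traffic out of the host (mode={fwd.get('mode', 'nat')})")]


if __name__ == "__main__":
    for label, xml in (("leaky", LEAKY_DOMAIN), ("isolated", ISOLATED_DOMAIN)):
        print(label, audit_domain(xml) or "no findings")
    print("default network:", audit_network(NAT_NETWORK) or "isolated")
```

Run it against `virsh dumpxml` and `virsh net-dumpxml` output before the first sample goes in; the point is that "no network adapter" is not the only thing to check, since shared folders, clipboard and USB redirection are host-facing paths too.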
13

I've seen enough tangential information to believe that some viruses are capable these days of detecting that they are on a virtual machine and alter their behavior accordingly. The example I've heard is that the code will appear benign in the VM and then reactivate and infiltrate when not in a VM.

My recommendation whenever you want to test malware is to play in a cleanroom with disposable equipment. Don't trust the VM to be your barrier - run in a lab where any network you provide is entirely standalone, connected to nothing else. Be sure that any removable memory (USBs, etc) you use is one way only from the outside world in, and when you're done, wipe and reimage the computers you used for testing. Bring everything back to a known good state, don't try to clean up manually.

For the purpose of study, it would probably be quite a lot of fun to try the viruses on both a machine with a VM and a regular bare bones host. I'd probably throw some network monitoring on there, too, to see what the software tries to do over the network.

bethlakshmi
  • Agreed, we're seeing more and more cases of VM-aware malware. When they detect that they're being sandboxed in a VM, they deliberately withhold the payload under the assumption that it's being executed in a security researcher environment. – Ivan Mar 15 '17 at 23:49
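D.W.'s answer and bethlakshmi's answer (with Ivan's comment) both describe malware that checks whether it is inside a VM and withholds its payload. As an added example, not code from any of the answers or from the original page, here is the kind of fingerprinting such a sample does, written so an analyst can run it inside the lab VM and see what the VM leaks. The MAC OUI prefixes and DMI strings are public vendor identifiers; the `Evidence` container, the scoring and the sample inputs are this example's own design, and `collect_local()` assumes Linux sysfs/procfs paths.

```python
import os
import re
import uuid
from dataclasses import dataclass

# MAC OUI prefixes registered to hypervisor vendors (public IEEE assignments).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "00:1c:42": "Parallels",
    "52:54:00": "QEMU/KVM",
}

# Substrings hypervisors leave in SMBIOS/DMI product and vendor fields.
VM_DMI_MARKERS = ("virtualbox", "vmware", "qemu", "kvm", "xen", "hyper-v",
                  "virtual machine", "parallels", "bochs")

# Guest-tools device nodes on Linux guests (VirtualBox additions, VMware VMCI).
VM_DEVICE_PATHS = ("/dev/vboxguest", "/dev/vboxuser", "/dev/vmci")


@dataclass
class Evidence:
    """The raw observations a sample gathers before deciding whether to run."""
    mac: str = ""
    dmi_product: str = ""
    dmi_vendor: str = ""
    devices: tuple = ()
    cpu_flags: tuple = ()  # the "hypervisor" CPUID flag is set by nearly every VMM


def fingerprint(ev: Evidence) -> list:
    """Return (indicator, detail) pairs that point at a virtual machine."""
    hits = []
    oui = ev.mac.lower()[:8]
    if oui in VM_MAC_OUIS:
        hits.append(("mac_oui", VM_MAC_OUIS[oui]))
    for name, value in (("dmi_product", ev.dmi_product), ("dmi_vendor", ev.dmi_vendor)):
        low = value.lower()
        marker = next((m for m in VM_DMI_MARKERS if m in low), None)
        if marker:
            hits.append((name, marker))
    for dev in ev.devices:
        if dev in VM_DEVICE_PATHS:
            hits.append(("device", dev))
    if "hypervisor" in ev.cpu_flags:
        hits.append(("cpu_flag", "hypervisor"))
    return hits


def looks_like_vm(ev: Evidence) -> bool:
    """The decision a VM-aware sample makes: any hit and it stays dormant."""
    return bool(fingerprint(ev))


def _read(path: str) -> str:
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def collect_local() -> Evidence:
    """Gather the same evidence from this machine (Linux paths; best effort)."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))
    flags = re.search(r"^flags\s*:\s*(.*)$", _read("/proc/cpuinfo"), re.M)
    return Evidence(
        mac=mac,
        dmi_product=_read("/sys/class/dmi/id/product_name"),
        dmi_vendor=_read("/sys/class/dmi/id/sys_vendor"),
        devices=tuple(p for p in VM_DEVICE_PATHS if os.path.exists(p)),
        cpu_flags=tuple(flags.group(1).split()) if flags else (),
    )


if __name__ == "__main__":
    print("VM indicators on this host:", fingerprint(collect_local()) or "none")
```

Running this in the analysis VM and on the bare-metal box bethlakshmi suggests gives you both baselines: if the VM shows hits that the physical machine does not, a sample checking the same things has a way to tell the two apart.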
9

I wouldn't try messing around with "XP mode" as a method of isolating malware. A virtual machine is your best bet. The guest OS will be isolated from the host system, so it'll install onto the VM and do its nasty stuff, and you can just revert it back to a clean snapshot when you're done.

Polynomial
3

Why not run it in a container?

You can select a multitude of images, prepare the environment for a single malware by attaching monitoring tools/scripts targeting it specifically.

The level of security protecting your machine, be it physical or virtual, will depend on the isolation you specify beforehand for the container.

With containers that becomes even clearer, as you have more visibility on what the malware is affecting, since you can have n combinations of systems being spun up easily.

You might also want to analyse the behavior of such malware within a network. Simply isolate multiple containers with their own network within a network sandbox and ensure the latter is completely detached from your host machine.

For hardware isolation during such inspections you can use Pis or any cheap hardware.

It really comes down to allowing the malware to behave like it would on a normal computer and isolating it completely from the outside, as others have already pointed out.

Alan
  • When this question was written, container technologies like Docker were not available. – saber tabatabaee yazdi Jul 12 '18 at 14:33
  • Indeed Docker wasn't available; Linux containers, on the other hand, were 3 years old, yet in the hands of a few engineers, so their not being mentioned here is understandable. Well pointed out. :) – Alan Jul 12 '18 at 14:50
  • This question is from 5 years and 8 months ago. Docker didn't have a stable version 6 years ago, and VMs are a popular technology. I have a question: is it possible to open an SFTP port and move data to Docker, and when moving it to a WordPress container, then copy PHP malware files there to damage the OS or MySQL database info? Or is there any way to damage other containers? – saber tabatabaee yazdi Jul 12 '18 at 15:10
2

My way of testing malware is to install the following:

Host PC

  • Sandboxing Software (Such as Sandboxie)

  • Virtual Machine (Such as VirtualBox or VMware)

  • An Additional AV (Such As Avast, Or MalwareBytes)

Guest PC

  • Sandboxing Software


After you have got all that, sandbox the virtual machine (on the host PC) and activate the AV.

Once you open your virtual machine, open any virus in the sandbox.

To Go The extra mile

You can install a VM inside a VM, and sandbox that, but note that it requires a very strong PC.

schroeder
2

I think we don't have to be more clever than really good professionals are. Mark Russinovich usually uses virtual machines to analyze code behaviour. Of course, this doesn't mean that you don't have to be careful; isolate the virtual machine as far as possible (firewall settings and so on).

sh4d0w
1

To add to the wonderful answers given by others, and to add my own experience to it:

No, virtual machines are not 'safe' for your purpose, as has already been elaborated by @bethlakshmi.
I also do some kind of security-related experiments, and so I requested my authorities to give me a separate LAN which is disconnected from the rest of the network at my university.

What I ended up getting was a VLAN which is disconnected from the rest of our network, and I do all my experiments on virtual machines in that network (which, again, is not the best option; a simple search on this site will reveal to you that VLANs are not really a 'security' measure - see here). So your best bet seems to be to either have a network which is disconnected from the rest of your network, or simply not connect the VMs to a network and keep them isolated.

Adding to the comment by @Legolas:
And surely stay away from any stuff coming from/endorsed by the black hat community. For my context I can tell of one tool called Havij; not sure of things in your context. When you are dealing with malware and stuff like that, you never know what all it will do apart from what it claims to do!

pnp