
I am planning on analysing some malware samples dynamically using a sandbox tool and a target Windows VM. The host (physical machine) runs Ubuntu and in it are the sandbox and target VM.

So far I have only analysed benign samples, i.e. normal software. I store the samples on the Ubuntu host and use the sandbox tool to inject them into the Windows VM. The sandbox then runs the sample, monitors the VM and generates a report containing API calls and other information.

Now that I have tested the setup and feel ready to analyse real malware, I have noticed a potential security flaw in my setup. Assuming the VM and sandbox tools are secure, how do I store the malware before analysing it?

I first thought of simply extracting the malware into a folder on my Ubuntu host and running the sandbox tool just like I do with the benign software. However, this computer is connected to the rest of the network. Is this even a security concern?

Here is a somewhat related question: Is it secure to keep malware in filesystem of VMs?

Marcus
  • removable USB drive – schroeder Feb 22 '22 at 13:24
  • @schroeder you mean I should put all my malware samples on an external disk and that would make my system safe? How is that different? – Marcus Feb 22 '22 at 13:26
  • Your stated concern is that it is connected to the network. If you store on the removable drive, and remove it when not in use, then the risk of it being exposed to the network is low. Malware isn't a threat until it runs. You are running it in a sandbox, so you want to reduce the likelihood of it getting run without your knowledge. – schroeder Feb 22 '22 at 14:02
  • My immediate first instinct would be "in a labelled glass jar", but a removable USB drive with an unmistakable warning that it contains malware is the best equivalent. – Feb 22 '22 at 15:02
  • It is generally best practice to compress the samples within a password-protected archive. You should also consider changing the file extension to further prevent the accidental detonation of malicious Win binaries. An industry-accepted standard would be to use the password "infected" and the extension ".mal_" – Simpleton Feb 23 '22 at 07:08
  • I disagree with the strategy of storing on a USB drive. The auto-execution functions on inserting the drive on the host can result in accidental execution of the malware(s). I would go with a regular chroot-ed file system store. – sandyp Apr 18 '22 at 18:06

1 Answer


As long as the host is not capable of executing the malware, you should be fine storing the samples on the host disk. Make sure that you don't have something like Wine or Crossover running on the Ubuntu host; otherwise it might be possible to accidentally execute the malware. Chances are that the payload would fail, but the risk is still there. Moving the malware samples to an external drive and only inserting it while you are analysing the samples would mean that you are lowering the likelihood of accidental execution.

tl;dr: If you are only using the host for malware analysis I would keep it on disk. If you are using it for other things as well, keep them on an external drive and only insert it while you are interacting with the malware.

fuzboxz
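The controls the thread converges on (rename the sample to a non-executable extension, keep it somewhere the host will not run it, and reduce the chance of an accidental launch) can be made mechanical. The following is an added example, not code from the question, the comments or the answer above. It assumes a Linux (Ubuntu) host with Python 3 and a dedicated store directory chosen by the caller; the mount table it checks against is constructed inline, not read from a real machine. It does not create the password-protected archive Simpleton mentions, since the Python standard library can only read, not write, encrypted zips; that step would need an external tool such as 7z.

```python
"""Quarantine store for malware samples on an analysis host (added example).

Assumes a Linux host, Python 3 and a caller-chosen store directory. Samples are
renamed to <sha256>.mal_, stored without execute bits, audited, and the mount
holding the store is checked for the noexec option.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Extension convention from the thread: a Windows binary renamed to .mal_ is
# not launched by a double-click or by anything that matches *.exe.
QUARANTINE_EXT = ".mal_"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(sample: Path, store: Path) -> Path:
    """Copy sample into store as <sha256>.mal_ (mode 0400) and write a JSON
    sidecar with the original name, size and hash. Returns the stored path."""
    store.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(sample)
    dest = store / (digest + QUARANTINE_EXT)
    if not dest.exists():
        shutil.copyfile(sample, dest)  # copyfile does not carry over mode bits
    os.chmod(dest, 0o400)             # owner read-only, no execute bit
    meta = {"original_name": sample.name, "sha256": digest,
            "size": dest.stat().st_size}
    (store / (digest + ".json")).write_text(json.dumps(meta, indent=2))
    return dest


def store_violations(store: Path) -> list:
    """List (path, reason) for anything in the store that is executable or
    escaped the naming convention; an empty list means the store is clean."""
    problems = []
    for p in sorted(store.iterdir()):
        if p.suffix == ".json":
            continue
        if not p.name.endswith(QUARANTINE_EXT):
            problems.append((str(p), "not renamed to " + QUARANTINE_EXT))
        if p.stat().st_mode & 0o111:
            problems.append((str(p), "execute bit set"))
    return problems


def mount_has_noexec(mounts_text: str, directory: str) -> bool:
    """Given /proc/mounts-style text, report whether the mount holding
    directory (longest matching mount point) carries noexec. noexec blocks
    execve() on that filesystem, including a binfmt_misc handler that turns
    ./sample.exe into a Wine launch; it does not stop an explicit
    'wine sample.exe', which merely reads the file."""
    best_point, best_opts = "", ""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        point, opts = fields[1], fields[3]
        inside = directory == point or directory.startswith(point.rstrip("/") + "/")
        if inside and len(point) > len(best_point):
            best_point, best_opts = point, opts
    return "noexec" in best_opts.split(",")


# Constructed mount table (not from a real machine) for the check above.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /srv/malware ext4 rw,nosuid,nodev,noexec,relatime 0 0
"""


def demo() -> dict:
    """Constructed run: a harmless fake sample.exe with the execute bit set is
    quarantined and audited; then a stray executable is dropped into the
    store to show the audit catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = root / "sample.exe"
        sample.write_bytes(b"MZ" + b"\x00" * 62 + b"not a real PE file")
        sample.chmod(0o755)
        store = root / "quarantine"
        stored = quarantine(sample, store)
        clean = store_violations(store)
        stray = store / "stray.exe"
        stray.write_bytes(b"MZ")
        stray.chmod(0o755)
        dirty = store_violations(store)
        meta = json.loads((store / (stored.name[:64] + ".json")).read_text())
        return {"stored_name": stored.name,
                "stored_mode": stored.stat().st_mode & 0o777,
                "sha256": sha256_file(sample),
                "clean_violations": clean,
                "dirty_violation_count": len(dirty),
                "metadata": meta}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("noexec on /srv/malware/store:",
          mount_has_noexec(SAMPLE_MOUNTS, "/srv/malware/store"))
```

On a real host, feed `Path("/proc/mounts").read_text()` and the absolute path of the store to `mount_has_noexec`; mounting the store with `noexec` (and `nosuid,nodev`) covers the accidental `./sample.exe` case the answer worries about, while `store_violations` is the check to run before and after each session so a sample that was unpacked or renamed for analysis does not linger in runnable form.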