1

I'm planning on doing some malware research for a research project, and I was wondering what would be a better option for keeping my system safe from viruses accidentally infecting it. I'm only planning on analyzing the binaries, not running them, but an errant click could happen. Should I be trying to do this analysis in a VM? Should I use a Live CD/Live USB boot (with some sort of forensic OS like Kali)? I know some viruses can break out of VMs, so would that make the Live CD approach be better? Or are there other things I'm not considering that makes the VM approach better?

John Montgomery
  • As long as you only analyze the binaries, both options would work, Live or VM. If you were to run them in a safe environment, then neither would work, because nowadays malware tends to act differently on VMs and Lives than it does on the actual device. Sometimes it doesn't run, and sometimes it runs "differently", which makes you think "oh, this malware is not so bad", but when you run it on the primary OS, BOOM! – cengizUzun Feb 18 '14 at 08:27
  • Related thread: [Is it safe to install malware in a VM](http://security.stackexchange.com/q/12546/32746). – WhiteWinterWolf Dec 30 '15 at 10:26

3 Answers

2

The main two things that come to mind are the threats that can compromise you when using them. In both cases, the threats are fairly rare.

For a VM, the main threat to your system is a virus that is able to exploit the hypervisor. Such a virus would be able to escape the VM and infect your system. VMs also have the benefit of being able to do a closer comparison to the state change caused by the virus to determine exactly what it does.

For a live CD, such a virus would be a hardware resident virus that is able to corrupt the hardware in such a way that it survives a reboot to your normal environment and is then able to spread.

Both are pretty unlikely to be problems from all but the best attackers; however, a hardware-resident virus is a far bigger (if much rarer) threat than any software virus, since it would be basically impossible to remove. Because of this, I would personally lean towards VMs; however, the most truly paranoid individual could use a VM running off a live CD.

AJ Henderson
  • I don't know AJ Henderson's plan for using "a VM running off a live CD". But I am rather paranoid ;) One can install VirtualBox on Debian, add Crunchbang VM, and then use bootcd to create a LiveCD. With enough RAM, that will boot in a diskless machine. – mirimir Feb 18 '14 at 06:18
2

I was wondering what would be a better option for keeping my system safe from viruses accidentally infecting it. I'm only planning on analyzing the binaries, not running them

To summarize the simple answer: Get a hex editor or whatever other tools you plan to use on an ARM-based NON-Windows smartphone or tablet to analyze Windows x86 binary malware.

The more complex options:

  • Look at the application (malware) you don't want to run on a processor that doesn't use the same machine code in the first place; i.e. look at an ARM or Power executable on a PC, look at an x86 or x64 virus on a Power or ARM chip, look at anything at all printed out on paper.

    • Watch out for cross-platform applications (malware) like Javascript, Java, Flash, and the like.
  • As John Deters said, (also) use an OS they don't run on.

    • Again, watch out for cross-platform applications (malware) like Javascript, Java, Flash, and the like.
  • Don't have any devices they can infect, i.e. have the virus on one read-only CD-ROM, and boot from a LiveCD on a machine with two x-ROM drives, one for the OS and one for the malware, or use a LiveCD on an x-ROM that can be removed easily afterwards (perhaps Puppy Linux or Parted Magic; Kali likely works too)

    • AFTER removing all floppies, hard drives, USB sticks, external drives, x-RW's, etc. etc. from the machine.
    • AFTER making sure that both the LiveCD and the x-ROM are 100% full, particularly in the case of Puppy Linux
    • AFTER doing your best to ensure that the malware you're using cannot infect the BIOS at all (or at least not on the system you're using it on).
  • Alternately, if you're really, really paranoid and have even a small budget (or friends who upgrade), use a used 100% throwaway machine (preferably from cast-off, ancient, useless parts), remove or destroy all the networking capabilities, and use x-ROMs to perform one-way transfers (except for printing on a throwaway printer). Write malware and investigation tools to x-ROMs, load them in the throwaway machine, and then:

    • Shred the x-ROM's after loading
    • You are allowed to print output. Nothing but paper, light, and scraps comes from that setup machine ever again.
    • Use a sledgehammer on the hard drive(s) after you're done.
    • Triple-bag it in Ziplock bags with a layer of cheap towel in there; you want to watch out for glass shards.
    • Use the sledgehammer on the motherboard's BIOS after you're done.
    • If you're truly paranoid, sledgehammer the printer after you're done, too!
    • Dispose of it all after you're done.
    • Enjoy the fruits of your research and the bliss of hammering an infected machine into scrap!

Essentially, the paranoid goal is to prevent infection and to prevent spreading the infection you assume you got despite preventing it.

Anti-weakpasswords
1

You can analyze them in an incompatible OS. Nothing says you have to study a Windows virus on a Windows machine. This keeps the risk of accidental infection of your test environment lower.

I've tested some malware in a virtual machine with no ill effects, but my experience is limited to some not-very-aggressive code. I suppose it's possible that you could make a mistake and infect your host. Code intended to attack a specific USB device could break the boundaries, too.

A LiveCD is also a good choice. Configure it to be write-locked so it won't mount writeable media unless you explicitly tell it to.

John Deters
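Both of the answers above recommend looking at a Windows binary on a host that cannot execute it. The script below is an added example (not code from any of the posters) of what that static, read-only triage looks like: it parses a PE header from raw bytes, never maps or runs the file, and tells you whether the sample's machine type could even run natively on the host you are sitting at. The sample bytes are constructed by hand and are not a real program.

```python
"""Read-only triage of a Windows PE header on any host architecture.

Added example, not from the thread. It parses bytes only, so it behaves the
same on x86, ARM or POWER; the SAMPLE below is hand-built, not a real binary.
"""
import platform
import struct
from typing import Optional

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}

# platform.machine() strings mapped onto the same PE machine names.
HOST_ARCH = {"x86_64": "x64", "AMD64": "x64", "i386": "x86", "i686": "x86",
             "aarch64": "ARM64", "arm64": "ARM64", "armv7l": "ARM"}


def parse_pe_header(data: bytes) -> dict:
    """Return machine name, section count and timestamp, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 24 > len(data):                        # 4-byte sig + 20-byte header
        raise ValueError("PE header offset points past end of data")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})"),
            "sections": nsections, "timestamp": timestamp}


def native_on_host(machine: str, host: Optional[str] = None) -> bool:
    """True if code built for `machine` could execute natively on `host`."""
    host = host or platform.machine()
    return HOST_ARCH.get(host) == machine


# Constructed sample: 64-byte DOS header whose e_lfanew points at a bare
# file header with Machine=0x14c (x86), 3 sections, TimeDateStamp=0x5e000000.
SAMPLE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
          + b"PE\0\0" + struct.pack("<HHI", 0x014C, 3, 0x5E000000) + b"\0" * 12)

if __name__ == "__main__":
    info = parse_pe_header(SAMPLE)
    print(info)
    print("could run natively on this host:", native_on_host(info["machine"]))
```

On an ARM tablet or laptop the last line prints False for the x86 sample, which is the whole point of the "incompatible platform" advice: an errant double-click has nothing to execute.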