Playing with malware safely - Using a Virtual PC?

Well I always thought using a Virtual PC to test malware was safe, but apparently not?

Some malware is able to some how attack a Virtual PC?

How do I protect a Virtual PC from this, and how do I protect my own computer, so that I don't become infected from the Virtual PC?

 

There is malware that specifically attacks virtual systems, but it is rare and usually detected by good antivirus applications. That's why it is usually safer to run an AV, or some kind of antiexecutable within the virtual environment (all HIPS stop new processes from running at the discretion of the user). I also read that some malware detects the virtual environment and won't run in it.

 

take a look at this thread.........https://www.wilderssecurity.com/showthread.php?t=224534
some nice suggestions here...........

 

If you ever get tired of the cat and mouse game of oneupsmanship between malware writers and detector cleaner writers (and now virtual jumpers) ALWAYS keep an offline image of a clean install. Other than destroying your hardware with a CMOS infection or sending copies of itself to all your contacts in your email directory while infected, a clean image will take care of most of your problems (at least it does for me.)

SourMilk out

 

All malware will attack a virtual pc. A virtual pc is just like a regular pc. I use returnil virtual system, whenever I need maximun protection and sometimes malware will attack the virtual pc but it has never attacked the real pc.

While on the returnil virtual pc, I always have my firewall and antivirus running. Worst case scenario I also have a image backup of my hard drive just incase malware where to attack the real pc. Never encountered a worst case scenario yet.

 

Secunia has not issued any advisories for Microsoft Virtual PC 2007.

Virtual PC 2004 had one advisory, released in August of 2007. The vulnerability required a local user in order to exploit it. The bug could cause a buffer overflow on the host OS that allowed a user with admin rights in the guest OS to execute arbitrary code on the host OS.

If my understanding of this particular flaw is correct, had you downloaded a malicious file in the guest OS that exploited this vulnerabilty, and then executed the malicious file yourself (in the guest OS), you could have infected the host OS or other guest OS's. No such exploit code was known to exist, however, and running as a limited user under the guest OS (no admin privileges) would have stopped an attack, according to Microsoft.

Since, according to Secunia, there have been no vulnerabilities reported for VPC 2007, it's safe to say that there is very little likelihood that malware can escape from it currently. There would have to be some publicly unknown vulnerability being exploited - it's not impossible, but unlikely.

 

Containment software such as OS virtualization, sandboxes, etc are not bulletproof. Eventually, malware will be able to break out of a virtual environment as easily as it can escape AV detection. Chances are there will be nothing to alert the user when that happens. You could potentially rootkit your host system and not be aware of it. Malware writers are also trying to infect the BIOS and other firmware. I'd expect to see them eventually succeed.

Ideally, you should use a separate PC for testing malware, one with no personal info on it. The next best choice would be an image of separate host environment that's used in place of your regular OS, equipped with all the tools and virtualization you need. Make full backups of your regular OS and store it away from your test system. I use an Acronis image of a test system I built some time ago that's stored on an external hard drive. When I'm testing potentially malicious code, I use that OS image and the external hard drive is disconnected. When I'm done testing, I nuke the drive with D-Ban and restore an image of my standard OS from the external drive.

 

I would not test malware on a production system. If you do opt for virtualization, it still should be used on a machine that contains no critical, personal data.
Mrk

 

The same I do, but in my system always runs also an HIPS.