Can VirtualBox fail while testing malware?

Discussion in 'sandboxing & virtualization' started by thathagat, Nov 5, 2008.

Thread Status:
Not open for further replies.
  1. thathagat

    thathagat Guest

    Hi... I recently set up a VM via VirtualBox running XP Pro. Now I can't resist the temptation to test malware, but I am apprehensive....
    1. Is there a probability/possibility of VirtualBox failing and damage to my host PC?
    2. Should a novice be undertaking such adventures?
    3. Several RAR archives are floating around the net containing malware samples, but all point out that the real-time protection of the AV has to be paused to effectively download. Um, I know this is puerile, but is it advisable to do so?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,052
    To answer your questions: I don't use VirtualBox, but use VMware Workstation.

    1. I always assume there is a possibility. I protect myself with a) an image of the system, and b) running ShadowDefender on the host machine.

    2. Depends. How comfortable are you with imaging and restoring your system? If not, I would say you shouldn't mess with this stuff.

    3. The answer to this points to number 2. Yes, you will have to disable real-time AVs. Otherwise they will block your efforts.

    I would say, as a generality, the fact you had to ask these questions in itself points to maybe leaving it alone.

    Pete
     
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Only if there is a vulnerability in VirtualBox and the virus knows how to expose it. According to Secunia, there aren't any reported vulnerabilities in the 2.0.x versions.
     
  4. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I'm only a novice and I do such things quite often. Just make sure you take all necessary precautions, like backing up your system and important data. Hope for the best but prepare for the worst is my philosophy :).
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree with the above folks: prepare for the worst-case failure scenario. IMO, take practice runs of image recovery and make sure they work beforehand, or better yet, leave the malware alone.
     
  6. ola nordmann

    ola nordmann Registered Member

    Joined:
    May 6, 2007
    Posts:
    89
    There are still potential security problems one should deal with before purposely infecting a VM with malware, whether it's VirtualBox, VMware...

    One thing that comes to my mind is the network. The most secure thing would be to shut down the virtual network, but then some malware may not work, because they download trojans etc. from the internet. The reason you should be careful with the network is that the malware can propagate to other (non-virtual) machines through the network, e.g. by taking advantage of services with open ports, and maybe they even have remote vulnerabilities.

    So be sure that the network is as secure as possible, both on the host machine and on other computers available in the LAN. A firewall is probably useful, but on the host machine there is a problem: several firewalls seem to only filter physical network traffic, and not traffic on the virtual bridged NICs or the NAT'ed network that the VM provides. So be sure to check this with a port scanner from the virtual machine!

    Another dangerous thing with VMs is all the host integration tools they provide. So if you're going to test malware, you should probably enable as little as possible of this stuff, because they can make it easier for the VM to access info on the host, through shared folders, clipboard integration etc.
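
    The following is an added example, not code posted in this thread. It is a host-side shell script that checks a VirtualBox VM for the settings the post above warns about (shared clipboard, drag and drop, shared folders, and a NIC that is bridged or NAT'ed onto the real network) by parsing the key="value" output of `VBoxManage showvminfo <vm> --machinereadable`. The embedded sample output and the VM name "xp-malware" are constructed for the example, and the key names (clipboard / clipboard_mode, draganddrop, nicN, SharedFolderNameMachineMappingN) are assumed to match the installed VirtualBox version; compare against a real showvminfo dump before relying on it.

```shell
#!/usr/bin/env sh
# Audit a VirtualBox VM's host-integration and network settings before
# running malware in it.  Added example for the thread; not from VirtualBox.
# Input format: the key="value" lines printed by
#   VBoxManage showvminfo "<vm>" --machinereadable
# Key names below are assumptions; check them against your VirtualBox version.

# Constructed sample of a convenience-configured VM (the defaults a lab VM
# should NOT have): bridged NIC, shared clipboard, a shared folder.
SAMPLE_VMINFO='name="xp-malware"
nic1="bridged"
bridgeadapter1="eth0"
cableconnected1="on"
nic2="none"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="hostshare"
SharedFolderPathMachineMapping1="/home/analyst/share"
'

# vminfo_get <key>: print the value of key="value" read from stdin.
vminfo_get() {
    key=$1
    sed -n "s/^${key}=\"\(.*\)\"\$/\1/p"
}

# audit_vminfo <machinereadable-text>
# Prints one finding per line; returns the number of findings (0 = clean).
audit_vminfo() {
    info=$1
    findings=0

    # Clipboard sharing: older versions use "clipboard", newer "clipboard_mode".
    clip_seen=0
    for key in clipboard clipboard_mode; do
        val=$(printf '%s\n' "$info" | vminfo_get "$key")
        [ -n "$val" ] || continue
        clip_seen=1
        if [ "$val" != "disabled" ]; then
            echo "RISK: shared clipboard is '$val' (guest can read or poison the host clipboard)"
            findings=$((findings + 1))
        fi
    done
    [ "$clip_seen" -eq 1 ] || echo "WARN: no clipboard key found; verify clipboard sharing manually"

    val=$(printf '%s\n' "$info" | vminfo_get draganddrop)
    if [ -n "$val" ] && [ "$val" != "disabled" ]; then
        echo "RISK: drag and drop is '$val'"
        findings=$((findings + 1))
    fi

    # Every shared folder is a direct path from the guest to host files.
    # (Names containing spaces would be split here; good enough for an audit.)
    for name in $(printf '%s\n' "$info" \
            | sed -n 's/^SharedFolderNameMachineMapping[0-9]*="\(.*\)"$/\1/p'); do
        echo "RISK: shared folder '$name' is mapped into the guest"
        findings=$((findings + 1))
    done

    # NIC mode: bridged/NAT reach the LAN; host-only still reaches host services;
    # "none" or an internal network ("intnet") keeps the sample off the wire.
    for i in 1 2 3 4 5 6 7 8; do
        val=$(printf '%s\n' "$info" | vminfo_get "nic$i")
        case $val in
            ""|none|intnet) ;;
            bridged|nat|natnetwork)
                echo "RISK: nic$i is '$val' (guest can reach the LAN/Internet)"
                findings=$((findings + 1)) ;;
            hostonly)
                echo "WARN: nic$i is host-only (guest can still reach host services)"
                findings=$((findings + 1)) ;;
            *) echo "WARN: nic$i has unrecognised mode '$val'" ;;
        esac
    done

    [ "$findings" -eq 0 ] && echo "OK: no risky integration or network settings found"
    return "$findings"
}

# Remediation on the host, VM powered off (flag names vary slightly by version):
#   VBoxManage modifyvm xp-malware --clipboard-mode disabled --draganddrop disabled
#   VBoxManage modifyvm xp-malware --nic1 intnet --intnet1 malnet   # or --nic1 none
#   VBoxManage sharedfolder remove xp-malware --name hostshare
#   VBoxManage snapshot xp-malware take clean-baseline

# With a VM name as argument, audit the live VM; otherwise audit the sample.
if [ -n "${1:-}" ]; then
    info=$(VBoxManage showvminfo "$1" --machinereadable)
else
    info=$SAMPLE_VMINFO
fi
audit_vminfo "$info" || echo "$? finding(s); fix them before running any sample"
```

    Run as `sh audit-vm.sh xp-malware` on the host. It covers what the VM configuration exposes; the port scan from inside the guest that the post recommends is the complementary check, since it shows what the host firewall actually filters on the virtual adapter rather than what the configuration says.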
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,052

    Excellent points. I not only have a firewall on the host, I have one on my VM machine. I do disable all sharing on the vm machine, and likewise run ShadowDefender on the host. All other machines on my network also have their own firewalls.

    You do have to be very careful.

    Pete
     
  8. thathagat

    thathagat Guest

    Hello... I have a router, with KIS 2009 on my host PC, and use Returnil while accessing the VM. Should I have another FW on the VM and maybe use Sandboxie too?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,052
    Not a bad idea, and if you have another machine on the network, you should have a firewall on it.

    Pete
     
  10. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    As has been stated, it's wise to run the host system virtualised using Returnil or similar, as an added protection, in the very unlikely event that a malware sample escapes VirtualBox.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The only way to be truly safe when testing malware is to use a separate PC set up for this purpose, preferably one you don't value too much. It absolutely should not contain any important or personally identifiable data. Regarding the safety of relying on virtualbox or any other type of containment or virtualization software, the best that can be said is that they're safe at the moment. That doesn't mean they will stay that way. The more popular these types of software become, the more they'll be targeted. Eventually, someone will find a way to break out of them, they'll get patched, and the process will repeat.

    I don't know if you have anything specific in mind when you say "test malware". Be aware that some malware can detect when it's being run in a virtual environment or sandbox and will not reveal its true nature under those conditions. It's only when it detects that it's on a real system that it can infect that it will do what it was designed to. This is partly to make them difficult to capture and analyze and partly to infect those who test software on a virtual system before they install on their real system.

    Regarding:
    should a novice be undertaking such adventures?
    Are you a novice with malware or computers in general? Everyone who tests malware was a novice at it when they started. If you're a novice with computers in general, you're looking for trouble. Without a basic knowledge of how Windows works, how the internet works, basic security, etc, there's no way to do any meaningful testing.

    Regarding disabling or pausing the AV, an AV will interfere with malware testing. They're supposed to catch the malware and prevent it from running. Your statement regarding the AV leads me to believe that you don't understand the basics well enough to do any meaningful testing. That said, under the right conditions, testing malware can give you quite an education about the inner workings of Windows. I strongly suggest using a separate PC for this. A used one that meets the minimum requirements of the OS is all you really need. Pick up a backup program that can restore your system from an image and learn to use it first. Make a full backup of the OS while it's clean and complete. Make sure the image will restore properly. Don't connect this PC to any network with other PCs on it. Some malware will spread over a network and infect every PC that's vulnerable. Once you have a testbox built and isolated from other PCs, then you can launch any malware you want to on that PC for whatever kind of testing you want to do.
     