Malware experts I have a question

I'm starting my first year of college next week. So I was thinking about making a vm and get a head start on analyzing samples. I have been contemplating my setup and have come to the conclusion since I'm now a poor college student that I can only use my one computer.

Now to my question, If I were to have a Dual boot system and have my Linux partition host a Windows XP VM. Is it theoretically possible for a sample to jump from the VM to my windows partition?

 

What VM are you planning on using in linux?

 

VirtualBox.

 

I'm no expert but I would have to say no. You are safer with running the virtual machine within Linux. Let me explain.
First off the malware would have to bypass the guest os and then have to run within Linux to be able to access the partition. IMO that would be a lot of work (if possible) for the author to implement! Second I don't even think you have write access (only read) to other partitions within Linux unless the other partition is FAT32. I use a the same setup for analyzing that you are thinking about and have never had a problem.

BTW: Good Luck in school!

Regards,
Cgeek

 

Theoretically? Yes.
Practically, near impossible.

Lets even assume you have ntfs-3g installed so that linux can read/write ntfs partitions. I'd recommend mounting the windows partition automatically as READ ONLY.

So, for malware to jump from VM to your windows partition, it would have to breach the VM from within XP, somehow assume kernel level privileges, unmount the windows partition, remount it read write, and then write to it. It would be very very very very difficult.

The chances of your laptop getting physically stolen are much much much much higher

 

If you are already concerned about this level of improbable security issues why do you not worry about Windows Guest->Linux host? That's thousand times more likely (1000 times 0 point something is still not much) and not _that_ hard to pull off.
Or even more likely is a bug in VBox itself (I know NIC drivers for example are a common problem for VMware Linux offerings) that compromises the host directly or enables local privilege escalation. Still pretty low risk and you'd need to run untrusted stuff on the host or connect to a hostile network.

I wouldn't worry about this at all, especially with run of the mill Windows malware. If your samples would come from targeted attacks against high profile targets that would maybe be a different story. Windows running virtualised on top of a Linux Server is pretty common today so it may start making sense explicitly targeting that.

 

Wait until you start college, there's a high chance you'll get a free msdn pass that allows you to download copies of Windows 7, VirtualPC, etc.