Playing with malware safely - Using a Virtual PC?

Discussion in 'sandboxing & virtualization' started by BrendanK., Apr 8, 2009.

Thread Status:
Not open for further replies.
  1. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Well I always thought using a Virtual PC to test malware was safe, but apparently not?

    Some malware is able to somehow attack a Virtual PC?

    How do I protect a Virtual PC from this, and how do I protect my own computer, so that I don't become infected from the Virtual PC?
     
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    There is malware that specifically attacks virtual systems, but it is rare and usually detected by good antivirus applications. That's why it is usually safer to run an AV, or some kind of anti-executable, within the virtual environment (all HIPS stop new processes from running at the discretion of the user). I also read that some malware detects the virtual environment and won't run in it.
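
    The VM-detection behaviour mentioned above, as an added example that is not code from this thread or from any product named in it. Two checks that commodity malware has used for years are written as pure functions over supplied input: the hypervisor vendor string that CPUID leaf 0x40000000 returns in EBX:ECX:EDX (the signature strings are the documented ones for VMware, KVM, Hyper-V, Xen, VirtualBox and QEMU TCG), and the OUI prefix of a NIC's MAC address (the prefixes listed are well-known virtual-NIC ranges, but the table is illustrative, not exhaustive). Querying CPUID itself needs native code, so this block takes the register values as arguments; the function names, the sample MACs and the sysfs reader are this example's own.

```python
import os
import struct

# CPUID leaf 0x40000000 vendor strings, as EBX:ECX:EDX concatenated.
# Documented signatures; the mapping is illustrative, not exhaustive.
HYPERVISOR_SIGNATURES = {
    "VMwareVMware": "VMware",
    "KVMKVMKVM\x00\x00\x00": "KVM",
    "Microsoft Hv": "Microsoft Hyper-V",
    "XenVMMXenVMM": "Xen",
    "VBoxVBoxVBox": "VirtualBox",
    "TCGTCGTCGTCG": "QEMU (TCG)",
}

# Well-known OUI prefixes issued to virtual NICs (lower-case, colon-separated).
# Illustrative list; real detectors carry many more.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware",
    "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:03:ff": "Microsoft Virtual PC / Hyper-V",
    "00:15:5d": "Microsoft Hyper-V",
    "00:16:3e": "Xen",
    "00:1c:42": "Parallels",
}


def decode_hypervisor_vendor(ebx, ecx, edx):
    """Reassemble the 12-byte vendor string from the three 32-bit registers.

    Each register holds four ASCII bytes in little-endian order, so packing
    them with "<III" reproduces the byte order the CPU hands back."""
    return struct.pack("<III", ebx, ecx, edx).decode("ascii", errors="replace")


def regs_from_signature(signature):
    """Inverse of decode_hypervisor_vendor; handy for building test vectors."""
    raw = signature.encode("ascii")
    if len(raw) != 12:
        raise ValueError("vendor signature must be exactly 12 bytes")
    return struct.unpack("<III", raw)


def classify_hypervisor(ebx, ecx, edx):
    """Return the hypervisor name for a known signature, else None."""
    return HYPERVISOR_SIGNATURES.get(decode_hypervisor_vendor(ebx, ecx, edx))


def classify_mac(mac):
    """Return the virtualization vendor implied by a MAC's OUI, else None."""
    oui = mac.strip().lower().replace("-", ":")[:8]
    return VM_MAC_OUIS.get(oui)


def vm_indicators(cpuid_regs=None, macs=()):
    """Combine both checks the way a simple "am I in a VM?" routine would.

    cpuid_regs: (ebx, ecx, edx) from CPUID leaf 0x40000000, or None when the
    caller could not query it. Returns a list of (check, vendor) hits."""
    hits = []
    if cpuid_regs is not None:
        vendor = classify_hypervisor(*cpuid_regs)
        if vendor:
            hits.append(("cpuid", vendor))
    for mac in macs:
        vendor = classify_mac(mac)
        if vendor:
            hits.append(("mac", vendor))
    return hits


def live_macs():
    """Collect adapter MACs from sysfs. Linux only; elsewhere returns []."""
    found = []
    try:
        for iface in os.listdir("/sys/class/net"):
            with open(os.path.join("/sys/class/net", iface, "address")) as fh:
                mac = fh.read().strip()
            if mac and mac != "00:00:00:00:00:00":
                found.append(mac)
    except OSError:
        pass
    return found


if __name__ == "__main__":
    # Constructed input: what a VMware guest with one VMware NIC would hand
    # back. The CPUID registers are supplied rather than queried (see above).
    sample = vm_indicators(regs_from_signature("VMwareVMware"),
                           ["00:0C:29:12:34:56"])
    print("constructed guest:", sample)
    print("this host's NICs:", vm_indicators(None, live_macs()))
```

    The same two checks, run the other way round, tell a lab operator which of these artifacts their own test VM exposes; hypervisors differ in how much of this can be masked, so the output is a starting point for hardening the lab, not a verdict.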
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    If you are going to do this you should use the best. I also play, but I use the most current version of VMware Workstation. I also shadow all my host system disk drives with ShadowDefender, just in case.

    Pete
     
  4. thathagat

    thathagat Guest

  5. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    If you ever get tired of the cat-and-mouse game of one-upmanship between malware writers and detector/cleaner writers (and now virtual jumpers), ALWAYS keep an offline image of a clean install. Other than destroying your hardware with a CMOS infection or sending copies of itself to all your contacts in your email directory while infected, a clean image will take care of most of your problems (at least it does for me).

    SourMilk out
     
  6. jonyjoe81

    jonyjoe81 Registered Member

    Joined:
    May 1, 2007
    Posts:
    829
    All malware will attack a virtual PC. A virtual PC is just like a regular PC. I use Returnil Virtual System whenever I need maximum protection, and sometimes malware will attack the virtual PC, but it has never attacked the real PC.

    While on the Returnil virtual PC, I always have my firewall and antivirus running. Worst case scenario, I also have an image backup of my hard drive just in case malware were to attack the real PC. Never encountered a worst case scenario yet.
     
  7. Dogbiscuit

    Dogbiscuit Guest

    Secunia has not issued any advisories for Microsoft Virtual PC 2007.

    Virtual PC 2004 had one advisory, released in August of 2007. The vulnerability required a local user in order to exploit it. The bug could cause a buffer overflow on the host OS that allowed a user with admin rights in the guest OS to execute arbitrary code on the host OS.

    If my understanding of this particular flaw is correct, had you downloaded a malicious file in the guest OS that exploited this vulnerability, and then executed the malicious file yourself (in the guest OS), you could have infected the host OS or other guest OSes. No such exploit code was known to exist, however, and running as a limited user under the guest OS (no admin privileges) would have stopped an attack, according to Microsoft.

    Since, according to Secunia, there have been no vulnerabilities reported for VPC 2007, it's safe to say that there is very little likelihood that malware can escape from it currently. There would have to be some publicly unknown vulnerability being exploited - it's not impossible, but unlikely.
     
    Last edited by a moderator: Apr 9, 2009
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Removed one off topic post. Linux is not relevant to this thread.

    Pete
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Containment software such as OS virtualization, sandboxes, etc. is not bulletproof. Eventually, malware will be able to break out of a virtual environment as easily as it can escape AV detection. Chances are there will be nothing to alert the user when that happens. You could potentially rootkit your host system and not be aware of it. Malware writers are also trying to infect the BIOS and other firmware. I'd expect to see them eventually succeed.

    Ideally, you should use a separate PC for testing malware, one with no personal info on it. The next best choice would be an image of a separate host environment that's used in place of your regular OS, equipped with all the tools and virtualization you need. Make full backups of your regular OS and store them away from your test system. I use an Acronis image of a test system I built some time ago that's stored on an external hard drive. When I'm testing potentially malicious code, I use that OS image and the external hard drive is disconnected. When I'm done testing, I nuke the drive with DBAN and restore an image of my standard OS from the external drive.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    I would not test malware on a production system. If you do opt for virtualization, it still should be used on a machine that contains no critical, personal data.
    Mrk
     
  11. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe

    I do the same, but a HIPS is also always running on my system.
     