Studying Malware in a Virtual Machine - Dangers, Precautions

Discussion in 'sandboxing & virtualization' started by sbwhiteman, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. sbwhiteman

    sbwhiteman Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    63
    Not sure if this is the proper place to post this -- please move if not.

    I would like to learn more about blocking and/or cleaning malware. I see that many use virtual machines for this purpose.

    I run VirtualBox, using XP guests on a Windows 7 host. The host is a laptop connected wirelessly to a home router. An XP desktop and sometimes a Win7 netbook are also connected to the router.

    Is there any danger of the host computer or any of the other computers becoming infected from an infected VirtualBox guest machine? Are there additional precautions to take?

    Thanks in advance for your advice.
     
  2. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I do all my tests from a Linux host with a virtual Windows 7. With respect to precaution I can tell you that I never created any share drive nor folder between the host and the virtual system.

    The only advice I can give is to protect your host as much as you can with a good all-around security system, encrypt your sensitive data, and do not share anything. Once testing begins do not copy, cut and paste anything between host and virtual system.

    Thanks.
     
  3. sbwhiteman

    sbwhiteman Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    63
    Thanks for your thoughts, Cogito. Anyone else?

    Cogito, what would be your concern with a shared folder between the host and guest? Just that a malware file might be copied there? Or something more insidious?
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I just use a Linux host to test windows malware in Win 7 as guest OS in VMware, latest version.
     
  5. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    If you're just learning, it would be good to use Sandboxie with Buster Sandbox Analyzer inside your VM.
    First learn how to Configure Sandboxie from here.
    The default config of SBIE allows writes to disk, some malwares may escape.

    Malware Domain List has a lot of fresh samples, Clean-mx works very hard there.
    When starting out, look for samples with lots of detections from VT, like 20/42 or 25/42.
    Easy to detect means easier to learn about the infection.

    Once you have an idea what the malware is doing there are lots of other tools to run to see it running in the VM without SBIE and BSA.
    ARK's like GMER or Kernel Detective or XueTR, Process checkers like Process Explorer or Process Hacker, Process Monitor, Wireshark, Capsa.

    This is the approach I am taking while I am learning more about malware, HTHY.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I think shared folders are safe if you make guests have read-only access.

    Nothing has transferred over to host machine without user permission yet, but better be safe than sorry.
     
  8. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    I use sandboxie w/ buster, running under shadowdefender. Haven't had anything slip through yet.
     
  9. sbwhiteman

    sbwhiteman Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    63
    Thanks to all for your advice.

    MrBrian, those links are eye-opening -- they make me re-think the whole idea. Can't say I understand networking well enough to determine the network relationship between the guest and the host. And turning off shared folders and Guest Additions would make the whole process fairly painful. And even then it sounds like I'd be unsafe. Hmmm...
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Most malware is not virtualization-aware or sandbox-aware. However, I have personally seen malware that breaks out of Sandboxie and VMware, and can destroy an entire drive in seconds. So beware, it certainly is possible.
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Which malware are you referring? Do you mean a default 64 bit sandboxie? There aren't many malware that can bypass a hardened sandbox in 32 bit.
     
  12. sbwhiteman

    sbwhiteman Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    63
    SteveTX: Any suggestions? Or should I give up on the idea as too dangerous?
     
  13. cgeek

    cgeek Registered Member

    Joined:
    Mar 31, 2010
    Posts:
    328
    For analyzing samples and testing products I use a separate linux box running VmWare same as aigle. It is also on a separate subnet on the network. I have been using this setup for awhile and haven't yet had a problem.
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    specialized proof of concept malware designed to break out of virtualized and sandbox environments. 32/64 makes no difference, hardened or otherwise makes no difference.

    the malware is possible because it relies on the false sense of security coupled with the suggestion that it is safe to engage in unsafe behaviors due to the protection claimed by the sandbox. sandboxie is moderately strong, but if it comes up against smarter or stronger malware, it severely fails.

    in this particular case, trying to use a virtualized environment to study malware is only acceptable if it is on hardware that you don't care about and the host OS has no sensitive data or functions.
     
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    could you provide us with the names of the malwares in question so we can test for ourselves or are those just theoretical exploits?
     
  16. monkeybutt

    monkeybutt Registered Member

    Joined:
    May 18, 2009
    Posts:
    126
    I am reading those links from MrBrian about Virtualization exploits, and was wondering how this effects software like Returnil/Shadow Protect that's made with security in mind?
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  18. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Ok that was nothing more than random banter. You didn't really provide any concrete "bypass" out of a sandbox. How does it break out of the sandbox? Kernel hooks?, pre boot drivers?
     
  19. monkeybutt

    monkeybutt Registered Member

    Joined:
    May 18, 2009
    Posts:
    126
  20. sbwhiteman

    sbwhiteman Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    63
    Yes, thanks MrBrian for the thread links. I see malware testing is not to be taken lightly. Almost seems like you need a separate physical machine and a separate internet connection...
     
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx to MrBrian for the links.

    seems from the links above that Shadow Defender fared pretty good.

    from what i gathered Sandboxie would also be immune/pretty damn safe because it does not allow the installation of drivers.
    I would like to think Sandboxie is a close to bullet proof as possible.
    it is my first line of defense...
     
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    The specific method the malware uses is not relevant to the fact that malware can break out of virtualized and sandboxed environments. But if you must know to satisfy your curiosity, in the instance we saw, it leverages kernel modules, and works across mac/linux/windows.
     
  23. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    @ Steve:

    tnx for your answer.
    not being an expert meself in these matters i think the above scenario is possible.
    if someone build a box, somebody else will always be smart enough to take it apart.

    but between possible and likely there's a wide range.

    if someone has heard that Sandboxie has been bypassed lately i would like to hear your stories.
    if my setup is not safe, i sure would like to know more about it...
     
  24. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Unless you do everything else besides testing with a live-cd, I'd say that's precaution number one.
     
  25. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Well I think that it is relevant seeing that alot of folks use sandboxie to protect themselves. Can you provide any links, to your otherwise vague answers?
     
Loading...
Thread Status:
Not open for further replies.