We want to study for the CEH program and have downloaded 12 DVDs, 6 of which contain software key-loggers, Trojans, etc. that are all detected by antivirus. This prevents us from examining them and learning how they work.
I have instructed students not to uninstall antivirus as running these malicious files is not safe on its own. It might even spread on the network.
Are virtual machines safe for downloading and installing Trojans, key-loggers, etc.?
Is there another way to solve this problem, e.g. setting up a lab, to show what happens to victims of the malware?
Are virtual machines safe for this? The answer is the same as for a lot of questions of the form “Is X safe?”: no, it’s not absolutely safe.
As described elsewhere, bugs in the virtual machine or poor configuration can sometimes enable the malware to escape. So, at least in principle, sophisticated malware might potentially be able to detect that it’s running in a VM and (if your VM has a vulnerability or a poor configuration) exploit the vulnerability or misconfiguration to escape from your VM.
Nonetheless, it’s pretty good. Probably most malware that you run across in the field won’t have special code to escape from a VM.
And running the malware in a VM is certainly a lot safer than installing it directly onto your everyday work machine!
Probably the biggest issue with analyzing malware samples in a VM is that some malware authors are starting to get smart and are writing their malware so that it can detect when it is run in a VM and shut down when running inside a VM. That means that you won’t be able to analyze the malicious behavior, because it won’t behave maliciously when it’s run inside a VM.
What alternatives are there? You could set up a sacrificial machine on a local machine, install the malware on there, then wipe it clean. Such a test network must be set up extremely carefully, to ensure that the malware can’t propagate, can’t spread to other machines of yours, and can’t do any harm to others.
Is it safe to install malware in a VM (Summary: “There is no simple answer”, and there are some risks)
How secure are virtual machines really? False sense of security? (Summary: there are definitely some risks that could allow malware to escape the VM)
Does a Virtual Machine stop malware from doing harm? (Summary: there have occasionally been vulnerabilities that have enabled malware to escape the VM)
Using a virtual machine is a safer way to study malware than running it on a normal machine – the main reason being that you can wipe and start over from a known fresh image at any time.
Isolation is also key, though – if your virtual machines are connected to your network they will be able to spread malware just as if they were physical machines, so either isolate logically (within the host) or physically (disconnect from the network).
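One way to turn the "isolate logically or physically" advice into something you can check before every run, as an added example that is not part of the original answer: a POSIX shell script that audits a VirtualBox guest's configuration for the channels a sample could use to reach the host or the LAN (network adapters, shared clipboard, drag-and-drop, shared folders, USB). It reads the output of `VBoxManage showvminfo "<vm>" --machinereadable` and uses the key names VirtualBox prints in that format; the VM name `malware-lab` is assumed, and the two sample configurations at the bottom are constructed so the script runs without VirtualBox installed.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit a VirtualBox guest's
# settings for the host/LAN isolation an analysis VM needs before a sample is
# run in it. Input is the output of
#     VBoxManage showvminfo "<vm name>" --machinereadable
# Key names used (nic1..nic8, clipboard, draganddrop, usb,
# SharedFolderNameMachineMapping*) are VirtualBox's machinereadable keys;
# the VM name "malware-lab" is an assumed name.

# cfg_val CONFIG KEY: print the value of KEY=... with quotes stripped,
# or nothing if the key is absent.
cfg_val() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# check_isolation: read machinereadable config on stdin, print one line per
# finding, return 0 only if the guest has no path back to the host or LAN.
check_isolation() {
    cfg=$(cat)
    rc=0

    # Every adapter must be unplugged ("none") or on an internal network
    # ("intnet"). NAT, bridged and host-only adapters all reach the host or LAN.
    for n in 1 2 3 4 5 6 7 8; do
        nic=$(cfg_val "$cfg" "nic$n")
        case "$nic" in
            ''|none|intnet) ;;
            *) echo "FAIL: nic$n=$nic (only none or intnet is acceptable)"; rc=1 ;;
        esac
    done

    # Shared clipboard and drag-and-drop are host<->guest data channels.
    for key in clipboard draganddrop; do
        v=$(cfg_val "$cfg" "$key")
        if [ "$v" != disabled ]; then
            echo "FAIL: $key=${v:-unset} (want disabled)"; rc=1
        fi
    done

    # A shared folder lets the guest write straight into the host filesystem.
    if printf '%s\n' "$cfg" | grep -q '^SharedFolderNameMachineMapping'; then
        echo "FAIL: shared folder(s) configured (guest can write host files)"; rc=1
    fi

    # USB passthrough is only a warning: it matters once a host device is
    # actually attached to the guest.
    if [ "$(cfg_val "$cfg" usb)" = on ]; then
        echo "WARN: USB controller enabled; do not attach host devices"
    fi

    [ "$rc" -eq 0 ] && echo "OK: guest is isolated from host and LAN"
    return "$rc"
}

# Constructed sample: a VM with default-ish settings that still touch the host.
sample_unsafe_cfg() {
    cat <<'EOF'
name="malware-lab"
nic1="nat"
nic2="none"
clipboard="bidirectional"
draganddrop="hosttoguest"
usb="on"
SharedFolderNameMachineMapping1="exchange"
SharedFolderPathMachineMapping1="/home/analyst/exchange"
EOF
}

# Constructed sample: the same VM after locking it down.
sample_isolated_cfg() {
    cat <<'EOF'
name="malware-lab"
nic1="intnet"
intnet1="lab-isolated"
nic2="none"
clipboard="disabled"
draganddrop="disabled"
usb="off"
EOF
}

# Demo on the constructed samples, then on the real VM if VBoxManage exists.
for s in sample_unsafe_cfg sample_isolated_cfg; do
    echo "== $s"
    "$s" | check_isolation || echo "   -> do not run samples in this VM"
done
if command -v VBoxManage >/dev/null 2>&1; then
    VBoxManage showvminfo "malware-lab" --machinereadable | check_isolation \
        || echo "   -> fix the settings above first"
fi
```

Run it before each detonation and again after restoring the clean snapshot: a snapshot restores the guest's disk, but settings such as the network adapter mode live in the VM configuration and survive the restore, so a temporary NAT adapter added "just to fetch a tool" will still be there the next time.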
I’ve seen enough tangential information to believe that some viruses are capable these days of detecting that they are on a virtual machine and altering their behavior accordingly. The example I’ve heard is that the code will appear benign in the VM and then reactivate and infiltrate when not in a VM.
My recommendation whenever you want to test malware is to play in a cleanroom with disposable equipment. Don’t trust the VM to be your barrier – run in a lab where any network you provide is entirely standalone, connected to nothing else. Be sure that any removable memory (USBs, etc) you use is one way only from the outside world in, and when you’re done, wipe and reimage the computers you used for testing. Bring everything back to a known good state, don’t try to clean up manually.
For the purpose of study, it would probably be quite a lot of fun to try the viruses on both a machine with a VM and a regular bare-bones host. I’d probably throw some network monitoring on there, too, to see what the software tries to do over the network.
I wouldn’t try messing around with “XP mode” as a method of isolating malware. A virtual machine is your best bet. The guest OS will be isolated from the host system, so it’ll install onto the VM and do its nasty stuff, and you can just revert it back to a clean snapshot when you’re done.
Why not run it in a container?
You can select a multitude of images, prepare the environment for a single malware by attaching monitoring tools/scripts targeting it specifically.
The level of security protecting your machine, be it physical or virtual, will depend on the isolation you specify beforehand for the container.
With containers that becomes even clearer, as you have more visibility on what the malware is affecting since you can have n combinations of systems being spun up easily.
You might also want to analyse the behavior of such malware within a network. Simply isolate multiple containers with their own network within a network sandbox and ensure the latter is completely detached from your host machine.
For hardware isolation during such inspections you can use Pi’s or any cheap hardware.
It really comes down to allowing the malware to behave like it would on a normal computer and isolating it completely from the outside, as others have already pointed out.
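To show what "the isolation you specify beforehand for the container" looks like in practice, here is an added example that is not part of the original answer: a POSIX shell script that prints a locked-down `docker run` command line for a sample and audits a running container's `HostConfig` (as reported by `docker inspect`) before the sample is allowed to execute. All docker flags used are standard CLI options; the image name `lab/analysis:latest`, the container name `sample-run`, and the `lab-*` naming convention for `docker network create --internal` networks are assumptions, and the two sample inspect lines are constructed so the script runs without Docker. One caveat the answer does not spell out: a container shares the host kernel, so this is a namespace boundary rather than a VM boundary, and the Docker host itself belongs inside a throwaway VM.

```shell
#!/bin/sh
# Added example, not part of the original thread: run a sample in a
# locked-down container and audit the container's HostConfig before use.
# Assumed names: image "lab/analysis:latest", container "sample-run",
# internal networks named "lab-*" (constructed convention).

# lab_run_cmd NAME IMAGE: print the hardened `docker run` command line.
#   --network none       no interface at all (use a `docker network create
#                        --internal lab-xyz` network when containers must talk)
#   --read-only          immutable root fs; only /tmp is writable, nothing
#                        there is executable (noexec,nosuid)
#   --cap-drop ALL       no Linux capabilities: no raw sockets, mounts, ptrace
#   --security-opt no-new-privileges   setuid binaries cannot regain privilege
#   --pids-limit/--memory              fork bombs and memory exhaustion stay contained
lab_run_cmd() {
    printf 'docker run --rm -d --name %s --network none --read-only' "$1"
    printf ' --tmpfs /tmp:rw,noexec,nosuid,size=64m --cap-drop ALL'
    printf ' --security-opt no-new-privileges --pids-limit 256 --memory 512m %s\n' "$2"
}

# Go template for `docker inspect` that flattens the audited fields into one
# pipe-separated line: NetworkMode|ReadonlyRootfs|Privileged|CapDrop|SecurityOpt
INSPECT_FMT='{{.HostConfig.NetworkMode}}|{{.HostConfig.ReadonlyRootfs}}|{{.HostConfig.Privileged}}|{{join .HostConfig.CapDrop ","}}|{{join .HostConfig.SecurityOpt ","}}'

# check_hostconfig LINE: audit one such line, print findings, return 0 if the
# container is acceptable for running a sample.
check_hostconfig() {
    IFS='|' read -r netmode ro priv capdrop secopt <<EOF
$1
EOF
    rc=0
    case "$netmode" in
        none|lab-*) ;;   # "lab-*": our constructed name for --internal networks
        *) echo "FAIL: NetworkMode=$netmode (want none or an internal lab network)"; rc=1 ;;
    esac
    [ "$ro" = true ]    || { echo "FAIL: ReadonlyRootfs=${ro:-unset} (want true)"; rc=1; }
    [ "$priv" = false ] || { echo "FAIL: Privileged=${priv:-unset} (want false)"; rc=1; }
    case ",$capdrop," in
        *,ALL,*) ;;
        *) echo "FAIL: CapDrop=[$capdrop] (want ALL)"; rc=1 ;;
    esac
    case ",$secopt," in
        *,no-new-privileges,*) ;;
        *) echo "FAIL: SecurityOpt=[$secopt] (want no-new-privileges)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: container HostConfig is locked down"
    return "$rc"
}

# Constructed inspect lines: a plain `docker run image` versus the hardened run.
SAMPLE_DEFAULT='bridge|false|false||'
SAMPLE_LOCKED='none|true|false|ALL|no-new-privileges'

echo "== command to start the sample container:"
lab_run_cmd sample-run lab/analysis:latest
for line in "$SAMPLE_DEFAULT" "$SAMPLE_LOCKED"; do
    echo "== auditing: $line"
    check_hostconfig "$line" || echo "   -> do not start the sample"
done
# Audit the real container when Docker is present and the container exists.
if command -v docker >/dev/null 2>&1 && docker inspect sample-run >/dev/null 2>&1; then
    check_hostconfig "$(docker inspect --format "$INSPECT_FMT" sample-run)" \
        || echo "   -> recreate the container with lab_run_cmd"
fi
```

The audit reads `docker inspect` rather than trusting the command that was typed, because a container can be started by a script, a compose file or a colleague with different flags; checking the effective `HostConfig` catches the difference. For several containers that need to see each other, create the network with `docker network create --internal lab-net` and pass `--network lab-net`: an internal network has no route to the host's interfaces, which is the container equivalent of the disconnected network the other answers recommend.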
I think we don’t have to be more clever than really good professionals are. Mark Russinovich usually uses virtual machines to analyze code behaviour. Of course this doesn’t mean that you don’t have to be careful; isolate the virtual machine as far as possible (firewall settings and so on).
My way of testing malware is to install the following:
Sandboxing Software (Such as Sandboxie)
Virtual Machine (Such as VirtualBox or VMware)
An Additional AV (Such As Avast, Or MalwareBytes)
After you have got all that, sandbox the virtual machine (on the host PC) and activate the AV.
Once you open your virtual machine, open any virus in the sandbox.
To go the extra mile
You can install a VM inside a VM, and sandbox that, but note that it requires a very strong PC.
To add to the wonderful answers given by others, and to add my own experience to it-
No, virtual machines are not ‘safe’ for your purpose, as has been already elaborated by
I also do some kind of security-related experiments, and so I requested my authorities to give me a separate LAN which is disconnected from the rest of the network at my University.
What I ended up getting was a VLAN which is disconnected from the rest of our network- and I do all my experiments on virtual machines in that network (which, again, is not the best option – A simple search on this site will reveal to you that VLANs are not really a ‘security’ – see here). So your best bet seems to be to either have a network which is disconnected from the rest of your network, or simply not connect the VMs to a network and keep them isolated.
Adding to the comment by @Legolas –
And surely stay away from any stuff coming from/endorsed by the black hat community. For my context I can tell of one tool called Havij; not sure of things in your context. When you are dealing with malware and stuff like that, you never know what all it will do apart from what it claims to do!