Topic: VMs safe for testing malware?
I'm curious if it's safe to test malware in a VM? I'm pretty sure this is a yes, but need to be sure.
Compared to just launching it in your OS you are very safe, but some malware has VM-testing features that may give wrong results in your analysis.
At first I misinterpreted your question. I thought you wanted to know the risk and comparison of analyzing malware in a VM vs on actual hardware. Directly below I think I answered your intended question of whether or not running malware in a VM can damage the host operating system or machine. Further below, I talked about analyzing malware in a VM vs on actual hardware.
Safe to run malware in VM:
There is a very small chance that it could do any damage to the host machine. You *should* be safe running it in a VM. The malware would have to be extremely sophisticated, and even then I don't know of any techniques to break out of VirtualBox or VMware. Also, if you don't know what you are doing, I would consider disabling the network on the VM to be extra cautious.
Safe to analyze malware in a VM (obtain valid analysis results):
If your question is asking what is the *best* way to analyze malware, then I would say that it really depends on the malware and also how long and in-depth you want your analysis to be. Below is a little comparison of the two methods (VM vs standalone computer).
Advantages of using a VM:
- quicker (don't need to re-image or format a drive for every malware test - can just snapshot to clean state)
- convenient (easy to run malware in a VM while doing normal activities on your host)
- safer (won't do harm to your actual machine)
- doesn't require extra hardware
- easy to have multiple configurations (different OSes, Service Packs, Anti-Virus, etc.)
- much easier to do kernel debugging
Disadvantages of using a VM:
- certain malware can detect if it is running within a VM and behave differently
- possible for malware to break out of the VM and infect the host machine
- VM may not support certain architectures / instructions
Other Comments:
- malware may behave differently depending on the OS, Service Packs, or Anti-Virus
- malware may behave differently if the machine/VM is connected to a private network vs internet vs standalone
- make sure that the malware isn't connected to your internal network
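The "certain malware can detect if it is running within a VM" point above is easy to see concretely. The following is an added example, not code from the thread or from any particular malware: it implements the common guest-side heuristics (virtual NIC MAC prefixes, hypervisor names in DMI/SMBIOS strings, the CPUID `hypervisor` flag that Linux exposes in /proc/cpuinfo, and guest-tools device nodes) as pure functions so they can be run on constructed inputs, plus a best-effort collector that reads a live Linux guest. Running it inside your own sandbox shows which artifacts a sample would have to notice before deciding to stay dormant. All function names and the sample inputs are assumptions for illustration.

```python
"""
Guest-side VM-detection heuristics, as an added illustration of what
VM-aware malware can look at. Not from the original thread; names and
sample inputs are constructed for this example.
"""
import glob
import os
import re

# OUI prefixes assigned to common hypervisor virtual NICs (IEEE registry).
VM_MAC_OUIS = {
    "08:00:27": "VirtualBox",
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "00:15:5d": "Hyper-V",
    "00:1c:42": "Parallels",
    "52:54:00": "QEMU/KVM",   # default prefix used for QEMU-generated MACs
}

# Substrings that show up in DMI/SMBIOS vendor or product strings of hypervisors.
VM_DMI_MARKERS = ("virtualbox", "vmware", "qemu", "kvm", "bochs",
                  "xen", "virtual machine", "parallels")

# Device nodes that appear once guest tools are installed (VirtualBox, VMware).
GUEST_TOOL_DEVICES = ("vboxguest", "vboxuser", "vmci")

_MAC_RE = re.compile(r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})"
                     r"(?:[:-][0-9a-f]{2}){3}")


def mac_vendor(mac):
    """Return the hypervisor name if the MAC's OUI is a known virtual NIC prefix, else None."""
    m = _MAC_RE.fullmatch(mac.strip().lower())
    if not m:
        return None
    return VM_MAC_OUIS.get(":".join(m.groups()))


def dmi_marker(value):
    """Return the first hypervisor marker found in a DMI string, else None."""
    lowered = value.lower()
    for marker in VM_DMI_MARKERS:
        if marker in lowered:
            return marker
    return None


def cpuinfo_has_hypervisor_flag(cpuinfo_text):
    """CPUID leaf 1, ECX bit 31 is shown by Linux as the 'hypervisor' flag."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "hypervisor" in line.split(":", 1)[1].split()
    return False


def score_artifacts(macs, dmi_values, cpuinfo_text, device_nodes):
    """Combine all heuristics; returns the list of tell-tale findings (empty = looks bare metal)."""
    findings = []
    for mac in macs:
        vendor = mac_vendor(mac)
        if vendor:
            findings.append("mac %s has %s OUI" % (mac, vendor))
    for name, value in dmi_values.items():
        marker = dmi_marker(value)
        if marker:
            findings.append("dmi %s=%r mentions %s" % (name, value, marker))
    if cpuinfo_has_hypervisor_flag(cpuinfo_text):
        findings.append("cpuinfo: hypervisor flag set")
    for node in device_nodes:
        if os.path.basename(node) in GUEST_TOOL_DEVICES:
            findings.append("guest-tools device %s present" % node)
    return findings


def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def collect_live_artifacts():
    """Best-effort collection from a running Linux guest; returns [] where unavailable."""
    macs = [_read(p) for p in glob.glob("/sys/class/net/*/address")]
    dmi = {k: _read("/sys/class/dmi/id/" + k)
           for k in ("sys_vendor", "product_name", "board_vendor")}
    cpuinfo = _read("/proc/cpuinfo")
    devices = [p for p in glob.glob("/dev/*") if os.path.basename(p) in GUEST_TOOL_DEVICES]
    return score_artifacts(macs, dmi, cpuinfo, devices)


if __name__ == "__main__":
    for finding in collect_live_artifacts() or ["no VM artifacts found"]:
        print(finding)
```

Each finding is something an analyst can change (VirtualBox lets you set the NIC MAC and override DMI strings; the CPUID `hypervisor` bit cannot be hidden from within the guest without hypervisor support), so the list doubles as a to-do list for making the sandbox less obvious.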
I did not expect that reply, sfsfs. Thanks a bunch.
I also have similar concerns. Is it allowed to test on a commercial web service like Amazon EC2?
Testing on a service like EC2 would technically work, but I don't suggest it. EC2 is awesome if you need huge computing power or massive parallelization, and malware testing needs none of those things. You'd be much better off spinning up VirtualBox on your own hardware and doing testing there--malware that has the capability to escape a VM sandbox is really rare, so you won't really be at risk. sfsfs is correct that some malware behaves differently (i.e. doesn't work) inside a VM, just to make your life difficult, but that isn't *too* common either (though you will see it from time to time).
Hi there,
Could anyone name a malware known to escape from a VM sandbox to the host operating system?
Thanks!!
Something like that is unknown, actually.
In theory they could spread through the network and via the clipboard.
I don't think he means that. I guess he's talking about an exploit or vulnerability.
XtcC wrote: In theory they could spread through the network and via the clipboard.
I don't think he means that. I guess he's talking about an exploit or vulnerability.
I see, but I have seen a lot of exploits for VMware.
Search Google for site:exploit-db.com vmware
Here is one a year old:
//removed because it only affected guests//
Maybe you are right, but I can't really believe it.
Last edited by XtcC (2011-11-28 22:51:46)
The number of exploits in a piece of software is finite. After all of them have been fixed, there are 0 exploits.
Indeed I meant exploits or vulnerabilities.
Since 2007 (CVE-2007-4496, CVE-2009-3281, CVE-2010-2784) ... until now (CVE-2011-1898), there have been reported vulnerabilities that allow guest OS users to gain host OS privileges.
There has to be malware which targets these and other vulnerabilities. I can't believe that "something like that is unknown".
Thanks!!
There has to be malware which targets these and other vulnerabilities. I can't believe that "something like that is unknown".
Don't you think that if something like that existed, coders would make a patch closing the hole in a few hours?
VMware is very slow, for example. Sometimes it's simpler to use an external PC.
Last edited by klondike (2011-12-05 02:59:36)
I would for sure use a separate PC; that way you know for sure that your current PC is protected. Sure, a VM is good at keeping things separate, but I sure wouldn't try it on a production machine with a VM.
Despite the risk, we need VMware to analyze the malicious code.