1

I am pursuing malware research and am wondering what are the best practices for building safe VM's to contain the code while disassembling it. So far:

  1. Each instance for examining the code is housed in a seperate VM with host-only network support to prevent hostile code from escaping the VM.
  2. Each VM is fully patched and has a minimal attack surface by excluding all unnecessary software/services.

What other steps should I take to isolate the VM's or harden the VM's ? The VM's are Win XP and Win Vista.

Thanks

Scott Davies
  • 423
  • 1
  • 5
  • 9

2 Answers2

3

What you are looking for is a malware sandbox, not a honeypot.

I would recommend having the host machine be a different OS than the sandbox. For example, run Linux on your VM, then run the malware in a Windows installation inside the linux VM. It would be shocking if the Windows malware infected the Linux box.

There is actually an open source system called Zero Wine you could take a look at.

Its sole purpose is to help people analyze malware in a contained environment.

There are some commercial products such as Norman Sandbox Analyzer that might be viable as well, depending on your budget.

Adam Brand
  • 6,127
  • 2
  • 30
  • 40
-1

It doesn't sound exactly like you're working with a honey pot, but rather a test system in which to examine malware.

Be aware that it's possible for malware to get outside the VM, and even replace the VM's hipervisor with a malicious one. You'll need to make sure the system on which the VMs are running is incapable of causing you harm - for example, an air gap between it and your network. You'll also want backups of the system in a clean state, prior to any viruses, and probably bootable write-once media from whcih to restore.

atk
  • 217
  • 1
  • 3
  • Currently, there is no known malware that can "escape" a vm/replace the hypervisor. Blue Pill http://www.en.wikipedia.org/wiki/Blue_Pill_(malware) is poc, and has not been seen in malware in the wild. For future reference, please post references for such claims – Josh Brower Sep 24 '09 at 00:47
  • @Josh Brower: You may well be correct in that there is no malware currently getting outside the hypervisor. There is, however, a difference between, "malware can" and "malware does". I'll try and call out such syntactic details when I write future comments. – atk Sep 24 '09 at 17:14
  • @ atk: Was not trying to be offensive. Just trying to be accurate. – Josh Brower Sep 25 '09 at 03:44
  • @Josh Brower: I apologize for the tone of my response. You are correct in that my original comment implies more than I meant. – atk Sep 25 '09 at 21:08