LinuxQuestions.org

Linux - Security: Studying Viruses within a Virtual Machine - a safe way? (https://www.linuxquestions.org/questions/linux-security-4/studying-viruses-within-a-virtual-machine-a-safe-way-697695/)

Completely Clueless 01-16-2009 08:34 AM

Studying Viruses within a Virtual Machine - a safe way?
 
Hi guys,

I need some suggestions as to how to set this up...

I'd like to use a virtual machine environment to open up Windows to the internet whilst totally unprotected by firewalls or anti-virus and see how it becomes infected and how quickly it becomes unusable (even more unusable than it normally is, I mean). I'd also get a perverse enjoyment out of seeing it getting trashed, to be honest. Anyway, once it's riddled with infections I need to be able to then roll it back to its initial, clean state and start over again. And all during this process, the Linux host environment must remain impervious to infection and maintain its integrity and ensure nothing escapes into any adjacent partitions.

So how might I best implement such a scheme in practice?

Thanks!

CC.

win32sux 01-16-2009 09:52 AM

How about using VirtualBox and isolating it with AppArmor? Just a thought (I've never done it). BTW, using a VM would work just fine for what you described, but if you're planning to do serious malware analysis, then a VM might not be a good idea, as some malware will act differently within a virtual machine (on purpose).

jkzfixme 01-16-2009 10:07 AM

I would not even bother with AppArmor, just DMZ the virtual machine, and clone onto a DVD, keep ClamAV or some such proggie handy and go to town. Sounds like you're doing this for fun so I doubt you have much to worry about as far as it being a mail server or anything mission critical. Otherwise your boss is gonna love you! LOL

Regards
JKZfixme

win32sux 01-16-2009 11:57 AM

Quote:

Originally Posted by jkzfixme (Post 3410976)
I would not even bother with AppArmor, just DMZ the virtual machine, and clone onto a DVD, keep ClamAV or some such proggie handy and go to town. Sounds like you're doing this for fun so I doubt you have much to worry about as far as it being a mail server or anything mission critical. Otherwise your boss is gonna love you! LOL

Good point about the DVD, it's imperative that a proper backup of the host is taken prior to this (I'm assuming that's what you meant). That said, I'm not exactly sure how ClamAV is gonna help with anything when the guest gets owned. BTW, could you elaborate a bit as to what you mean by "DMZ the virtual machine"?

OlRoy 01-16-2009 03:27 PM

I see you want to make your Linux machine impervious to attack-- how about taking measures to help protect other people on the net who will probably be attacked by your experiment? In addition to your honeypot VM, you should probably use the Roo honeywall as a VM. The honeywall will not only help prevent your honeypot from attacking other computers by using Snort as an IPS, and slowing down port scans, but it can also be used to collect evidence. Here is a tutorial on how to create a virtual honeynet using VMware.

You may want to start off by using a low interaction honeypot like Nepenthes, and then run the malware on the VM manually, while the VM is contained.

Completely Clueless 01-17-2009 02:29 PM

Quote:

Originally Posted by OlRoy (Post 3411325)
I see you want to make your Linux machine impervious to attack-- how about taking measures to help protect other people on the net who will probably be attacked by your experiment?

Fair point and one I intend to address, naturally. It's a pity there isn't such a thing as a "dummy load" in computing where you can dump all your unwanted output safely. I guess the nearest thing is /dev/null.

Anyway, I'm still very short on specifics here on how to implement my dream of torturing Windows to death over and over again with impunity.
For example:

What would make the best Distro for such a secure host environment?
How large should the overall host partition be?
How does one protect the Host from infection/compromise?
How does one "roll back" the test OS to its original state?

Once upon a time it was easy to find the answers to such questions with a Google search. No longer, sadly, owing to the sheer volume of traffic. And there are many better search engines than Google today, too. Yet they all seem to throw up way too many spurious results. I just need a few bones thrown my way, guys. Please give me some clue as to a feasible initial system set-up. I'm gonna run this on an AMD Athlon 64 dual core with a 2.3GHz processor and 3GB of physical RAM. HDD capacity is in the Terabyte range. And no, I'm not at work; just a hobbyist at home.

Thanks again,

CC.

Completely Clueless 01-17-2009 02:34 PM

Oh, and to Win32sux, I imagine the "dmz" remark refers to the term "de-militarized zone" - a kind of buffer separation lane providing protection from attack from either (or any) side.

win32sux 01-17-2009 02:51 PM

Quote:

Originally Posted by Completely Clueless (Post 3412171)
What would make the best Distro for such a secure host environment?

I would say whichever distro you are most comfortable with.

Quote:

How large should the overall host partition be?
You don't need to use a dedicated partition for this. Of course, you could if you want to. Look at the minimum requirements on the Windows box/manual and use that as a base.

Quote:

How does one protect the Host from infection/compromise?
One way would be to use mandatory access control to further isolate the virtual machine, as suggested in post #2. There are apparently also specialized virtual machines available, with one having been recommended in post #5.

If you run VirtualBox as a non-root user (which isn't your personal account), any attacker who manages to break out of the VM will still be limited by the regular protection offered by permissions. If the attacker isn't able to escalate his privileges, damage to your system will be contained within the non-root user's account. But by using mandatory access control, you can add an additional layer of security which will protect you even if the attacker has a way to escalate privileges.

Quote:

How does one "roll back" the test OS to its original state?
VirtualBox has a feature called "Snapshots" which lets you do precisely this. In fact, you can pretty much take a snapshot of the system at any point you wish. For example, you could take a snapshot right after a fresh installation (so you can always return to a pristine state), and snapshots during specific infections, etc. Doing this is as simple as pressing a button in the VirtualBox software. I imagine it's just as easy with other VMs.

Quote:

Oh, and to Win32sux, I imagine the "dmz" remark refers to the term "de-militarized zone" - a kind of buffer separation lane providing protection from attack from either (or any) side.
I know what a DMZ is. But other readers might not, or at least they might not understand what context jkzfixme was suggesting it in. Did he mean DMZ the VM with a host-based firewall? Did he mean create an actual, physical DMZ and put the VM's host on that network? I don't have a clue. This is one reason why it's a good idea to elaborate a bit whenever making these kinds of suggestions. For example, he could have stated that you could use iptables to make a rule which wouldn't allow the user which your VM is running as to establish any outbound connections on the host. This might be done with a command like:
Code:

iptables -I OUTPUT -m state --state NEW -m owner --uid-owner virtualbox -j REJECT
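
The three measures win32sux lays out above (a dedicated non-root user for the VM, an owner-matched iptables rule on the host, and a VirtualBox snapshot to roll back to) collected into one script. This is an added example, not code from the thread or from the VirtualBox project; the user name "vbox", the VM name "xp-sandbox" and the snapshot name "clean" are assumptions made for the example, and DRY_RUN=1 prints the commands instead of executing them:

```shell
#!/bin/sh
# Added example, not code from the thread: the steps win32sux describes
# (dedicated non-root VM user, host iptables owner rule, VirtualBox snapshots)
# collected into one script. The names below are assumptions made for the
# example: unprivileged user "vbox", guest registered in VirtualBox as
# "xp-sandbox", pristine snapshot named "clean".
# Run with DRY_RUN=1 to print the commands instead of executing them.

VM_USER="${VM_USER:-vbox}"
VM_NAME="${VM_NAME:-xp-sandbox}"
SNAPSHOT="${SNAPSHOT:-clean}"

# Execute a command, or just echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Run a VBoxManage command as the VM user, so the VM and its disk images never
# belong to root or to your own account (names are assumed to contain no spaces).
as_vm_user() {
    run su -s /bin/sh "$VM_USER" -c "$*"
}

# 1. Dedicated account: a guest escape lands here, limited by ordinary file
#    permissions, not in your personal account. vboxusers is the group the
#    VirtualBox package creates at install time.
create_vm_user() {
    run useradd --system --create-home --shell /usr/sbin/nologin "$1"
    run usermod -a -G vboxusers "$1"
}

# 2. Host firewall: REJECT any NEW outbound connection originated by the VM
#    user (the rule from the post) and LOG such attempts so you can see when
#    the guest tries to reach out. REJECT is inserted first; the later -I for
#    LOG lands above it, so a packet is logged and then rejected.
block_vm_user_egress() {
    run iptables -I OUTPUT -m state --state NEW -m owner --uid-owner "$1" -j REJECT
    run iptables -I OUTPUT -m state --state NEW -m owner --uid-owner "$1" -j LOG --log-prefix "vm-egress: "
}

# 3. Snapshot the fresh install once ...
take_clean_snapshot() {
    as_vm_user VBoxManage snapshot "$VM_NAME" take "$SNAPSHOT"
}

# ... and roll back to it after every run: power off the guest, then restore.
rollback_to_clean() {
    as_vm_user VBoxManage controlvm "$VM_NAME" poweroff
    as_vm_user VBoxManage snapshot "$VM_NAME" restore "$SNAPSHOT"
}

case "${1:-}" in
    setup)    create_vm_user "$VM_USER"; block_vm_user_egress "$VM_USER"; take_clean_snapshot ;;
    rollback) rollback_to_clean ;;
    "")       ;;   # sourced or run without arguments: only define the functions
    *)        echo "usage: $0 setup|rollback" >&2; exit 2 ;;
esac
```

One caveat on the owner match: iptables can only attribute packets to a uid when a process on the host generated them. With VirtualBox's NAT networking the guest's traffic is sent by the VirtualBox process and the rule applies; with bridged networking the guest's frames are injected below the host's IP stack and this rule never sees them, so the guest would need to be confined by other means (a separate network, or the mandatory access control mentioned earlier in the thread).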

larryhaja 01-17-2009 03:57 PM

There is a new project on SourceForge that uses a QEMU VM with Debian as the OS with WINE installed. The purpose of the project is to identify system calls in malware through the WINEDEBUG variable. I've never tried it myself and it is a relatively new project, but it sounds like an interesting idea. I know this doesn't answer the OP's purpose of setting up a Windows VM, but if someone wanted an open source solution to look at how malware works then this could be worth a try. You can learn more about it here.
http://zerowine.sourceforge.net/

win32sux 01-17-2009 04:08 PM

Quote:

Originally Posted by larryhaja (Post 3412245)
There is a new project on SourceForge that uses a QEMU VM with Debian as the OS with WINE installed. The purpose of the project is to identify system calls in malware through the WINEDEBUG variable. I've never tried it myself and it is a relatively new project, but it sounds like an interesting idea. I know this doesn't answer the OP's purpose of setting up a Windows VM, but if someone wanted an open source solution to look at how malware works then this could be worth a try. You can learn more about it here.
http://zerowine.sourceforge.net/

That looks like an awesome project, larryhaja. Thanks for posting the link!

BTW, anyone wanting to try it out please make sure you read their warning:
Quote:

First of all, remember, RUNNING MALWARE IN YOUR COMPUTER IS ALWAYS A BAD IDEA. You must isolate the virtual machine (or the real hardware box) from the real world when possible. Sometimes it's mandatory to allow the malware to connect to the real world, however, you might be attacking other people.

And, what is more important, remember, a malware written to escape the WINE sandbox will escape (even when the WINE's sandbox is configured with only the C: drive) and it might affect your network, your real machines.

unixfool 01-17-2009 05:03 PM

I believe studying malware within a VM isn't a bad idea, just as long as the person knows how to isolate the VM from the physical.

At work we do this in a lab environment, where the lab is totally isolated from the production network. There has to be physical isolation to ensure containment, IMO. Even then, limit the usage of USB drives and such. We had an incident where someone who was trying to develop a Snort sig for a newly released worm infected a production machine by way of a USB pen drive.

I agree with win32sux.

internetSurfer 01-17-2009 09:12 PM

If your hardware supports it why not get an external HD to create your environment for studying Malware in Windows and create your image backup with:

XXCLONE or DriveImage XML

Or you can use this: Windows XP Live USB Edition 2009
Collection of tools for Malware forensic analysis.


jayjwa 01-18-2009 10:24 PM

Quote:

I'd like to use a virtual machine environment to open up Windows to the internet whilst totally unprotected by firewalls or anti-virus and see how it becomes infected
I think isc.sans.org had a quote on this on their site once or in a book they were promoting - it was something like 20 minutes. Who wants to run Windows, raise your hand!
