Studying Viruses within a Virtual Machine - a safe way?
Hi guys,
I need some suggestions as to how to set this up... I'd like to use a virtual machine environment to open up Windows to the internet whilst totally unprotected by firewalls or anti-virus and see how it becomes infected and how quickly it becomes unusable (even more unusable than it normally is, I mean). I'd also get a perverse enjoyment out of seeing it getting trashed, to be honest. Anyway, once it's riddled with infections I need to be able to then roll it back to its initial, clean state and start over again. And all during this process, the Linux host environment must remain impervious to infection and maintain its integrity and ensure nothing escapes into any adjacent partitions. So how might I best implement such a scheme in practice? Thanks! CC.
How about using VirtualBox and isolating it with AppArmor? Just a thought (I've never done it). BTW, using a VM would work just fine for what you described, but if you're planning to do serious malware analysis, then a VM might not be a good idea, as some malware will act differently within a virtual machine (on purpose).
I would not even bother with AppArmor; just DMZ the virtual machine, clone it onto a DVD, keep ClamAV or some such proggie handy and go to town. It sounds like you're doing this for fun, so I doubt you have much to worry about as far as it being a mail server or anything mission critical. Otherwise your boss is gonna love you! LOL
Regards, JKZfixme
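One way to do the roll-back step, using VirtualBox snapshots rather than re-cloning the guest from a DVD. This is an added example, not something posted in the thread; the VM name "win-bait", the snapshot name "clean" and the DRY_RUN switch are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Rolls a VirtualBox guest back to a
# known-clean snapshot before every exposure run, which replaces re-cloning it
# from a DVD. Assumptions (hypothetical names): the guest is registered as
# "win-bait" under the unprivileged account that runs VirtualBox, VBoxManage is
# on PATH, and the clean snapshot is named "clean". DRY_RUN=1 prints the
# VBoxManage commands instead of executing them.
VM_NAME="${VM_NAME:-win-bait}"
SNAP="${SNAP:-clean}"
RUN_SECONDS="${RUN_SECONDS:-1800}"

# Run a VBoxManage command, or echo it under DRY_RUN.
vbm() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "VBoxManage $*"
    else
        VBoxManage "$@"
    fi
}

# Taken once, while the guest is powered off and has never been online.
take_clean_snapshot() {
    vbm snapshot "$VM_NAME" take "$SNAP" --description "pristine install, never exposed"
}

# Check the clean snapshot exists (DRY_RUN assumes it does so the cycle can be reviewed).
# 'snapshot list --machinereadable' prints one SnapshotName="..." line per snapshot.
have_clean_snapshot() {
    [ "${DRY_RUN:-0}" = "1" ] && return 0
    VBoxManage snapshot "$VM_NAME" list --machinereadable 2>/dev/null \
        | grep -q "^SnapshotName[^=]*=\"$SNAP\"\$"
}

# One experiment: hard-stop the (by now infected) guest, discard its state by
# restoring the clean snapshot, boot it headless, leave it exposed for
# RUN_SECONDS, then stop it again. Everything the malware wrote to the virtual
# disk is gone after the restore.
run_cycle() {
    have_clean_snapshot || {
        echo "run_cycle: snapshot '$SNAP' not found on $VM_NAME; take it first" >&2
        return 1
    }
    vbm controlvm "$VM_NAME" poweroff 2>/dev/null || true   # harmless if already off
    vbm snapshot "$VM_NAME" restore "$SNAP"
    vbm startvm "$VM_NAME" --type headless
    [ "${DRY_RUN:-0}" = "1" ] || sleep "$RUN_SECONDS"
    vbm controlvm "$VM_NAME" poweroff
}
```

Take the snapshot before the guest ever touches the network, then call run_cycle as often as you like; a poweroff followed by a snapshot restore, rather than an ACPI shutdown, is deliberate, since an infected guest cannot be trusted to shut down cleanly and nothing it did should be persisted.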
I see you want to make your Linux machine impervious to attack-- how about taking measures to help protect other people on the net who will probably be attacked by your experiment? In addition to your honeypot VM, you should probably use the Roo honeywall as a VM. The honeywall will not only help prevent your honeypot from attacking other computers by using Snort as an IPS, and slowing down port scans, but it can also be used to collect evidence. Here is a tutorial on how to create a virtual honeynet using VMware.
You may want to start off by using a low interaction honeypot like Nepenthes, and then run the malware on the VM manually, while the VM is contained.
Anyway, I'm still very short on specifics here on how to implement my dream of torturing Windows to death over and over again with impunity. For example: What would make the best Distro for such a secure host environment? How large should the overall host partition be? How does one protect the Host from infection/compromise? How does one "roll back" the test OS to its original state? Once upon a time it was easy to find the answers to such questions with a Google search. No longer, sadly, owing to the sheer volume of traffic. And there are many better search engines than Google, today, too. Yet they all seem to throw up way too many spurious results. I just need a few bones thrown my way, guys. Please give me some clue as to a feasible initial system set-up. I'm gonna run this on an AMD Athlon 64 dual core with a 2.3 GHz processor and 3GB of physical RAM. HDD capacity is in the terabyte range. And no, I'm not at work; just a hobbyist at home. Thanks again, CC.
OH, and to Win32sux, I imagine the "dmz" remark refers to the term "de-militarized zone" - a kind of buffer separation lane providing protection from attack from either (or any) side.
If you run VirtualBox as a non-root user (which isn't your personal account), any attacker who manages to break out of the VM will still be limited by the regular protection offered by permissions. If the attacker isn't able to escalate his privileges, damage to your system will be contained within the non-root user's account. But by using mandatory access control, you can add an additional layer of security which will protect you even if the attacker has a way to escalate privileges.
Code:
iptables -I OUTPUT -m state --state NEW -m owner --uid-owner virtualbox -j REJECT
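A fuller version of that owner-match idea, as an added example that is not part of the post above: a dedicated OUTPUT sub-chain for the VM user that only lets its packets reach a honeywall/DMZ subnet, logs everything else before rejecting it, plus a check that the jump really sits ahead of any blanket ACCEPT in OUTPUT. The user name "vbox", the subnet 10.99.0.0/24 and the chain name VM_EGRESS are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Host-side egress containment for a
# VirtualBox guest that runs under a dedicated unprivileged account.
# Assumptions (hypothetical): the guest's VirtualBox process runs as user
# "vbox", the only destination it may reach is a honeywall/DMZ subnet
# 10.99.0.0/24 on a host-only interface, and everything else is logged and
# rejected. Rules are emitted as text so they can be reviewed before being fed
# to sh as root.
VM_USER="${VM_USER:-vbox}"
DMZ_NET="${DMZ_NET:-10.99.0.0/24}"

# Print the iptables commands that build a dedicated chain for the VM user's
# packets and hook it at the top of OUTPUT. Re-running is safe: the chain is
# flushed and the old jump removed before the new one is inserted.
egress_rules() {
    cat <<EOF
iptables -N VM_EGRESS 2>/dev/null || true
iptables -F VM_EGRESS
iptables -A VM_EGRESS -d ${DMZ_NET} -j ACCEPT
iptables -A VM_EGRESS -m limit --limit 6/min -j LOG --log-prefix "vm-egress-blocked: "
iptables -A VM_EGRESS -j REJECT
iptables -D OUTPUT -m owner --uid-owner ${VM_USER} -j VM_EGRESS 2>/dev/null || true
iptables -I OUTPUT 1 -m owner --uid-owner ${VM_USER} -j VM_EGRESS
EOF
}

# Apply the rules (root only). DRY_RUN=1 prints them instead.
apply_egress_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        egress_rules
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_egress_rules: must run as root" >&2
        return 1
    fi
    egress_rules | sh -e
}

# Audit an 'iptables -S OUTPUT' listing on stdin: the owner-match jump for the
# given UID must be present and must come before a blanket '-A OUTPUT -j ACCEPT'
# that would otherwise let the VM's packets through first (only that blanket
# form is detected). iptables -S prints numeric UIDs, so pass the number
# (id -u vbox), not the name. Exit 0 = contained, 1 = missing or shadowed.
audit_output_chain() {
    awk -v uid="$1" '
        /^-A OUTPUT / {
            if (index($0, "--uid-owner " uid " -j VM_EGRESS")) { found = 1; exit }
            if ($0 == "-A OUTPUT -j ACCEPT") { shadowed = 1; exit }
        }
        END { exit (found && !shadowed) ? 0 : 1 }'
}
```

Two caveats worth knowing. The owner match only sees packets the VirtualBox process itself generates on the host, which is what NAT and host-only networking do; a bridged adapter injects frames below the OUTPUT chain, so these rules would not apply to it. And this is one layer: it limits where the VM user's traffic can go, while an AppArmor profile on the VirtualBox binary limits what that user can touch on the host.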
There is a new project on sourceforge that uses a QEMU VM with Debian as the OS with WINE installed. The purpose of the project is to identify system calls in malware through the WINEDEBUG variable. I've never tried it myself and it is a relatively new project but sounds like an interesting idea. I know this doesn't answer the OP purpose of setting up a Windows VM, but if someone wanted an open source solution to look at how malware works then this could be worth a try. You can learn more about it here.
http://zerowine.sourceforge.net/
BTW, anyone wanting to try it out, please make sure you read their warning.
I believe studying malware within a VM isn't a bad idea, just as long as the person knows how to isolate the VM from the physical.
At work we do this in a lab environment, where the lab is totally isolated from the production network. There has to be a physical isolation to ensure containment, IMO. Even then, limit the usage of USB drives and such. We had an incident where someone that was trying to develop a Snort sig for a newly released worm infected a production machine by way of a USB pen drive. I agree with win32sux.
If your hardware supports it why not get an external HD to create your environment for studying Malware in Windows and create your image backup with:
XXCLONE or DriveImage XML. Or you can use this: Windows XP Live USB Edition 2009, a collection of tools for malware forensic analysis.