LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-16-2009, 09:34 AM   #1
Completely Clueless
Member
 
Registered: Mar 2008
Location: Marbella, Spain
Distribution: Many and various...
Posts: 810

Rep: Reputation: 68
Studying Viruses within a Virtual Machine - a safe way?


Hi guys,

I need some suggestions as to how to set this up...

I'd like to use a virtual machine environment to open up Windows to the internet whilst totally unprotected by firewalls or anti-virus and see how it becomes infected and how quickly it becomes unusable (even more unusable than it normally is, I mean). I'd also get a perverse enjoyment out of seeing it getting trashed, to be honest. Anyway, once it's riddled with infections I need to be able to then roll it back to its initial, clean state and start over again. And all during this process, the Linux host environment must remain impervious to infection and maintain its integrity and ensure nothing escapes into any adjacent partitions.

So how might I best implement such a scheme in practice?

Thanks!

CC.
 
Old 01-16-2009, 10:52 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
How about using VirtualBox and isolating it with AppArmor? Just a thought (I've never done it). BTW, using a VM would work just fine for what you described, but if you're planning to do serious malware analysis, then a VM might not be a good idea, as some malware will act differently within a virtual machine (on purpose).

Last edited by win32sux; 01-16-2009 at 10:53 AM.
 
Old 01-16-2009, 11:07 AM   #3
jkzfixme
Member
 
Registered: Sep 2006
Location: Orange County, NY
Distribution: Ubuntu, Solaris, Android
Posts: 329
Blog Entries: 21

Rep: Reputation: 52
I would not even bother with AppArmor; just DMZ the virtual machine, and clone onto a DVD, keep ClamAV or some such proggie handy and go to town. Sounds like you're doing this for fun, so I doubt you have much to worry about as far as it being a mail server or anything mission critical. Otherwise your boss is gonna love you! LOL

Regards
JKZfixme
 
Old 01-16-2009, 12:57 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by jkzfixme
I would not even bother with AppArmor; just DMZ the virtual machine, and clone onto a DVD, keep ClamAV or some such proggie handy and go to town. Sounds like you're doing this for fun, so I doubt you have much to worry about as far as it being a mail server or anything mission critical. Otherwise your boss is gonna love you! LOL
Good point about the DVD, it's imperative that a proper backup of the host is taken prior to this (I'm assuming that's what you meant). That said, I'm not exactly sure how ClamAV is gonna help with anything when the guest gets owned. BTW, could you elaborate a bit as to what you mean by "DMZ the virtual machine"?
 
Old 01-16-2009, 04:27 PM   #5
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
I see you want to make your Linux machine impervious to attack-- how about taking measures to help protect other people on the net who will probably be attacked by your experiment? In addition to your honeypot VM, you should probably use the Roo honeywall as a VM. The honeywall will not only help prevent your honeypot from attacking other computers by using Snort as an IPS, and slowing down port scans, but it can also be used to collect evidence. Here is a tutorial on how to create a virtual honeynet using VMware.

You may want to start off by using a low interaction honeypot like Nepenthes, and then run the malware on the VM manually, while the VM is contained.
 
Old 01-17-2009, 03:29 PM   #6
Completely Clueless
Member
 
Registered: Mar 2008
Location: Marbella, Spain
Distribution: Many and various...
Posts: 810

Original Poster
Rep: Reputation: 68
Quote:
Originally Posted by OlRoy
I see you want to make your Linux machine impervious to attack-- how about taking measures to help protect other people on the net who will probably be attacked by your experiment?
Fair point and one I intend to address, naturally. It's a pity there isn't such a thing as a "dummy load" in computing where you can dump all your unwanted output safely. I guess the nearest thing is /dev/null.

Anyway, I'm still very short on specifics here on how to implement my dream of torturing Windows to death over and over again with impunity.
For example:

What would make the best Distro for such a secure host environment?
How large should the overall host partition be?
How does one protect the Host from infection/compromise?
How does one "roll back" the test OS to its original state?

Once upon a time it was easy to find the answers to such questions with a Google search. No longer, sadly, owing to the sheer volume of traffic. And there are many better search engines than Google, today, too. Yet they all seem to throw up way too many spurious results. I just need a few bones thrown my way, guys. Please give me some clue as to a feasible initial system set-up. I'm gonna run this on an AMD Athlon 64 dual core with a 2.3GHz processor and 3GB of physical RAM. HDD capacity is in the Terabyte range. And no, I'm not at work; just a hobbyist at home.

Thanks again,

CC.
 
Old 01-17-2009, 03:34 PM   #7
Completely Clueless
Member
 
Registered: Mar 2008
Location: Marbella, Spain
Distribution: Many and various...
Posts: 810

Original Poster
Rep: Reputation: 68
OH, and to Win32sux, I imagine the "dmz" remark refers to the term "de-militarized zone" - a kind of buffer separation lane providing protection from attack from either (or any) side.
 
Old 01-17-2009, 03:51 PM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Completely Clueless
What would make the best Distro for such a secure host environment?
I would say whichever distro you are most comfortable with.

Quote:
How large should the overall host partition be?
You don't need to use a dedicated partition for this. Of course, you could if you want to. Look at the minimum requirements on the Windows box/manual and use that as a base.

Quote:
How does one protect the Host from infection/compromise?
One way would be to use mandatory access control to further isolate the virtual machine, as suggested in post #2. There are apparently also specialized virtual machines available, with one having been recommended in post #5.

If you run VirtualBox as a non-root user (which isn't your personal account), any attacker who manages to break out of the VM will still be limited by the regular protection offered by permissions. If the attacker isn't able to escalate his privileges, damage to your system will be contained within the non-root user's account. But by using mandatory access control, you can add an additional layer of security which will protect you even if the attacker has a way to escalate privileges.

Quote:
How does one "roll back" the test OS to its original state?
VirtualBox has a feature called "Snapshots" which lets you do precisely this. In fact, you can pretty much take a snapshot of the system at any point you wish. For example, you could take a snapshot right after a fresh installation (so you can always return to a pristine state), and snapshots during specific infections, etc. Doing this is as simple as pressing a button in the VirtualBox software. I imagine it's just as easy with other VMs.

Quote:
OH, and to Win32sux, I imagine the "dmz" remark refers to the term "de-militarized zone" - a kind of buffer separation lane providing protection from attack from either (or any) side.
I know what a DMZ is. But other readers might not, or at least they might not understand what context jkzfixme was suggesting it in. Did he mean DMZ the VM with a host-based firewall? Did he mean create an actual, physical DMZ and put the VM's host on that network? I don't have a clue. This is one reason why it's a good idea to elaborate a bit whenever making these kinds of suggestions. For example, he could have stated that you could use iptables to make a rule which wouldn't allow the user which your VM is running as to establish any outbound connections on the host. This might be done with a command like:
Code:
iptables -I OUTPUT -m state --state NEW -m owner --uid-owner virtualbox -j REJECT

Last edited by win32sux; 01-17-2009 at 05:22 PM.
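Putting post #8's two suggestions into one script, as an added example that is not code from the thread: the iptables owner-match rule (with a LOG rule in front of it so refused attempts show up in the host's kernel log) and the snapshot/rollback steps via VBoxManage. The account name vmlab, the VM name winlab and the use of VirtualBox NAT networking are assumptions, not details from the posts.

```shell
#!/bin/sh
# Added example, not code from the thread: contain a VirtualBox malware lab on the Linux host.
# Assumptions (mine): the VM runs under a dedicated account (default "vmlab"), is named
# "winlab", and uses VirtualBox NAT networking. With NAT the guest's packets are generated
# by the VirtualBox process itself, so the iptables owner match from post #8 applies; with
# bridged networking they bypass the OUTPUT chain and these rules would not catch them.
LAB_USER="${LAB_USER:-vmlab}"
LAB_VM="${LAB_VM:-winlab}"

# Print (do not apply) the host firewall rules for the lab account so they can be reviewed:
#   lab_rules "$LAB_USER" | sudo sh
# Returns 1 for a user name containing characters that could break the generated command line.
lab_rules() {
    user="$1"
    case "$user" in
        ''|*[!A-Za-z0-9_.-]*) echo "lab_rules: bad user name '$user'" >&2; return 1 ;;
    esac
    # Rule 1: log every attempted new outbound connection, so an escape attempt leaves
    # a trace in the kernel log before it is refused.
    echo "iptables -I OUTPUT 1 -m state --state NEW -m owner --uid-owner $user -j LOG --log-prefix \"LAB-EGRESS \""
    # Rule 2: the rule from post #8, placed right after the LOG rule.
    echo "iptables -I OUTPUT 2 -m state --state NEW -m owner --uid-owner $user -j REJECT"
}

# Take the "pristine" snapshot described in post #8, running VBoxManage as the lab account.
snapshot_clean() {
    sudo -u "$LAB_USER" VBoxManage snapshot "$LAB_VM" take "${1:-clean}"
}

# Roll the infected guest back: power it off (ignored if already off), then restore the snapshot.
rollback() {
    sudo -u "$LAB_USER" VBoxManage controlvm "$LAB_VM" poweroff 2>/dev/null || true
    sudo -u "$LAB_USER" VBoxManage snapshot "$LAB_VM" restore "${1:-clean}"
}
```

Source the file, run `lab_rules vmlab | sudo sh` once, then alternate `snapshot_clean` before each run and `rollback` after it; `dmesg | grep LAB-EGRESS` shows anything the guest tried to reach.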
 
Old 01-17-2009, 04:57 PM   #9
larryhaja
Member
 
Registered: Jul 2008
Distribution: Slackware 13.1
Posts: 293

Rep: Reputation: 76
There is a new project on sourceforge that uses a QEMU VM with Debian as the OS with WINE installed. The purpose of the project is to identify system calls in malware through the WINEDEBUG variable. I've never tried it myself and it is a relatively new project but sounds like an interesting idea. I know this doesn't answer the OP's purpose of setting up a Windows VM, but if someone wanted an open source solution to look at how malware works then this could be worth a try. You can learn more about it here.
http://zerowine.sourceforge.net/
 
Old 01-17-2009, 05:08 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by larryhaja
There is a new project on sourceforge that uses a QEMU VM with Debian as the OS with WINE installed. The purpose of the project is to identify system calls in malware through the WINEDEBUG variable. I've never tried it myself and it is a relatively new project but sounds like an interesting idea. I know this doesn't answer the OP's purpose of setting up a Windows VM, but if someone wanted an open source solution to look at how malware works then this could be worth a try. You can learn more about it here.
http://zerowine.sourceforge.net/
That looks like an awesome project, larryhaja. Thanks for posting the link!

BTW, anyone wanting to try it out please make sure you read their warning:
Quote:
First of all, remember, RUNNING MALWARE IN YOUR COMPUTER IS ALWAYS A BAD IDEA. You must isolate the virtual machine (or the real hardware box) from the real world when possible. Sometimes it's mandatory to allow the malware to connect to the real world, however, you might be attacking other people.

And, what is more important, remember, a malware written to escape the WINE sandbox will escape (even when the WINE's sandbox is configured with only the C: drive) and it might affect your network, your real machines.

Last edited by win32sux; 01-17-2009 at 05:10 PM.
 
Old 01-17-2009, 06:03 PM   #11
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
I believe studying malware within a VM isn't a bad idea, just as long as the person knows how to isolate the VM from the physical.

At work we do this in a lab environment, where the lab is totally isolated from the production network. There has to be a physical isolation to ensure containment, IMO. Even then, limit the usage of USB drives and such. We had an incident where someone that was trying to develop a Snort sig for a newly released worm infected a production machine by way of USB pen drive.

I agree with win32sux.
 
Old 01-17-2009, 10:12 PM   #12
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
If your hardware supports it why not get an external HD to create your environment for studying Malware in Windows and create your image backup with:

XXCLONE or DriveImage XML

Or you can use this: Windows XP Live USB Edition 2009
Collection of tools for Malware forensic analysis.


Last edited by internetSurfer; 01-19-2009 at 02:43 PM. Reason: *
 
Old 01-18-2009, 11:24 PM   #13
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
Quote:
I'd like to use a virtual machine environment to open up Windows to the internet whilst totally unprotected by firewalls or anti-virus and see how it becomes infected
I think isc.sans.org had a quote on this on their site once or in a book they were promoting - it was something like 20 minutes. Who wants to run Windows, raise your hand!
Tags
environments, malware, secure, vmware


All times are GMT -5.
