
Virtual machine for malware analyzing


Kristal


There are a lot of virtual machines from different vendors (VirtualBox, Hyper-V, VMware Workstation, etc.). Since 2017 most malware has virtual machine checking; if the malware detects that it is run on a virtual machine, it doesn't do any malicious actions. Which virtual machine is the most difficult for malware to detect as a virtual machine?



Any hypervisor can be detected by malware. You'd need to run a customized system to minimize the chance of VM detection.


3 hours ago, Kristal said:

What is it?

A separate stand-alone PC just used to test malware. This PC should be totally isolated from your existing home network but should have Internet connectivity.

After setting up the device, your first step is to create a backup image of your existing Win system. If malware does infect this test system, you can restore the system using the backup image. Standard procedure would be to restore from the backup image after completing a malware test session. Also, as Windows and Eset updates occur, a new backup image needs to be created.

Of note here is you would have to purchase an additional Win 10 license for the test machine.


16 hours ago, itman said:

A separate stand-alone PC just used to test malware. This PC should be totally isolated from your existing home network but should have Internet connectivity.

After setting up the device, your first step is to create a backup image of your existing Win system. If malware does infect this test system, you can restore the system using the backup image. Standard procedure would be to restore from the backup image after completing a malware test session. Also, as Windows and Eset updates occur, a new backup image needs to be created.

Of note here is you would have to purchase an additional Win 10 license for the test machine.

Can malware which I run on a virtual machine infect my own system?


4 hours ago, Kristal said:

How to avoid that?

The answer is obvious. Don't use a VM to test malware.

If you do use a VM, ensure you have a current Win image backup taken before any malware testing is first initiated. You can then restore your Win installation from the image backup.

BTW - as far as Win image backup, you want to use imaging software that can back up the entire drive where Windows is installed. This will protect you against MBR/UEFI malware plus advanced malware that can hide in unallocated drive areas.



The problem is any system is vulnerable.

As itman had suggested, the best way is to use an actual computer. A separate physical computer is better, the more airtight the better, although there are risks if the 2 are on the same network.


On 7/25/2022 at 9:00 PM, itman said:

A separate stand-alone PC just used to test malware. This PC should be totally isolated from your existing home network but should have Internet connectivity.

After setting up the device, your first step is to create a backup image of your existing Win system. If malware does infect this test system, you can restore the system using the backup image. Standard procedure would be to restore from the backup image after completing a malware test session. Also, as Windows and Eset updates occur, a new backup image needs to be created.

Of note here is you would have to purchase an additional Win 10 license for the test machine.

This is a scenario in which malware escapes a container like a wild animal. I would recommend isolating the device you are working on from the network and other systems until you have rolled back the image to a known good state. You still have a small chance of it being present somewhere, but it is far less likely than a vm escape. I typed all of that, but it's really a risk management scenario. Do whatever makes you feel at ease. You'll never be able to anticipate every possibility.


On 7/26/2022 at 6:09 PM, itman said:

The answer is obvious. Don't use a VM to test malware.

If you do use a VM, ensure you have a current Win image backup taken before any malware testing is first initiated. You can then restore your Win installation from the image backup.

BTW - as far as Win image backup, you want to use imaging software that can back up the entire drive where Windows is installed. This will protect you against MBR/UEFI malware plus advanced malware that can hide in unallocated drive areas.

On 7/26/2022 at 7:52 PM, peteyt said:

The problem is any system is vulnerable.

As itman had suggested, the best way is to use an actual computer. A separate physical computer is better, the more airtight the better, although there are risks if the 2 are on the same network.

I don't have an additional physical PC, so I should use VMs and sandboxes for testing malware. What is better, VM or sandbox? I mean for the security of my system and minimizing the chance of the malware understanding that it's a VM/sandbox.


You don't need a fancy PC if all you want to do is test malware. You can pick up some cheap old computer off of places like eBay.

The problem with virtual machines and sandboxing is that some malware can be aware that it is running within them. So it won't expose its real intentions if it thinks it is within one of those environments. Whereas having a cheap disposable PC you can see the full effect of what the malware is doing with no risk. Then you can just wipe the system when you are done with testing.


11 hours ago, TheStill said:

You don't need a fancy PC if all you want to do is test malware. You can pick up some cheap old computer off of places like eBay.

The problem with virtual machines and sandboxing is that some malware can be aware that it is running within them. So it won't expose its real intentions if it thinks it is within one of those environments. Whereas having a cheap disposable PC you can see the full effect of what the malware is doing with no risk. Then you can just wipe the system when you are done with testing.

I don't have money for buying a PC (even if it's cheap), and I don't test malware too often. So I should use sandboxes and VMs.


Use one of the publicly available cloud malware scanning sandboxes. Below are links to three:

https://www.hybrid-analysis.com/

https://www.joesandbox.com/#windows

https://any.run/ *

* Requires registration with a business e-mail address.


9 hours ago, itman said:

Use one of the publicly available cloud malware scanning sandboxes.

I know all these sandboxes. But they are useless for me, because I need to test the reaction of different anti-malware software to different malware.

9 hours ago, itman said:

It requires registration with moderation, and a business email doesn't guarantee successful moderation results.
