Is it safe to use virtual machines when examining malware?

  • We want to study for the CEH program and have downloaded 12 DVDs that 6 DVDs are software key-loggers, Trojans, etc. that are all detected by antivirus. This prevents us from examining them and learning how they work.

    I have instructed students not to uninstall antivirus as running these malicious files is not safe on its own. It might even spread on the network.

    One of the students suggests to use Windows XP mode. Is this safe? I see these articles 1 and 2 here but the answers are contradictory and confuse us.

    Are virtual machines safe for downloading and installing Trojans, key-loggers, etc.?

    Is there another way to solve this problems, e.g. set up a lab, to show what happens to victims of the malware?

    Are these known forms of malware? I.e. do you know what kind of threat they pose (by using a virus encyclopedia) or may they perform unknown actions? Of course, it is never safe to make too many assumptions on their respective threats, but, for example, if you obtained them from an anti-virus company for scientific purposes their behaviour in virtual machines may be known to the extent where you can decide if it is too much of a risk to run them in a virtual machine.

  • D.W.

    D.W. Correct answer

    9 years ago

    Are virtual machines safe for this? The answer is the same as for a lot of questions of the form "Is X safe?": no, it's not absolutely safe.

    As described elsewhere, bugs in the virtual machine or poor configuration can sometimes enable the malware to escape. So, at least in principle, sophisticated malware might potentially be able to detect that it's running in a VM and (if your VM has a vulnerability or a poor configuration) exploit the vulnerability or misconfiguration to escape from your VM.

    Nonetheless, it's pretty good. Probably most malware that you run across in the field won't have special code to escape from a VM.

    And running the malware in a VM is certainly a lot safer than installing it directly onto your everyday work machine!

    Probably the biggest issue with analyzing malware samples in a VM is that some malware authors are starting to get smart and are writing their malware so that it can detect when it is run in a VM and shut down when running inside a VM. That means that you won't be able to analyze the malicious behavior, because it won't behave malicious when it's run inside a VM.

    What alternatives are there? You could set up a sacrificial machine on a local machine, install the malware on there, then wipe it clean. Such a test network must be set up extremely carefully, to ensure that the malware can't propagate, can't spread to other machines of yours, and can't do any harm to others.


License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM