- This topic has 13 replies, 9 voices, and was last updated 9 years, 7 months ago by
Triban.
-
AuthorPosts
-
-
February 18, 2011 at 9:06 pm #6105
satyr
ParticipantI want to analyse Malware behavior. the best bet would be VM
But I have read about malwares capable enough to break out of the VM environment. Has anyone faced such issues or is it just a theory ?Is it possible for Netbooks (with atom processor at least) to run multiple VM ? i feel that is a safe way to analyze malwares as i can have a cheap netbook just for that purpose.
comments and suggestions highly appreciated
-
February 19, 2011 at 1:48 am #38176
ziggy_567
ParticipantI wouldn’t worry so much about processor as I would memory for running VMs.
Anyway, you can use a netbook, laptop, desktop, etc. to run your VMs. If you’re worried about jumping to the host OS, just make sure wireless is disabled and there’s no physical connection otherwise, and you’re good.
What I’ve heard more than VM escapes with malware is behavior modification based on whether or not the infected machine is running in a virtualized environment.
Good luck!
-
February 20, 2011 at 4:44 am #38177
SephStorm
ParticipantI would advise researching samples before you download, seeing if there are any clues that would indicate the malware is a jumper. in addition, you could keep separate hard drives, one specifically for testing with the malware VM’s, so even if it does jump it cant effect any sensitive data.
-
February 25, 2011 at 8:51 pm #38178
satyr
Participantthanks SephStorm and ziggy_567 .. i will dig up about this and see what is the best way to go
thanks a lot 🙂
-
March 27, 2011 at 6:56 pm #38179
nixfreak
ParticipantYou can run a vm on a atom processor but it has to have at least 2 gigs of ram , you can do it on 1gig but its really laggy and doesn’t respond very well.
Try using Qemu though instead of virtbox or vmware.
-
March 27, 2011 at 9:56 pm #38180
WCNA
ParticipantI’d look into using deepfreeze along with the sandboxie/bsa combo.
-
March 27, 2011 at 10:14 pm #38181
hayabusa
ParticipantYeah… Deepfreeze and sandbox’ing are good ideas. I personally just keep backed up copies of my various VM’s and snapshots, on dvd’s for easy restoration. Regardless, it’s all about time and convenience, as well as ease of baselining.
-
March 27, 2011 at 10:30 pm #38182
WCNA
ParticipantYou could also take a look at the Table of Contents for the book “Malware Analyst’s Cookbook”
http://www.amazon.com/gp/product/0470613033It’s got most of the open source and free tools listed.
-
March 28, 2011 at 7:16 pm #38183
SephStorm
ParticipantWhere did that book come from? 😮
-
March 28, 2011 at 8:18 pm #38184
hayabusa
ParticipantDon’t have that one… New item for wife’s Father’s Day list…
-
June 16, 2011 at 5:09 pm #38185
satyr
ParticipantHas anyone used Cloud services like Amazon for the purpose of malware analysis.
Its a really good option as there is no need to invest in a hardware.
But is it okay to deliberately infect an instance on cloud just like we do it on vm and revert it back ?I do not know much about this, please shed light on this topic
-
June 18, 2011 at 10:12 pm #38186
AndyB67
ParticipantI know a guy called Thomas Roth used the Amazon Cloud to crack wpa-psk network initially in under 20 mins but he refined that down to about 6 mins.
Amazon got the hump with him a little and were quoted at the time as saying
using the cloud service to create a tool to show how security can be increased is okay. But don’t use it to actually crack passwords:
Would probably want to speak with them first before hiring their hardware
-
June 18, 2011 at 10:43 pm #38187
cd1zz
ParticipantI think this is probably against their TOS. I know if you want to use the Amazon Cloud to do a pentest, you have to get authorization before you start. To analyze malware you’ll likely allow it to propagate if it has those capabilities so I would guess they wont let you do it. I would just use a local VM environment. If you’re extra worried about it breaking out of the environment, use a separate box with nothing important on it.
-
July 10, 2011 at 4:33 pm #38188
Triban
ParticipantI am in a similar boat. I will actually be starting a new job and one of the projects will be to setup a malware analysis lab. My plan will be to use a separate ESX host, fully segmented/isolated from the production network. Build the victim systems and snapshot the whole lot.
Thanks for the book recommendation, going check out the kindle sample and most likely purchase it depending on the content. Sometimes technical books don’t translate well to kindle. But you can at least download the DVD contents using an SVN client and grabbing the google code repository.
I also used the following site to gather certain tools for this job: http://zeltser.com/malware-analysis-toolkit/ there are some additional links to certain specifics. For my home lab I will probably be converting my present Desktop to an ESX host once I get my new system. Install a 2nd NIC for management of ESX and utilize the other for the VM network or just setup my laptop to manage it therefore still keeping it fully isolated from the home systems.
-
-
AuthorPosts
- You must be logged in to reply to this topic.