5

You want to look at some viruses, so you use something like VirtualBox to create a sandbox environment. But what if we change that environment? What if we do:

STEP ONE: Create a bootable flash drive/hard drive with a Linux distro on it, denied the bootable flash drive/hard drive permission to access the main hard drive, and denied the main hard drive access to the bootable flash drive/hard drive. In other words, don't let the main installed hard drive and the bootable to talk and write to each other.

STEP TWO: install VirtualBox and create a sandbox with it in the Linux distro on the bootable flash drive/hard drive and don't connect it to the network at all.

Is this a safe way to run a virus to analyze it? It like a OS in a virtual machine in a OS in a bootable flash drive/hard drive in your computer? Will it work because the bootable device will be cleared when rebooted?

Henry WH Hack v3.0
  • 2,137
  • 2
  • 24
  • 37
  • please do not submit until you are done with the edits .... – schroeder Dec 29 '15 at 23:55
  • 1
    You could do the same thing with a second computer that doesn't have a network card... – schroeder Dec 30 '15 at 00:12
  • Have you thought about malware exploiting vulnerabilities (zero days?) in your environment to bypass file permissions or even escape from the hypervisor? – André Borie Dec 30 '15 at 02:39
  • 1
    Firmware, bios, etc could also be vulnerable in addition to VM escape, etc. You either need a "clean room" or need to accept some level of risk. – Eric G Dec 30 '15 at 05:02
  • 3
    I think you can already collect good answers to such questions in [Is it safe to install malware in a VM](http://security.stackexchange.com/q/12546/32746) which deals with the VM aspect, and [What are the pros and cons of using live CDs vs VMs for malware analysis?](http://security.stackexchange.com/q/51755/32746) where AJ Henderson states that "*the most truly paranoid individual could use a VM running off a live CD*". – WhiteWinterWolf Dec 30 '15 at 10:25

1 Answers1

5

These are good ideas but ensuring the system in Step One is not writeable may be a challenge.

Other things you may want to consider is the potential risk of a BIOS infection to the hypervisor host on the off-chance you are dealing with something advanced.

Similarly all connected devices may be vectors for infection think about BAD USB infecting all shared USB devices. I would have a concern about this in your setup more than anything.

https://srlabs.de/badusb/

An alternative might be to dedicate a computer to this task and leverage bootable CD/DVD's for your base OS and have no hard-drive at all. Then use a second dedicated CD/DVD drive to import data to be analyzed via CD/DVD-rw disks. Optionally you may need to treat these as dirty unless you can forensically wipe them.

Again, I think you have a good idea but I would seriously consider the long-term risks of a BIOS infection as well as potential data bus infections to things like USB devices, Firewire, Thunderbolt, etc...

Obviously you want no network connection here either and if possible no wireless connections including things like bluetooth. You want to think of this more as a forensically-sound workstation if possible.

Finally you may also want to have a fake virtual network connection so the machine doesn't appear to look like a forensic workstation to the malware.

Note: I think you can do all this very inexpensively so you may be able to try a few different methods until you find what works best for you but that said I do think you have a good idea for basic stuff I would just take into consideration the issues I mentioned above.

Trey Blalock
  • 14,109
  • 6
  • 43
  • 49