62

Is it safe to install malware in virtual machines? I would like to investigate malware, but I don't want to infect my own computer.

Can I install the malware in a VMWare VM, maybe even without network access, without risking the integrity of my host system?

Erik
  • 1,065
  • 1
  • 8
  • 10
  • 5
    Related: [How secure are virtual machines really? False sense of security?](http://security.stackexchange.com/questions/3056/how-secure-are-virtual-machines-really-false-sense-of-security) – Gilles 'SO- stop being evil' Mar 09 '12 at 13:14
  • There is also a related question on SuperUser: [Is my host machine completely isolated from a virus-infected virtual machine?](http://superuser.com/q/289054/79358) – Diogo Mar 12 '12 at 17:53

7 Answers7

36

There is no simple answer to this question. VM software is still software and has vulnerabilities that can be targeted and thus, in theory at least, exploited to do more harm.

Running an infected VM with access to your network also opens up potential attack vectors.

Another interesting point to consider is that sufficiently advanced malware could be VM-aware and modify it's behavior when it detects that it's running inside a VM, masking the actual harm-causing capabilites.

code_burgar
  • 691
  • 4
  • 6
  • 6
    For *known* (or at least not-unknown) malware that you can guarantee is not VM-aware, a VM is probably the safest and most flexible way to investigate it. – pdubs Mar 09 '12 at 14:04
  • @pdubs not-unknown...great, add that to the list of known, known unknown, unknown unknown... – Ben Brocka Mar 09 '12 at 15:34
  • True, [virt-what](http://people.redhat.com/~rjones/virt-what/) as an example that it is indeed possible to detect VMs. Specific behavior is just the next logical step. – ordag Mar 09 '12 at 16:31
  • 1
    @BenBrocka I was thinking that a "not-unknown" malware would be something like "new Vundo variant", where it would be reasonable to assume that a VM-aware component has not been added. It's a situation where you know what it does, but not how it does it. – pdubs Mar 09 '12 at 16:44
22

I have not yet seen any in-the-wild malware that was designed to infect a host machine from within a VM. I expect that most malware simply wouldn't care whether it is running on the bare hardware or within a VM since it can achieve its goals equally well in both cases. It's probably safe to assume that malware won't escape a VM simply because it has no incentive to do so.

There are tools designed for containing and analysing malware and lots of information available on how to do this. Also a couple of papers with techniques and tools.

Ladadadada
  • 5,203
  • 1
  • 26
  • 42
  • 14
    There is malware that will change its behavior if it detects it is being run from a VM. Currently, this is not known to be used to escape the VM. Rather, it is used to thwart attempts at analysis by researchers who would use the VMs for that purpose. @code_burgar has addressed this some. – Iszi Mar 09 '12 at 13:47
  • http://www.immunityinc.com/documentation/cloudburst-vista.html – devnul3 Mar 09 '12 at 15:58
  • You don't see any benefit from being able to escape from a VM and infect the host OS? Considering that many people are using VMs to browse unsafe sites on their main machines, and the VMs don't have sensitive information but the hosts do? One step more evil, my friend... – devnul3 Mar 09 '12 at 16:10
  • @devnul3 You seem to have missed the "*in-the-wild*" qualifier at the start of my answer. I know it's *possible* to escape a VM and I can certainly think of reasons malware might want to, but *most* malware is concerned with other things such as sending spam and stealing credit card numbers. I do think we'll see more malware in the future that does care, however. As Iszi said, malware authors care about malware analysers. – Ladadadada Mar 09 '12 at 16:22
  • @Ladadadada My point (which granted I didn't explicitly state...) was that I have seen malware in the wild based on that prototype, rather a lot of it in fact. It's very subtle, but it very definitely exists. Apparently, YMMV... – devnul3 Mar 12 '12 at 07:19
17

Yes, if you strictly bond yourself to some (absolutely sane) security rules:

  1. Use a completely different operating system for the host and for the guest. For example, malwares which will infect your Windows guest are unlikely to infect or even attack your Linux host.

  2. Do not use similar operating systems on your network than the guest. Again, your Windows guest could be infected, but an OpenBSD is highly unlikely to be attacked by any malware.

  3. Use common sense. The goal of the virtualized system should be entirely to be infected. Do not use the infected system, for example, to your online banking operations.

  4. Know your limits. This is extremely important. Whenever it is suspicious that other malware appeared on your system than the specific malware under investigation, immediately finish your experiment, and start over.

The first two points of the list will - certainly - almost guarantee that a security flaw in your virtualization system wouldn't harm your other machines.

vakufo
  • 279
  • 1
  • 4
3

VM and a debugger is the best non-professional option you have.
AV companies usualy use a sandbox to analyze the behavior. If you search you will find applications like this.

vlg789
  • 131
  • 1
2

The only possible way might be exploiting a bug within the VM software because everything the VM does is catching events like I/O and hand it over to the host machine. If your vendor didn't take care about bufferoverflows here and there, you probably could execute hazardous code on the host machine. BUT! I'm actually not 100% sure.

Andre
  • 221
  • 1
  • 5
1

If you are working on linux like ubuntu or debian there is a great sandbox named limon sandbox.The paper can be found here https://www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox-wp.pdf and if you want a good explanation for installation then please follow here http://malware-unplugged.blogspot.in/2015/11/setting-up-limon-sandbox-for-analyzing.html

ashish
  • 127
  • 1
  • 6
1

I just want to add an information to make you more be careful of this issue than other answers (without diminishing their value) outlined.

A researcher said:

Companies and administrators tend to trust that breaking out of a VM is not possible. A lot of people consider this to be just another proof-of-concept. They don't understand that is a commercially available exploit.

The subject is so serious that commercial tools such as this one have already been developed in the past for this purpose.