I would like to know whether there is any way I can run an absolutely unknown executable file without being hacked even if the file contains a lot of malicious code. Is there any program in which I can run it without putting myself in any risk?
Run it in a virtual machine that you throw away afterwards – paj28 Sep 08 '16 at 14:19
does this guarantee 100 percent protection? what if the VM contains vulnerabilities using which you can smash the parent OS – Tomas Sep 08 '16 at 14:21
Instead of trying to run it, maybe check it out first.. virustotal.com – HashHazard Sep 08 '16 at 14:22
or malwr.com / herdprotect.com – HashHazard Sep 08 '16 at 14:24
@Tomas - not much guarantees 100% protection. You could run it on an air gapped physical machine. That is safer - but more effort. For most people a disposable VM is a good balance. – paj28 Sep 08 '16 at 14:24
Wine is also good for such tasks. It won't break your Linux box and it's easy to see what changes it did. – Aria Sep 08 '16 at 16:12
@Xander that's absolutely something else – Tomas Sep 08 '16 at 16:32
my machine is not infected – Tomas Sep 08 '16 at 16:34
I'll just add here that some malware can detect if it's running in a VM rather than a real machine and will not do anything malicious if in a virtual environment for this exact reason. Running in a VM is only good if your VM is built specifically for emulating a real machine to a tee. – sethmlarson Sep 08 '16 at 16:39
@Tomas actually read the question that is a dupe. It is exactly what you are asking for. – schroeder Sep 08 '16 at 20:44
virustotal.com is a wonderful tool to analyze viruses. It records virus behavior (files opened, etc.) and all. – noɥʇʎԀʎzɐɹƆ Sep 08 '16 at 20:44
Try sandbox (http://www.sandboxie.com/). It's free. I have not tested it thoroughly, but it worked for me when I executed malware under it. – Anurag Sep 09 '16 at 05:47
Run it at a public computer in the library. – Dog eat cat world Sep 09 '16 at 22:36
5 Answers
If you really want the closest thing to a 100% safe way of running malware:
Create an account with Amazon Web Services, fire up a server but don't connect it to anything (read: put it in its own VPC) and do your analysis there. Burn after analyzing.
Side note: there are some pre-created AMIs in the "EC2 Marketplace" that have malware analysis tools loaded on them already if you feel like getting frisky.
It's not 100% safe either, you're just shifting responsibility onto Amazon. – André Borie Sep 09 '16 at 22:39
does this guarantee 100 percent protection?
No. Never. Never ever ever ever ever. Period.
100% guarantees simply do not exist in the real world. If you wanted an example of what might get close to 100%:
- Buy a brand new machine. Put it on isolated power. Put the executable on it
- Disconnect it from the network.
- Run the program
- Don't look at the results (you might be tempted to act on them, breaking the 100% guarantee. For all you know the results may hypnotize you into murdering your dog)
- Power the computer down.
- Put the computer in a wood chipper
- Gather the remains, and pour them into a steel foundry, à la Terminator 2
Now there are things you can do to mitigate the risk. Things like running it in a VM (such as the Amazon Web Services approach Hollowproc recommends) are powerful tools for strongly mitigating the risk. Wiping the hard drive after use is helpful too. However, there is no 100% guarantee.
For an example of this, consider Stuxnet. Stuxnet is infamous for attacking a nuclear enrichment facility across an airgap! It wasn't easy, but it did happen.
A better solution would be to not open a file if you can't say anything about how safe it is.
Another thing to consider is whether this program will attempt to replicate, leak data, or do other damage over the network. To prevent that from occurring, I would recommend using a Virtual Machine. Take care to remove host access (sometimes called host/guest file sharing) and remove any virtual networking interfaces before running the program in the VM. Good VM hypervisors should give reasonable protection to the data and hardware on the VM host, but if you're really worried about that, consider running it in a VM on a dedicated, non-networked VM host.
Also check out Sandboxie, it's basically intended for running untrusted programs in isolation. This does not prevent the program from making network connections though.
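The answer above lists the host/guest channels to close before detonating a sample (network interfaces, shared folders, and implicitly the clipboard and device passthrough). The following is an added example, not code from the original answer or from VirtualBox, of a preflight check that parses the `key="value"` lines printed by `VBoxManage showvminfo <vm> --machinereadable` and refuses to proceed while any of those channels is still open. The sample output is constructed for this example; the key names (`nic1`, `clipboard`, `draganddrop`, `usb`, `audio`, `SharedFolderNameMachineMapping1`) and the `modifyvm` flag names are the ones VirtualBox 6.x uses, which is an assumption you should confirm against your own version's output.

```python
"""Preflight isolation check for a VirtualBox analysis guest (added example)."""
import re
import shlex
import subprocess

# Constructed sample of `VBoxManage showvminfo --machinereadable` output:
# a NAT NIC, a shared folder and a bidirectional clipboard, i.e. three
# leaks back to the host that the answer says to remove first.
SAMPLE_SHOWVMINFO = '''\
name="analysis-vm"
VMState="poweroff"
nic1="nat"
nic2="none"
clipboard="bidirectional"
draganddrop="disabled"
usb="off"
audio="none"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/analyst/samples"
'''

# Lines look like key="value" or key=value; take the whole value verbatim.
KV_RE = re.compile(r'^([^=]+)=(?:"(.*)"|(.*))$')


def parse_showvminfo(text: str) -> dict:
    """Turn showvminfo lines into a dict (last occurrence of a key wins)."""
    info = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return info


def isolation_findings(info: dict) -> list:
    """Return human-readable problems; an empty list means the guest is cut off."""
    findings = []
    for key, val in sorted(info.items()):
        # Any NIC mode other than "none" gives the guest a path to host or network.
        if re.fullmatch(r'nic\d+', key) and val != 'none':
            findings.append(f'{key} is "{val}" (expected "none")')
        # A shared folder is a write path straight onto the host filesystem.
        elif key.startswith('SharedFolderNameMachineMapping'):
            findings.append(f'shared folder "{val}" is mapped')
    # Clipboard and drag-and-drop are host/guest channels as well.
    for key in ('clipboard', 'draganddrop'):
        if info.get(key, 'disabled') != 'disabled':
            findings.append(f'{key} is "{info[key]}" (expected "disabled")')
    # Any enabled USB controller exposes host devices to the guest.
    for key in ('usb', 'ehci', 'xhci'):
        if info.get(key, 'off') != 'off':
            findings.append(f'{key} controller is on (expected "off")')
    # Audio is a small surface but has no business in an analysis VM.
    if info.get('audio', 'none') != 'none':
        findings.append(f'audio is "{info["audio"]}" (expected "none")')
    return findings


def remediation_commands(vm_name: str, info: dict) -> list:
    """VBoxManage commands that would close each finding (6.x flag names assumed)."""
    q = shlex.quote(vm_name)
    cmds = []
    for key, val in sorted(info.items()):
        if re.fullmatch(r'nic\d+', key) and val != 'none':
            cmds.append(f'VBoxManage modifyvm {q} --{key} none')
        elif key.startswith('SharedFolderNameMachineMapping'):
            cmds.append(f'VBoxManage sharedfolder remove {q} --name {shlex.quote(val)}')
    if info.get('clipboard', 'disabled') != 'disabled':
        cmds.append(f'VBoxManage modifyvm {q} --clipboard-mode disabled')
    if info.get('draganddrop', 'disabled') != 'disabled':
        cmds.append(f'VBoxManage modifyvm {q} --draganddrop disabled')
    if info.get('usb', 'off') != 'off':
        cmds.append(f'VBoxManage modifyvm {q} --usb off')
    if info.get('audio', 'none') != 'none':
        cmds.append(f'VBoxManage modifyvm {q} --audio none')
    return cmds


def check_live_vm(vm_name: str) -> list:
    """Query a real VM; assumes VBoxManage is on PATH (not run in this example)."""
    out = subprocess.run(['VBoxManage', 'showvminfo', vm_name, '--machinereadable'],
                         check=True, capture_output=True, text=True).stdout
    return isolation_findings(parse_showvminfo(out))


if __name__ == '__main__':
    vm = parse_showvminfo(SAMPLE_SHOWVMINFO)
    for finding in isolation_findings(vm):
        print('FAIL:', finding)
    for cmd in remediation_commands(vm['name'], vm):
        print('fix :', cmd)
```

Run `check_live_vm("analysis-vm")` against a real guest and only snapshot-and-detonate when it returns an empty list; the sample above fails on the NAT NIC, the shared folder and the clipboard, and the printed `modifyvm` / `sharedfolder remove` lines are the fix.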
Barring NSA-level attacks that alter hard drive firmware and the like, there is a relatively simple and cheap solution.
- Buy an extra hard drive that includes some sort of free "clone" or "migration" software, or a Linux "repair" bootable thumb drive.
- Clone your system's hard drive to the new drive then unplug the new drive.
- Unplug the internet source (router, modem, etc) to stop exfiltration
- Install/run your un-trusted EXE as much as needed.
- Reboot and wipe the main hard drive from a bootable thumb drive.
- Clone the copy back to the main box and reboot.
This lets you run code in your normal setup, locally (w/o net), and rest assured that no harm will come to your machine or data. You could still get hit with a targeted attack that uses something like fan-based exfiltration, but if you're just worried about ransomware, spyware, or a virus, the copy and restore method is very effective.
Use this routine on an extra $100 computer (refurb on newegg or ebay) if the EXE needs internet.
@DavidAndersson: consider that "and the like": see the "serenity prayer". – dandavis Sep 09 '16 at 12:24
Okay. I thought unplugging the original drive was for preventing this type of attack. Can one clone the BIOS? – David Andersson Sep 09 '16 at 20:38
You cannot.
If you use an OS-level virtualization solution (sandboxes, containers, SELinux), the malware can use a local privilege escalation exploit. If you use hardware virtualization, the malware can exploit vulnerabilities in the hypervisor (and other underlying software, including the OS, BIOS and firmware; a lot of devices have flashable firmware, which allows the creation of extremely persistent rootkits) and fault injection like RowHammer. If you use an emulator, the malware can try to exploit a vulnerability in the emulator.
So you need a separate physical machine, and if you need to analyse binaries automatically you need the software on the analysing machine to be not vulnerable.
Now forget everything written above because it is not a real life scenario (unless you are a high-value target for intelligence agencies). A hardware virtualization solution (for example QubesOS) should be enough, if you cut it off from devices (no OpenGL passthrough, no PCI passthrough, no USB passthrough, no access to storage, etc ...)