3

I want to try out an OS called "Red Star OS". I want to make it a completely isolated VM, no network connectivity etc., just to explore and take a look at it. I found out where to get it from this article.

I was just curious if it's safe to run in a VM and what I should look out for when doing this.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 2
    Considering the source of the ISO, I'd be even more concerned with this ISO than with other ISOs that it is designed to escape the hypervisor. – schroeder Jul 22 '18 at 16:40
  • @schroeder I highly doubt it is designed to escape the hypervisor if it is properly configured. It may, however, refuse to run or change its behavior to make analysis and censorship circumvention harder. I doubt DPRK would want to hand out valuable 0days to all their citizens. – forest Jul 24 '18 at 04:49
  • @forest 1. why are you certain that the ISO that is available outside of the DPRK is the same as they would give their citizens? 2. Distributing 0-days to your adversaries is kind of the point of having 0-days. – schroeder Jul 24 '18 at 07:40
  • #1 is a good point but I think it's unlikely to matter (it would be more stealthy and cheaper to use a browser 0day on the download page), and #2 would imply that they would be distributing 0days to a large number of people in order to attempt to exploit a very small percentage of them, which is especially problematic when this group of people has an above-average knowledge of computing. It would be bad form to distribute a very powerful and valuable 0day on a system that _screams_ "analyze me" to exploit a tiny fraction of the analysts to do what, steal the secrets of American Imperialists™? – forest Jul 24 '18 at 07:51

2 Answers2

1

You cannot be entirely sure it is safe to do so by the simple fact that when you download a potentially infected ISO, it may be enough for the malware to trigger and do whatever damage it's programmed to do on the host system. There are backdoors that may be successfully deployed only by previewing an infected file in thumbnail mode on Windows Explorer.

Now assuming the malware is only in the OS contained in the ISO, I would say that unless it contains specific payloads which would target virtualization software hence escaping VM constraints, you should be fine if you do not enable networking, do not share drives, do not allocate excessive resources and do not give access to peripherals to the VM.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Samuryte
  • 46
  • 3
1

In general, for malware engineers, it is not wise to install malware that touches, in anyway, a production system. If this is your home lab, and your laptop/desktop--consider that machine a production system.

A typical malware set up is to have a "red" network. This is network off the internet, has it's own local switch, dhcp, DNS. Every device on the network can be completely wiped and restored at any time. You can do this with one machine running VM's. See this article (ignore it's suggestion to connect to the internet, in my opinion). https://www.slideshare.net/chrissanders88/cissa-lightning-talk-building-a-malware-analysis-lab-on-a-budget

I can absolutely confirm that issues with malware infected VM's can happen. Granted, you know this one is infected, but a friend at work was working on a training and had an infected VM pushed to his training lab (the company he was training with did not know they had been infected with an eternalBlue of some kind.) Got a call from IT because we had a device (the infected one) scanning our networks for outdated SMB. Very, very bad news.

bashCypher
  • 1,879
  • 12
  • 21