You are not logged in.

#1 2019-08-06 17:03:12

gribblygook
Member
Registered: 2018-08-12
Posts: 23

[SOLVED] How to securely use a distro for malware analysis

I want to start getting involved with malware analysis and i'm not sure about how this would affect my other drives/distros on my computer.

I'm setting up a new build that will have two drives, one which will be just for my main distro, and the second will hold distros for experimenting including a distro dedicated for malware analysis.

Would encrypting all of the partitions on each distro be enough to make this secure, or should I have a third drive just for malware analysis and disconnect all other drives when running it?

Thanks

Last edited by gribblygook (2019-08-08 21:40:17)

Offline

#2 2019-08-06 18:03:35

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [SOLVED] How to securely use a distro for malware analysis

Personally, I would have a dedicated machine that was airgapped. Don't inadvertently contribute to the problem you are trying to study.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#3 2019-08-06 23:16:38

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: [SOLVED] How to securely use a distro for malware analysis

gribblygook wrote:

Would encrypting all of the partitions on each distro be enough to make this secure

Secure from what?  Reading and stealing your data?  Sure, it'd be pretty secure: as secure as your encryption method.  Secure from being over-writen / destroyed?  No, not in the slightest - it should be obvious that encryption does nothing to protect from this risk.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#4 2019-08-07 01:38:44

Skunky
Member
Registered: 2018-01-25
Posts: 230

Re: [SOLVED] How to securely use a distro for malware analysis

If you don't want to analyze sandbox escape malware (very unlikely), i think virtual machines are safe enough

Last edited by Skunky (2019-08-07 01:38:57)

Offline

#5 2019-08-07 01:47:00

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: [SOLVED] How to securely use a distro for malware analysis

Assuming malware properly and honestly identifies its intended purpose ...


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#6 2019-08-07 02:09:41

Skunky
Member
Registered: 2018-01-25
Posts: 230

Re: [SOLVED] How to securely use a distro for malware analysis

Trilby wrote:

Assuming malware properly and honestly identifies its intended purpose ...

That's true big_smile but finding a working exploit for an up to date hypervisor it's kinda hard i guess, because of the reward such exploits can offer

Offline

#7 2019-08-07 12:08:47

gribblygook
Member
Registered: 2018-08-12
Posts: 23

Re: [SOLVED] How to securely use a distro for malware analysis

Of course an dedicated airgapped machine would be best but I don’t have the money for a second computer as I’ve just spent money on a computer sad

So if I wasn’t analysing sandbox escape malware, kept VM’s updated would the following be acceptable, is there anymore I could do to be safe?

Uninstall any networking/wifi libraries in analysis distro
Unplug other drives
Use VM
Disable Network adapter in VM

Offline

#8 2019-08-07 12:37:05

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: [SOLVED] How to securely use a distro for malware analysis

Virtual Machines were not at the start of this discussion.  They were suggested as an alternative to unplugging other drives.  So if you are unplugging other drives, I don't think a VM would add any more protection on top of that.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#9 2019-08-07 13:45:30

seth
Member
Registered: 2012-09-03
Posts: 49,972

Re: [SOLVED] How to securely use a distro for malware analysis

Mind you that if the malware manages to infect the EFI, you're fucked, no matter whether you unplug the drive - you still plug it later.
A VM can protect from that as long as the malware is not able to break out of the VM - in that case you're fucked again, because the malware then infected access to the host system (and pot. the EFI)

It all really boils down to what kind of malware you expect to deal with.

Using a VM is very cheap & convenient (because you can easily reset the VM after the infection) BUT the malware must not be able to break out of the VM.
Also: since this is a very popular way for malware testing, better malware will detect the VM and deactivate itself.

Unplugging the other drive (or rather disabling it in the EFI being more convenient) protects the host/other OS BUT malware must not be able to infect/control the EFI.

Network specific malware will likely require a virtual network, ie. you want to be able to fake the home server to talk to the malware in its expected way.

Online

#10 2019-08-08 21:39:59

gribblygook
Member
Registered: 2018-08-12
Posts: 23

Re: [SOLVED] How to securely use a distro for malware analysis

Thanks for the help and advice smile

Offline

Board footer

Powered by FluxBB