I want to start getting involved with malware analysis and I'm not sure about how this would affect my other drives/distros on my computer.
I'm setting up a new build that will have two drives, one which will be just for my main distro, and the second will hold distros for experimenting including a distro dedicated for malware analysis.
Would encrypting all of the partitions on each distro be enough to make this secure, or should I have a third drive just for malware analysis and disconnect all other drives when running it?
Thanks
Last edited by gribblygook (2019-08-08 21:40:17)
Personally, I would have a dedicated machine that was airgapped. Don't inadvertently contribute to the problem you are trying to study.
Would encrypting all of the partitions on each distro be enough to make this secure
Secure from what? Reading and stealing your data? Sure, it'd be pretty secure: as secure as your encryption method. Secure from being overwritten / destroyed? No, not in the slightest - it should be obvious that encryption does nothing to protect from this risk.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
If you don't want to analyze sandbox escape malware (very unlikely), I think virtual machines are safe enough.
Last edited by Skunky (2019-08-07 01:38:57)
Assuming malware properly and honestly identifies its intended purpose ...
Assuming malware properly and honestly identifies its intended purpose ...
That's true, but finding a working exploit for an up-to-date hypervisor is kinda hard, I guess, because of the reward such exploits can offer.
Of course a dedicated airgapped machine would be best, but I don't have the money for a second computer as I've just spent money on a computer.
So if I wasn't analysing sandbox escape malware and kept VMs updated, would the following be acceptable? Is there anything more I could do to be safe?
Uninstall any networking/wifi libraries in analysis distro
Unplug other drives
Use VM
Disable Network adapter in VM
Virtual Machines were not at the start of this discussion. They were suggested as an alternative to unplugging other drives. So if you are unplugging other drives, I don't think a VM would add any more protection on top of that.
Mind you that if the malware manages to infect the EFI, you're fucked, no matter whether you unplug the drive - you still plug it in later.
A VM can protect from that as long as the malware is not able to break out of the VM - in that case you're fucked again, because the malware then has infected access to the host system (and pot. the EFI).
It all really boils down to what kind of malware you expect to deal with.
Using a VM is very cheap & convenient (because you can easily reset the VM after the infection) BUT the malware must not be able to break out of the VM.
Also: since this is a very popular way for malware testing, better malware will detect the VM and deactivate itself.
Unplugging the other drive (or rather disabling it in the EFI being more convenient) protects the host/other OS BUT malware must not be able to infect/control the EFI.
Network specific malware will likely require a virtual network, i.e. you want to be able to fake the home server to talk to the malware in its expected way.
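The checklist earlier in the thread (disable the network adapter, unplug other drives, use a VM) and the post above (no path from the guest to the host, isolated virtual network) both come down to auditing what the guest is actually wired to before you boot the sample. The script below is an added example, not from the thread or from any project: it walks a libvirt domain XML and flags the usual isolation mistakes (a NIC on a non-isolated or bridged network with link up, a user-mode NAT NIC, a host directory shared into the guest, a host device passed through). The network name `isolated-lab` and the sample XML are constructed; only the libvirt element names (`interface`, `source`, `link`, `filesystem`, `hostdev`) are real.

```python
"""Audit a libvirt domain XML for isolation mistakes before booting a malware-analysis guest.

Added example, not from the thread. Assumes libvirt's domain XML layout
(<interface>, <source>, <link>, <filesystem>, <hostdev> under <devices>) and an
operator-maintained set of network names that are known to be isolated.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one NIC on an isolated network with its link down (fine),
# one bridged NIC (reaches the physical LAN), a host folder shared into the guest,
# and a USB device passed through from the host.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>analysis-guest</name>
  <devices>
    <interface type='network'>
      <source network='isolated-lab'/>
      <link state='down'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br0'/>
    </interface>
    <filesystem type='mount'>
      <source dir='/home/user/shared'/>
      <target dir='shared'/>
    </filesystem>
    <hostdev mode='subsystem' type='usb'>
      <source><vendor id='0x1234'/><product id='0x5678'/></source>
    </hostdev>
  </devices>
</domain>"""

# Assumption: the operator names which libvirt networks are isolated
# (no NAT, no forwarding, only the fake "home server" VM attached).
ISOLATED_NETWORKS = {"isolated-lab"}


def audit_domain(xml_text, isolated_networks=ISOLATED_NETWORKS):
    """Return a list of findings; an empty list means nothing obviously unsafe."""
    root = ET.fromstring(xml_text)
    findings = []

    for iface in root.iter("interface"):
        kind = iface.get("type")
        src = iface.find("source")
        link = iface.find("link")
        # A NIC whose link is administratively down cannot talk to anything,
        # which is the "disable network adapter in VM" item from the checklist.
        link_down = link is not None and link.get("state") == "down"
        if kind == "network":
            net = src.get("network") if src is not None else None
            if net not in isolated_networks and not link_down:
                findings.append(f"interface on non-isolated network {net!r} with link up")
        elif kind in ("bridge", "direct"):
            if not link_down:
                findings.append(f"{kind} interface gives the guest a path to the physical LAN")
        elif kind == "user":
            # SLIRP user-mode networking NATs the guest out through the host stack.
            findings.append("user-mode (SLIRP) NIC NATs the guest out through the host")

    for fs in root.iter("filesystem"):
        src = fs.find("source")
        shared = src.get("dir") if src is not None else "?"
        findings.append(f"host directory shared into guest: {shared}")

    for hd in root.iter("hostdev"):
        # Passed-through hardware is a direct channel to the host and its firmware.
        findings.append(f"host device passed through (type={hd.get('type')})")

    return findings


if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_DOMAIN_XML):
        print("FINDING:", finding)
```

Run it against `virsh dumpxml <guest>` output before the first boot of a sample; an empty result does not prove the guest is isolated (it says nothing about the hypervisor itself or the EFI point raised above), it only catches the configuration slips that are easy to make and easy to check.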
Thanks for the help and advice