Beginning Malware analysis

[cyb3rl0rd1867]

I want to get more into malware analysis but there are a few barriers to my getting started. Hopefully someone here can help me out.

1. I use VmWare, when I plug in a flash drive or ipod it sometimes automatically connects to the VM. Not a good thing if you have malware hanging around. How do you make it so they won't(preferably can't) connect to my VM?

2. If the network is unchecked is there anything to worry about? I can't remember for sure but I think there were times when it woke up and it was connected to the network. Any ideas on how to fix that?

3. Is the copying from a host to a guest a security risk?

4. Is it safe to download the malware on your regular computer and then put them in the vm?

Also, if anybody knows of any tutorials on using VmWare to set up a secure environment, or if you have any tips about it please let me know. Thanks!

[kao]

1. See settings for the virtual machine (VM->Settings->USB->autoconnect feature)

2. See settings for the virtual machine. If you don't need the network, just disable network card in VM configuration. If you want to download live malware from VMWare, I'd suggest that you use NAT.

There are 2 risks: you'll run a network worm that will scan your network and try to replicate to all your shared folders; you'll run password stealer that will upload all your passwords from guest OS to some malicious server. Therefore, always use different user names and passwords for guest OS, including the administrator password. Never use guest OS for checking your real mailboxes, IM, and other stuff where passwords are involved. Also, make sure that there are no writable shared folders on your home network.

3. Copying file from Host->Guest is always safe. Guest->Host is not, especially if you are playing with file-infectors. If you use VMWare Shared Folders (VM->Settings->Options->Shared folders) with write permissions, that content can get infected as well.

4. It is never safe. No matter how many precautions you take, one day you'll make a "small" mistake. Be prepared, have up-to-date backups and plan for action. I'd suggest that you use VM with network connection to download malware, that reduces the risk significantly.

Take care!

[Newbie_Cracker]

if malware has built in AntiVM , then how can i ?

[quosego]

Ah but then you'll just have to crack that. Somewhere it will decide if it's in a VM or not..

[cyb3rl0rd1867]

if malware has built in AntiVM , then how can i ?

Maybe try out a different vm, there are different methods for detecting each one so just because it detects one doesn't mean it will detect them all. On a side not, why did you hijack the thread? if you want a decent answer start a new thread, so everyone will know what you're asking.