Put Malware In My Lab...safely?
by liteman
There are some excellent online resources describing how to put together basic malware analysis labs. I won’t rehash that content here.
One thing that seems to get breezed over, or is missing entirely, from a lot of the “How To Build A Malware Lab” articles is how to safely get malware samples onto the ‘Victim’ VM without exposing the host to potential infection.
I want to walk through the options and look at the potential problems.
If you aren’t familiar with building a malware lab, please check out these excellent resources:
- @ramospablo has a good article on the value of a malware analysis lab and how to build one up on Medium.
- @malwaretechblog thoroughly describes the key components of a free malware lab on his blog.
- @malwareunicorn provides an introduction to reverse engineering (malware) and even provides the VMs needed to complete her course.
In terms of getting samples to the Victim VM, @MalwareTechBlog briefly mentions avoiding USB drives to transfer samples, and @MalwareUnicorn’s course is set up for hypervisor copy/paste to get samples from a host machine to a guest VM – however, she is using known samples that do not attempt VM escapes.
I want to cover the potential methods for file transfer here, trying to find a balance between convenience and security.
Host-to-VM File Transfer Options
From most to least convenient:
- Hypervisor Tools – Whether VMware, VirtualBox or another hypervisor, bidirectional copy/paste (and drag/drop) is likely a supported feature. This is probably the most convenient method, but I worry about VM escapes: the clipboard and drag/drop channels are implemented by the guest tools talking to host-side code, which is exactly the kind of guest-to-host interface an escape would target. These are edge cases maybe, but I still worry. Having to rebuild my host machine is a headache I don’t want. If you do use it, restrict the direction: VirtualBox lets you set the shared clipboard and drag/drop to host-to-guest only rather than bidirectional, and if your hypervisor offers the same, use it.
- Hypervisor Shared Folders – Slightly less convenient than copy/paste, but still pretty easy. As long as the share is configured to be read-only from the Victim VM(s) this might be OK, but exposing the host filesystem at all makes me nervous. Read-only stops the guest from writing into the share, but the guest is still talking to the host-side share service, and shared folders require Hypervisor Tools to be installed in the guest, so the attack surface is much the same as the copy/paste option. If you go this way, share a dedicated directory that holds only the samples, never a broad path.
- SCP/SFTP/TFTP – Pushing samples over the network from host to guest seems relatively safe as well. A TFTP server on the guest and a client on the host would be enough, and is perhaps the least effort to configure. A more convenient setup is an SFTP/SCP client on the host, carefully configured to sync in one direction only (host to guest). Two checks matter here: keep the guest on a host-only (or otherwise isolated) network, with the host firewall blocking inbound connections from that segment, and make sure the host only ever initiates connections to the guest and never accepts them. Note also that TFTP has no authentication or encryption, which is fine on an isolated lab segment and nowhere else.
- Mount a USB – If a USB drive is exposed to an infected machine (VM or otherwise), I wouldn’t ever want to connect that to my host again. Just skip this option altogether.
- Mount ISO – Building an ISO (ImgBurn), mounting it as a ‘CD’ on the Victim VM, and copying the files off it is far less convenient than copy/paste, granted. But it is a one-way file transfer, and it doesn’t expose the host to anything running on the VM: the guest sees a read-only disc image and gets no channel back to the host filesystem. ImgBurn allows ISOs to grow beyond the typical physical CD/DVD size limits (on Linux or macOS hosts, genisoimage/mkisofs or hdiutil will build the image). As long as the Guest VM can read the ISO, quite a large malware collection could be stored and used this way. Whichever method you pick, record the SHA-256 of each sample before staging it and compare on the guest after the copy, so you know the file you are analysing is the one you meant to move.