Ask HN: Is it recommended to use a secondary laptop for malware analysis?

[halpme]

I picked up a copy of "Practical Malware Analysis" to get started with malware analysis and reverse engineering. One concern I have, especially after reading the VM setup chapter, is doing malware analysis in a VM on a primary computer. Apparently malware can detect if its running in a virtualized environment, and try to exploit any vulnerabilities to escape it's sandbox to infect the host system.

Now, I have a fancy $2300 MacBook Pro, and I'd be devastated if I messed it up by being careless. I was considering picking up a used Thinkpad for like $150, maybe installing a small SSD and upgrading RAM. Total cost would be more or less $300 and a peace of mind not caring if the laptop gets killed or screwed up.

I want to hear some insight from experienced folks about their thoughts on the topic, if its worth getting a secondary laptop or if I'm being paranoid and can safely run all malware in a VM on my MBP. Thanks!

[brudgers]

For malware analysis, I'd definitely look at computers as cattle rather than pets...I guess I'm leaning that way in general.

One way of approaching it though is to swap out SSD's. Turn the box off, pull one put in another and [assuming there is only one persistent storage device] it's a whole new computer. For a lot of tasks, swapping state could probably just be thumb drives. For many tasks, 16G or even 8G is going to be plenty for Linux, tools, and the object of interest. Those run about $8 in bulk these days.

Build a standard tool image; store it on the Mac and burn it onto thumb drives asynchronously. When a new project comes along, pop one into the second machine; load in the malware; and have at it. Don't even need a VM.

Good luck.

[akg_67]

You can minimize the attack methods/surface but you can't eliminate it completely. There is no fool-proof way that will work in all situations.

- Malware in VM has potential of migrating to host.

- Malware on a network connected separate hardware system has potential of migrating through network.

- Malware on a stand-alone separate hardware system has potential to migrate through external media (USB key/disk) exchange between the two systems.

As you are starting to learn, you most probably will be learning with known malware. As long as you are not analyzing malware that is known to escape from VM to host, you most probably be better of starting with VM for analysis.

When learning a new topic, it is better to get started quickly rather than focusing on finding the perfect setup.

[seanwilson]

Could you run your experiments on something like AWS EC2 or Digital Ocean? Likely cheaper and they're easy to start from a clean slate.

[brudgers]

Mightn't VM aware malware become aware of the VM and behave differently?

[seanwilson]

Most likely. What would be the plan for how to quickly reset the state of the malware laptop though?

[brudgers]

See the approach outlined in my direct response to the OP.

[tracker1]

Doing analysis on an external drive from where it wasn't run is probably a good idea.. there's always risk though. That said, I'd invest in an external usb3/thunderbold sata3 drive reader, so you can run on the thinkpad, then read the drive on the analysis machine.

ymmv, ianal, etc...

[wprapido]

yeah, having more laptops for various purposes (malware analysis) is always a good idea