Ask HN: Is it recommended to use a secondary laptop for malware analysis?
I picked up a copy of "Practical Malware Analysis" to get started with malware analysis and reverse engineering. One concern I have, especially after reading the VM setup chapter, is doing malware analysis in a VM on a primary computer. Apparently malware can detect if its running in a virtualized environment, and try to exploit any vulnerabilities to escape it's sandbox to infect the host system.
Now, I have a fancy $2300 MacBook Pro, and I'd be devastated if I messed it up by being careless. I was considering picking up a used Thinkpad for like $150, maybe installing a small SSD and upgrading RAM. Total cost would be more or less $300 and a peace of mind not caring if the laptop gets killed or screwed up.
I want to hear some insight from experienced folks about their thoughts on the topic, if its worth getting a secondary laptop or if I'm being paranoid and can safely run all malware in a VM on my MBP. Thanks!
8 comments
[ 2.9 ms ] story [ 68.8 ms ] threadymmv, ianal, etc...
One way of approaching it though is to swap out SSD's. Turn the box off, pull one put in another and [assuming there is only one persistent storage device] it's a whole new computer. For a lot of tasks, swapping state could probably just be thumb drives. For many tasks, 16G or even 8G is going to be plenty for Linux, tools, and the object of interest. Those run about $8 in bulk these days.
Build a standard tool image; store it on the Mac and burn it onto thumb drives asynchronously. When a new project comes along, pop one into the second machine; load in the malware; and have at it. Don't even need a VM.
Good luck.
- Malware in VM has potential of migrating to host.
- Malware on a network connected separate hardware system has potential of migrating through network.
- Malware on a stand-alone separate hardware system has potential to migrate through external media (USB key/disk) exchange between the two systems.
As you are starting to learn, you most probably will be learning with known malware. As long as you are not analyzing malware that is known to escape from VM to host, you most probably be better of starting with VM for analysis.
When learning a new topic, it is better to get started quickly rather than focusing on finding the perfect setup.