Security – Best practices for isolating malware/honeypot samples

Tags: malware, security, virtual-machines

I am pursuing malware research and am wondering what the best practices are for building safe VMs to contain the code while disassembling it. So far:

  1. Each instance for examining the code is housed in a separate VM with host-only network support to prevent hostile code from escaping the VM.
  2. Each VM is fully patched and has a minimal attack surface by excluding all unnecessary software/services.

What other steps should I take to isolate the VMs or harden the VMs? The VMs are Win XP and Win Vista.

Thanks
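The two steps listed in the question (a separate guest per sample, host-only networking, minimal attack surface) can be checked mechanically against the guest definition. The following is an added example, not code from the original post or from any of the products mentioned on this page: it audits a libvirt/KVM domain XML for the usual guest-to-host channels (NAT or bridged networking, shared folders, the SPICE agent channel, USB redirection, device passthrough, clipboard and file transfer), rewrites the definition so the guest only has an isolated network, and emits the matching libvirt network definition. The element and attribute names are libvirt's own; the sample domain XML, the network name `malware-isolated` and the 192.168.77.0/24 subnet are constructed for this example.

```python
"""Audit and harden a libvirt guest definition for a malware-analysis VM.

Added example, not from the original post. Element/attribute names are
libvirt's; the sample XML, the network name and the subnet are assumptions.
"""
import xml.etree.ElementTree as ET

ISOLATED_NETWORK = "malware-isolated"  # assumed name of the host-only network

# Constructed sample: a desktop-style guest with the usual conveniences enabled.
UNSAFE_DOMAIN_XML = """<domain type='kvm'>
  <name>winxp-analysis</name>
  <memory unit='MiB'>1024</memory>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/winxp-analysis.qcow2'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='e1000'/>
    </interface>
    <filesystem type='mount'>
      <source dir='/home/analyst/samples'/>
      <target dir='samples'/>
    </filesystem>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
    <redirdev bus='usb' type='spicevmc'/>
    <graphics type='spice' autoport='yes'>
      <clipboard copypaste='yes'/>
      <filetransfer enable='yes'/>
    </graphics>
  </devices>
</domain>
"""


def audit_domain(xml_text, isolated_networks=(ISOLATED_NETWORK,)):
    """Return one string per escape path found in the <devices> section."""
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    findings = []
    if devices is None:
        return findings
    for iface in devices.findall("interface"):
        kind = iface.get("type")
        src = iface.find("source")
        net = src.get("network") if src is not None else None
        # Anything but a libvirt network from the isolated set is a path out:
        # 'user' is SLIRP NAT, 'bridge'/'direct' put the guest on the host LAN,
        # and the stock 'default' network is NAT to the outside world.
        if kind != "network" or net not in isolated_networks:
            findings.append(f"interface: type={kind} network={net} is not an isolated network")
    for fs in devices.findall("filesystem"):
        src = fs.find("source")
        path = src.get("dir") if src is not None else "?"
        findings.append(f"filesystem: shared directory {path} exposes host files to the guest")
    for ch in devices.findall("channel"):
        if ch.get("type") == "spicevmc":
            findings.append("channel: spicevmc agent channel carries clipboard/agent traffic")
    for _ in devices.findall("redirdev"):
        findings.append("redirdev: USB redirection lets the guest reach the viewer's USB devices")
    for _ in devices.findall("hostdev"):
        findings.append("hostdev: device passthrough gives the guest direct hardware access")
    for g in devices.findall("graphics"):
        if g.get("type") == "spice":
            cb = g.find("clipboard")
            if cb is None or cb.get("copypaste") != "no":
                findings.append("graphics: SPICE clipboard sharing is not disabled")
            ft = g.find("filetransfer")
            if ft is None or ft.get("enable") != "no":
                findings.append("graphics: SPICE file transfer is not disabled")
    return findings


def harden_domain(xml_text, network=ISOLATED_NETWORK):
    """Rewrite the definition so audit_domain() reports nothing."""
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    for tag in ("filesystem", "redirdev", "hostdev"):
        for el in devices.findall(tag):
            devices.remove(el)
    for ch in devices.findall("channel"):
        if ch.get("type") == "spicevmc":
            devices.remove(ch)
    for iface in devices.findall("interface"):
        iface.set("type", "network")
        src = iface.find("source")
        if src is None:
            src = ET.SubElement(iface, "source")
        src.attrib.clear()           # drops bridge='br0' etc. from other types
        src.set("network", network)
    for g in devices.findall("graphics"):
        if g.get("type") == "spice":
            for tag, attr in (("clipboard", "copypaste"), ("filetransfer", "enable")):
                el = g.find(tag)
                if el is None:
                    el = ET.SubElement(g, tag)
                el.set(attr, "no")
    return ET.tostring(root, encoding="unicode")


def interface_networks(xml_text):
    """Names of the libvirt networks every <interface> is attached to."""
    root = ET.fromstring(xml_text)
    out = []
    for iface in root.findall("devices/interface"):
        src = iface.find("source")
        out.append(src.get("network") if src is not None else None)
    return out


def isolated_network_xml(name=ISOLATED_NETWORK, subnet="192.168.77"):
    """Network definition with no <forward> element, i.e. libvirt's isolated
    mode: guests see each other and the host's bridge address, nothing else."""
    return (f"<network>\n  <name>{name}</name>\n"
            f"  <bridge name='virbr-{name[:8]}' stp='on' delay='0'/>\n"
            f"  <ip address='{subnet}.1' netmask='255.255.255.0'>\n"
            f"    <dhcp><range start='{subnet}.10' end='{subnet}.50'/></dhcp>\n"
            f"  </ip>\n</network>\n")


if __name__ == "__main__":
    for f in audit_domain(UNSAFE_DOMAIN_XML):
        print("FINDING:", f)
    print(isolated_network_xml())
    print(harden_domain(UNSAFE_DOMAIN_XML))
```

Feed the two generated documents to `virsh net-define` and `virsh define` respectively. One caveat the audit cannot remove: an isolated network still leaves the host's bridge address (192.168.77.1 here) reachable from the guest, so the host itself needs a firewall that drops traffic from the bridge, and nothing on the host should listen on it.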

Best Answer

What you are looking for is a malware sandbox, not a honeypot.

I would recommend having the host machine be a different OS than the sandbox. For example, run Linux on your VM, then run the malware in a Windows installation inside the Linux VM. It would be shocking if the Windows malware infected the Linux box.

There is actually an open source system called Zero Wine you could take a look at.

Its sole purpose is to help people analyze malware in a contained environment.

There are some commercial products such as Norman Sandbox Analyzer that might be viable as well, depending on your budget.
