Windows 7 Sandboxie for malware simulating/tracing?

[Chris Glenn]

First I just want to say, I am NOT developing malware.

However, what I am trying to do is be able to run any malware/virus, regardless of how deadly it is in a protected environment so I can trace what it does (well, tries to do) to my system. At the same time it would block and log all commands given by the malware.

I downloaded & installed Sandboxie. Before I try ANYTHING to what I want to do, I wanted to make sure the malware/virus would be completely contained within sandboxie. If it's not, is there another solution to a completly contained envrionment? (other than a virtual machine)

 

[zvit]

Running malware even on a soft virtual machine can have it's risks. The malware may also know that you're on a virtual machine, and you won't be able to analyze it properly. There are many ways to do this. I think you'll find this article interesting:
Chapter 6: Malware Analysis Basics

 

[Chris Glenn]

Thanks for replying.

I didn't know malware could know your running it in a virtual machine. Is it because of the generic driver information?
Thanks for the link! Very informative.

 

[zvit]

Is it because of the generic driver information?

I would doubt that since both guests use the same drivers. The article explains the reason as being a time issue.
In "6.4 Program confinement with soft virtual machines" it says:

Virtual machines implemented in software provide a flexible way to share hardware among multiple simultaneously running operating systems. As illustrated in figure 6.2, one or more guest operating systems run on top of a virtual hardware interface, while a virtual machine monitor program (sometimes called hypervisor) mediates access to the real hardware. Each guest executes at normal speed, except when it attempts to access hardware, or when it attempts to execute certain CPU instructions. These operations are handled by the virtual machine monitor, in a manner that is meant to be invisible to the guest.

The flexibility of soft virtual machines comes at the cost of some software overhead in the virtual machine monitor. In return, they can offer features that are not available in real hardware or in guest operating systems.

Then in "6.5 Dangers of confinement with soft virtual machines" it explains:

The flexibility of soft virtual machines comes at the cost of some software overhead in the virtual machine monitor. In return, they can offer features that are not available in real hardware or in guest operating systems.

In some cases, subtle details may give away that software is running in a virtual machine. For example, a guest with access to accurate time may notice that some machine instructions are comparatively slow. And when one virtual disk track spans across multiple physical disk tracks, disk blocks that are adjacent on the virtual media can be non-adjacent on the physical media, resulting in unusual access time properties.

 

[patcooke]

Regardless of what precautions you take I reckon that you will inevitably suffer from infection. I would always take the additional precaution of making a complete system image using something like Acronis True Image and running a full restore after testing malware.

 

[zvit]

Regardless of what precautions you take I reckon that you will inevitably suffer from infection. I would always take the additional precaution of making a complete system image using something like Acronis True Image and running a full restore after testing malware.

I totally second that. Big anti-virus companies that inspect tens of viruses a day have a whole lab of computers that are dedicated just for that. You will NEVER find pictures of a family trip on those computers! (Unless it's a jpeg with a hidden embedded virus code in it..)

Go buy a second hand cheap computer for that kind of work.

 

[Chris Glenn]

Thanks for all the replies and advice.
I decided that I am going to acquire a cheap PC that I can restore on a dime -- using that to play with some malware I wanted to inspect.