From the day I started blogging, I have always tested and made sure that the article I post actually works at the time of writing. The testing and analysis are done on my desktop computer, which has either Windows XP or Windows 7 installed. Whenever I need to test something new that requires a clean Windows installation, I simply do a full restore using a backup image that I created earlier. This is slightly more time consuming, and some people may think I am stupid to do so because it would probably be easier and faster to use a virtual machine such as VirtualBox or VMware.

A Windows operating system installed in VirtualBox or VMware may look and work the same way as a real Windows environment, but in fact it doesn’t. First of all there is the compatibility issue, and here is one example. The upcoming Kaspersky Rescue Disk version 10 is in beta testing and it worked perfectly in VirtualBox, but when I burned it to a CD and booted it on two different desktops, one with older hardware and the other with newer hardware, both failed to start in graphic mode and spewed tons of error messages in the console.

Secondly, you obviously don’t get the real performance of the software when you test it in a virtual environment. You will notice that installing Windows or running a full virus scan on a virtual machine takes longer than on Windows installed on a physical hard drive.
Thirdly and most importantly, analyzing malware and malicious files is something that I love and am interested in, although I am not working for nor affiliated with any antivirus company. I love to see the techniques that are constantly being improved by malware programmers, as they always need to be one step ahead of the antivirus. It is one big mistake to test and analyze malware in a virtual environment, because those who do so obviously don’t know about anti-virtual-machine, anti-sandbox and anti-debug features. Some good crypters that can make a malicious file undetectable by any antivirus have the capability to exit the process when it detects that it is being analyzed.

For example, if you upload such a file to ThreatExpert and have it analyzed, the report you get 5 minutes later will not contain anything suspicious, and you will end up running it thinking that it is safe. If you try to run it in a sandbox such as Sandboxie, you will get an error saying “This program cannot be run in Sandboxes“.

Here are a few screenshots of crypters that have an “Anti’s” feature, which bypasses virtual machines, debuggers and online analyzers.

As for my case, I dare to run any malicious file on my desktop computer because it is a standalone computer and doesn’t contain any passwords or login information for the malware to steal. To see the damage that the malware has done to my computer, I simply use a program that tracks file and registry changes, such as SysTracer, a shareware that costs only $29.95 for a single-user license. So far everything is good, especially using the Windows 7 built-in system image backup.
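To show what a file-change tracker like the one described above actually does, here is an added example (my own code, not SysTracer and not from the original post): it snapshots a directory tree by size and SHA-256 before and after an untrusted program runs, then reports added, removed and modified files. It covers only the file system, not the registry, and the demo paths in the `__main__` block are assumptions.

```python
"""Minimal file-change tracker: snapshot a directory tree before running an
untrusted program, snapshot again afterwards, and diff the two snapshots.
Registry changes are out of scope for this example."""
import hashlib
import os
import sys


def _sha256(path: str) -> str:
    """Hash file contents in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file path (relative to root) to a (size, sha256) tuple."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                state[os.path.relpath(full, root)] = (os.path.getsize(full), _sha256(full))
            except OSError:
                continue  # file vanished or is unreadable mid-walk; skip it
    return state


def diff(before: dict, after: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths.
    A file counts as modified when its size or content hash changed."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


if __name__ == "__main__":
    # Assumed usage: python tracker.py C:\Windows  (any directory you want watched)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    before = snapshot(root)
    input("Snapshot taken. Run the program under test, then press Enter...")
    for kind, paths in diff(before, snapshot(root)).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Compare the "modified" list against a known-clean baseline first, since Windows itself writes to logs and prefetch files between snapshots and those entries are noise rather than malware activity.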
New generation debuggers coming. At Black Hat USA 2010, Virt-ICE, a next generation debugger for malware analysis, was presented, and it is designed to:
address the problems of current malware debuggers. Using virtualization technology, Virt-ICE is totally invisible to malware, thus renders most available anti-debugging techniques useless.
Info Link:
blackhat.com/html/bh-us-10/bh-us-10-archives.html
Thanks Ray.
I also test things on real system and not in a virtual environment.
Very interesting article. I’ve learned a lot from you… thanks
I have been looking for something like this and you’ve made me clear why VM is not like a real machine. Thanks for this post
Interesting, I like it. As the virtualisation part is itself a part of the base OS, testing on the virtualisation part will only give a snippet view instead of a wholesome view, as perhaps the whole OS, meaning the base OS, cannot be virtualised, so that is the real answer.
Thanks Raymond, some nice applications.
Thanks Raymond, I have learned something new, as always.
A really powerful rootkit can make itself invisible to any tracer and even shield its registry/file entries. For example, a recently announced technique arstechnica.com/security/news/2010/05/multicore-cpus-move-attack-from-theoretical-to-practical.ars can bypass any API hooks (legit or not) that are installed on your system.
I’m not surprised or shocked upon reading this. In fact, I’ve always had the doubt that you have been doing this all along… simply by reading your previous articles. No mention at all of those tests being done on a VM.
Anyway, although I’m not a technical expert unlike some others (inc. you Raymond), I too download and install new software for testing purposes (just to feed upon my curiosity, nothing more than that) on my real machine. Admittedly, I do run into problems at times and to make it worse, I don’t do backups diligently. Why not on a VM? Simply for the same exact reasons you’ve mentioned above. A VM doesn’t feel like the same thing at all…
However, so far, I have been lucky. If anything goes wrong, all I do is a mere uninstall (and if need be using Revo Uninstaller, but CCleaner suffices for me most of the time). If things really get out of hand, all I do is a System Restore… in fact I depend a lot on it, and I must say System Restore in Win7 is way better than it had been in XP. I’m saying this out of experience.
Sorry for this long blabber, but it strikes me as a must to comment. After all, it’s quite hard to find a similarity between an intermediate user like me and an expert like you. Glad you wrote this today… kinda sums up and justifies my actions all this while (I’ve been feeling guilty at times for not testing software on a VM).
Wow I had no idea there were such evil applications to hide and obscure author’s code. Sort of an all in one anti decompiler interface.
Time for an Anti-Anti app? – To clean up files you want to pound and hack on, in a VM.
I do get the point of your article however, some hardware like Pro tools interfaces won’t run in a VM. Good luck with a 1394 in a VM for example..it ain’t gonna happen. But I didn’t even consider the anti-reversing aspect.
Wow, I never knew there were so many softwares to bypass sandboxing and VMware… Thanks for the warning!
Another thing to consider that would make using a VM not feasible is the sure fact that your antivirus can cause problems when testing things. I used to test things out on VMware for viruses until my antivirus kept crashing VMware (trying to disinfect the virus inside VMware’s file caused it to be corrupted). VMs are great for testing out general things about a certain item (look, feel, speed), but when you need to get down to specifics, they are a complete waste of time.
Although, I do have to say that I can install (on my desktop, not on my laptop though) a Windows OS much faster on a VMware. Mostly because I create *.ISO files of the OS’s that I use for testing or help with some troubleshooting (sometimes I forget where certain files are located xD). Those Anti’s on the Cryptors are the best reason to not use VMware for checking if a file is safe though.
Great info Raymond, thanks !
Hmm, good one, but I still prefer testing on VMs because of lack of hardware resources.. by the way, first one to comment here
;)
Attempted to use MobaLiveCD as you recommended but received an error message that kqemu errored in copy. There is no mention of this file or any other dependent download necessary in your write-up that I noted.
This app looked like a good winner but I cannot make it work under Windows-7.
Oh damn, deepfreeze is on that list.
I knew VMs/Sandboxie could be detected, so I used Deep Freeze to test, fat lot of good that did me it seems :p
Very good article… showed there are weaknesses in virtual software
Thanks Raymond
Really nice piece of information.
The best feature of your blog is that you present vital information in a very extraordinarily lucid and interesting manner.
Thanks a lot and keep blogging
I really appreciated your hard work Ray, thanks
Excellent article. I concur. I didn’t know about SysTracer, I will try it out.
Thanks for the new point of view. Will take that into consideration next time I run a keygen to crack a file.
PS.
What about WINE? Did you test it with any of those encryption tools above?
A good article Ray
Thanks
This article helps a lot and updates the knowledge
OK… thanks for it!
You’re doing great, Ray… Keep up the great job :)
.. and because you do it like that is why I keep coming back to your forum, that’s the way to test it, nice point made
Thanks Raymond
Hi, Raymond
Could you tell me how to download those crypters?
Thanks for another nice article Ray. Over the years your work has been much appreciated in making sure that the things you wrote are indeed in working shape.
Just to say this is a site I visit every day. The articles you write are brilliant. I learn something new every day from your site, cheers.
“Windows operating system installed in VirtualBox or VMware may look and work the same way as the real windows environment but in fact it doesn’t”
Why isn’t it the same? Is there any specific reason?
Raymond,
Do you think it is in any way dangerous for my computer to use a VM for testing antivirus software using malicious links? I like testing antivirus capabilities, but I’m worried that some malware can “jump” from the VM to my real HD. Thanks in advance for your answer.
If you have an i7 with 6GB RAM and RAID 0, VMware Workstation is sufficiently speedy for testing ;)
Nice the “Anti’s feature”, good article…
I always thought that a sandbox cannot be penetrated by malware, but I was wrong. I am now afraid for my PC protection. So does this also mean Flash in the sandbox on Chrome is also not safe anymore.. Shit…
I should now try to move on to Linux because it doesn’t get viruses as quickly as Windows. Nice article, can you please suggest us little security tools like Anti-Rootkits, Dialers, Bots etc. Please!! Thanks for your nice article once again Raymond. Raymond rocks….
Nicely done article, your efforts are always appreciated
Thanks Raymond! It’s new, fresh & instructive
Thanks Raymond, you are helping me a lot in my job…. I also love to test malware…
Cool, but where can I download these apps?
Interesting.
I always thought both were the same. Seems like virus/malware programmers are better than the rest.