
Ask HN: Is it recommended to use a secondary laptop for malware analysis? - halpme
I picked up a copy of "Practical Malware Analysis" to get started with malware analysis and reverse engineering. One concern I have, especially after reading the VM setup chapter, is doing malware analysis in a VM on a primary computer. Apparently malware can detect if it's running in a virtualized environment, and try to exploit any vulnerabilities to escape its sandbox to infect the host system.

Now, I have a fancy $2300 MacBook Pro, and I'd be devastated if I messed it up by being careless. I was considering picking up a used Thinkpad for like $150, maybe installing a small SSD and upgrading RAM. Total cost would be more or less $300 and peace of mind not caring if the laptop gets killed or screwed up.

I want to hear some insight from experienced folks about their thoughts on the topic, if it's worth getting a secondary laptop or if I'm being paranoid and can safely run all malware in a VM on my MBP. Thanks!
======
brudgers
For malware analysis, I'd definitely look at computers as cattle rather than
pets...I guess I'm leaning that way in general.

One way of approaching it though is to swap out SSDs. Turn the box off, pull
one out, put in another and [assuming there is only one persistent storage device]
it's a whole new computer. For a lot of tasks, _swapping state_ could probably
just be thumb drives. For many tasks, 16G or even 8G is going to be plenty for
Linux, tools, and the object of interest. Those run about $8 in bulk these
days.

Build a standard tool image; store it on the Mac and burn it onto thumb drives
asynchronously. When a new project comes along, pop one into the second
machine; load in the malware; and have at it. Don't even need a VM.

Good luck.

------
akg_67
You can minimize the attack methods/surface but you can't eliminate it
completely. There is no fool-proof way that will work in all situations.

- Malware in VM has potential of migrating to host.

- Malware on a network connected separate hardware system has potential of
migrating through network.

- Malware on a stand-alone separate hardware system has potential to migrate
through external media (USB key/disk) exchange between the two systems.

As you are starting to learn, you most probably will be learning with known
malware. As long as you are not analyzing malware that is known to escape from
VM to host, you will most probably be better off starting with VM for analysis.

When learning a new topic, it is better to get started quickly rather than
focusing on finding the perfect setup.

------
seanwilson
Could you run your experiments on something like AWS EC2 or Digital Ocean?
Likely cheaper and they're easy to start from a clean slate.

~~~
brudgers
Mightn't VM aware malware become aware of the VM and behave differently?

~~~
seanwilson
Most likely. What would be the plan for how to quickly reset the state of the
malware laptop though?

~~~
brudgers
See the approach outlined in my direct response to the OP.

------
tracker1
Doing analysis on an external drive from where it wasn't run is probably a
good idea. There's always risk though. That said, I'd invest in an external
usb3/thunderbolt sata3 drive reader, so you can run on the thinkpad, then read
the drive on the analysis machine.

ymmv, ianal, etc...

------
wprapido
yeah, having more laptops for various purposes (malware analysis) is always a
good idea

