Quote Originally Posted by VirusBuster:
... I only disagree in one thing: if you are going to use VirtualBox for malware analysis, why use it under Linux if VirtualBox for Windows exists? ...
I understand your veto on that. Actually it's (nearly) perfectly fine if you use Windows as the host system. The fundamental concept behind Minibis furthermore gives you free choice in all of its components, so also in this. However, having said this, I would still recommend having another OS as host (might also be Mac OS), just to massively reduce the risk that, if something escapes, it will find its native environment again. You can take the following scenario as an example:

Usually you have networking capabilities in your malware lab environment. That's a must, as you want to know what the sample is trying to do over the net. From the forensic aspect, so as not to unnecessarily add software to the sample's playing field, you usually position your network monitor (sniffer) outside of it. So if you have the typical scenario of a host and a guest (in VM jargon), your sniffer would sit on the host. The network in that scenario is definitely the place of the highest risk for anything to escape. So if you analyse samples like Conficker (and so on) which try to spread themselves over the network, you're in a very bad situation if you have Windows as the host system, especially if it's an unknown sample that might have some RPC zero-day exploit payload on board. In the worst case it would infect your host, which wouldn't even be the fault of the VM solution.

To stay on this RPC scenario: that's also a point for sandboxes. Sandboxes do hook (and so on) more or less of the OS's functionalities to hinder a process from attacking un-sandboxed components, including inter-process communication (RPC, pipes, mailslots, ...). But the network communication is usually not "influenced", as sandboxes' primary goal is to provide prophylaxis against infections during surfing and emailing, in other words, during internet communications. But all these techniques (RPC, pipes, mailslots) I mentioned above are done via "cable". So it's easy to circumvent the sandbox by implementing them directly in the malware and not calling the corresponding OS functionalities which are controlled by the sandbox.

So, as a ... résumé: if you're about to lock up an alien from planet "Nitro" and you know that it needs pure nitrogen for breathing, wouldn't it be smarter to surround its cell with pure oxygen than nitrogen?

Cheers,
chrisu.
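As an added illustration of the network-escape scenario in the post above (example code written here, not chrisu's code and not part of Minibis): a host-side check that the sniffer's tcpdump-style text output can be run through, flagging guest traffic aimed at the host's own RPC/SMB ports and worm-like sweeps of the host-only subnet. The addresses, ports, threshold and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed host-only network layout (assumptions, not taken from the post).
HOST_IP = "192.168.56.1"      # analysis host that runs the sniffer
GUEST_IP = "192.168.56.101"   # VM in which the sample is executed
RPC_SMB_PORTS = {135, 139, 445}   # MSRPC endpoint mapper, NetBIOS session, SMB
SCAN_THRESHOLD = 3            # distinct targets on one port before we call it spreading

# Matches the "src.sport > dst.dport:" part of a tcpdump line,
# e.g. "IP 192.168.56.101.49152 > 192.168.56.1.445:".
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def analyse(lines):
    """Return alert strings for guest packets that hit the host's RPC/SMB ports
    or that contact many hosts on one RPC/SMB port (lateral spreading)."""
    alerts = []
    targets = defaultdict(set)   # dst port -> set of destination IPs the guest contacted
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if src != GUEST_IP:      # only traffic originating from the sample's VM matters here
            continue
        if dst == HOST_IP and dport in RPC_SMB_PORTS:
            alerts.append(f"guest->host RPC/SMB on port {dport}")
        if dport in RPC_SMB_PORTS:
            targets[dport].add(dst)
    for port, hosts in targets.items():
        if len(hosts) >= SCAN_THRESHOLD:
            alerts.append(f"guest contacted {len(hosts)} hosts on port {port} (worm-like spreading)")
    return alerts

# Constructed sniffer output: one HTTP request, then SYNs to port 445 on the host and two neighbours.
SAMPLE = """\
12:00:01.000 IP 192.168.56.101.49152 > 93.184.216.34.80: Flags [S], seq 1, win 8192, length 0
12:00:02.000 IP 192.168.56.101.49153 > 192.168.56.1.445: Flags [S], seq 1, win 8192, length 0
12:00:03.000 IP 192.168.56.101.49154 > 192.168.56.2.445: Flags [S], seq 1, win 8192, length 0
12:00:04.000 IP 192.168.56.101.49155 > 192.168.56.3.445: Flags [S], seq 1, win 8192, length 0
12:00:05.000 IP 192.168.56.1.445 > 192.168.56.101.49153: Flags [R.], seq 0, ack 2, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```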