Dynamic analysis of malware samples

Question

I have thousands of Linux malware samples in ELF format. And I am thinking to use dynamic analysis (say, PIN) to obtain an execution trace of each malware sample.

However, I am afraid such activity would crash my computer. So am I asking, how to dynamically analysis malware samples safely?

I know somehow I need to run it in a VM, but isn't it possible that the VM can be crashed as well? Should I reinstall the VM at that time? basically What's the best practice to do so?

Thank you a lot.

See Malware in virtual machines. – Jason Geffner Mar 02 '16 at 14:55 — Jason Geffner, Mar 02 '16 at 14:55

score 5 · Accepted Answer · answered Mar 02 '16 at 15:41

5

configure the VM with no access to network and create a clean snapshot before executing the first malware. Once the execution is complete revert the snapshot. Repeat that till you finish. (probably wanna automate it)

answered Mar 02 '16 at 15:41

GelosSnake

712
3
7

score 3 · Answer 2 · answered Mar 03 '16 at 08:29

It is very unlikely that the VM application can be crashed unless you are dealing with very sophisticated ELF malwares targeting your VM version. The guest OS or the environment inside the VM can be crashed though. In the event that it happens, you don't have to reinstall VM. Just follow SnakeByte instructions.

Dynamic analysis of malware samples

2 Answers2