How do you investigate potentially malicious Web page code without infecting yourself?
As a computer security defender, I’m often in a position where I need to investigate a potentially malicious Web link. Maybe it arrived in a very legitimate-looking phishing e-mail, in a new exploit announcement, or embedded in some other medium. Either way, I’m either unsure whether the link is really malicious, or I’m sure it is but still want to view the source or the intended download.
The quickest investigation method -- but probably the least secure -- is to run an alternate browser that is not normally capable of automatically executing the malicious link or malware. For instance, because most browser threats are made for Microsoft’s Internet Explorer, I often use Mozilla Firefox or another browser. This usually works, but you never know when your alternate browser will be just as exposed to the malicious link or program that you are exploring.
Surprisingly to many people, Firefox has had just as many separately announced vulnerabilities as Internet Explorer over the past two years. It is not uncommon for a vulnerability announced for one to affect the other; in fact, it happened last week (check out this advisory for Firefox and this one for IE). Although the malware I’m investigating can usually be run more safely in Firefox, I’m always aware that I'm taking a risk.
In that vein of thought, I often run less-popular browsers when investigating malware to decrease my chances of unintended malware activation. The Opera browser is a good choice with a multitude of platforms from which to choose -- Windows, Linux, BSD, Solaris, and so on -- and a much lower rate of announced exploits. Linux Konqueror is another safer browser choice.
Apple Safari’s three announced exploits make it a viable choice, too. The only problem is that you have to run OS X to get Safari. Some of the underlying open source components are available on other platforms, but Safari itself remains closed source.
Malware analysts often prefer the even safer text-only browser Lynx. Its multiplatform support (DOS, Windows, Linux, VMS, and so on), cost (free), and lack of features often make it a smart and safe choice. Despite all this, it still frequently astounds me that even Lynx is susceptible to exploits -- including one buffer overflow.
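The safest way to read a suspicious page is the same idea Lynx embodies: retrieve the bytes and inventory the active content without rendering it. The script below is an added example, not from this column; it parses untrusted HTML with Python's non-executing `html.parser` and lists what a full browser would have acted on (external scripts, iframes, plugin objects, meta refreshes, obfuscation patterns in inline JavaScript). The `SUSPICIOUS_JS` indicators and the sample page are constructed for illustration, and `fetch_raw` is an assumed helper that only downloads bytes.

```python
import re
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# Heuristic markers often seen in obfuscated loader scripts (constructed list, not proof of malice).
SUSPICIOUS_JS = ("eval(", "unescape(", "fromCharCode", "document.write(")


class ActiveContentInventory(HTMLParser):
    """Inventories content a browser would act on, without acting on any of it."""

    def __init__(self):
        super().__init__()
        self.findings = {"scripts": [], "iframes": [], "objects": [],
                         "meta_refresh": [], "inline_js_hits": []}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lowercased
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.findings["scripts"].append(a["src"])
        elif tag == "iframe":  # tiny/hidden frames are a classic drive-by pattern
            self.findings["iframes"].append({"src": a.get("src", ""),
                                             "width": a.get("width"), "height": a.get("height")})
        elif tag in ("object", "embed", "applet"):
            self.findings["objects"].append(a.get("data") or a.get("src") or a.get("code") or "")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings["meta_refresh"].append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered here as raw text; we only search them, never evaluate them.
        if self._in_script:
            self.findings["inline_js_hits"].extend(n for n in SUSPICIOUS_JS if n in data)


def inventory(html: str) -> dict:
    p = ActiveContentInventory()
    p.feed(html)
    p.close()
    return p.findings


def fetch_raw(url: str, max_bytes: int = 1_000_000, timeout: int = 10) -> str:
    """Assumed helper: fetch raw bytes only (no rendering, no scripts, no plugins, size-capped)."""
    with urlopen(Request(url, headers={"User-Agent": "analysis-fetch/1.0"}), timeout=timeout) as r:
        return r.read(max_bytes).decode("utf-8", errors="replace")


# Constructed sample resembling a drive-by landing page; example.invalid is not a real host.
SAMPLE = """<html><head><meta http-equiv="refresh" content="0;url=http://example.invalid/next">
<script src="http://example.invalid/loader.js"></script></head>
<body><iframe src="http://example.invalid/x.html" width="1" height="1"></iframe>
<script>eval(unescape("%61%6c%65%72%74"));</script></body></html>"""
```

Run `inventory(fetch_raw(url))` from an isolated analysis host; note that `urlopen` follows HTTP redirects, so the inventory describes the final page rather than each hop.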