If you don't want to press your luck with a less-used browser, many browser analysts use Web-based services that extract link information and source code and display it as data, decreasing the likelihood of it being executed. Wannabrowser and Web-Sniffer are great proxy agents for that type of code review. Just plug in the suspected link and the resulting HTML code will be displayed safely on your screen as text data. As far as I can tell, cross-site scripting attacks and the like don’t work using these services.
But any time you peruse malicious code or links through an online browser, you risk the possibility of accidentally executing remote malicious code. Many researchers, including myself, download the links and code using nonbrowser tools and open the resulting content in harmless text editors such as Microsoft’s Notepad, Unix’s Vi, or Linux’s Kedit programs.
Wget is an excellent HTML content downloading tool for doing just that. It runs in both Linux/Unix and Windows as a command-line tool. Running wget –r <url>, where <url> is the Web site address, Wget will download the entire Web site -- graphics and all -- to your local disk, where it can be examined in a text editor.
The safest and my recommended method for testing Web code, however, is to use a virtual machine. There are several virtualization software programs out there, including VMware, Virtual PC, Xen, and even User-Mode Linux.
Because all virtualization software can be detected and circumvented back to the host, it’s probably better to run VM software on a nonproduction machine when investigating malware. Still, even running a VM on your primary machine is preferable over blindly running malicious links on your host operating system.
VMs emulate your host environment as closely as they can. When clicking on malicious links or running malware, all the bad stuff executes in the virtual environment. In most cases (you can never be sure without a full malware code review), the malicious software's attempts to modify the local machine only alter the VM environment. Don’t like what it did or not sure what it did? Just reset the VM and voila, it’s like it never happened.
Even when running malware in a VM environment, you still need the tools that allow you to analyze the malware forensically. That means using one of the previously mentioned Web source code review tools or running other tools to look for system modification (such as Tripwire) or Sysinternals’ Regmon or Filemon.
When using VM environments, you still need to take special care to contain any malicious code or behavior within the VM environment. For example, if you run a network-based worm, it will still be capable of using the VM’s networked resources to spread beyond the VM environment, unless you disable networking or use an offsetting defense.
Of course, when analyzing malware, the investigator should use appropriate caution. But any of these methods beats clicking on the malicious link or content in IE and hoping nothing happens.