AFAIK all the issues you're going to run into will be browser related.
Sometimes malicious sites will behave differently based on your browsers UserAgent. If you are using Firefox, there are some great plugins that let you spoof the user agent in order to make malware sites think you're coming in via IE on a windows box. Further, some malware sites will try to exploit ActiveX or other 'IE-Only' functionality which you'll have a hard time working through without an actual machine to infect.
A mitigation to these issues is to actually run an instance of Windows as a guest to your linux host using virtual machine technology (ex. VMware, Bochs, QEMU, VirtualBox, etc). Ideally you will install your virtual machine, install all your analysis tools, patches, etc and take a snapshot or backup. You will revert back to this backup (also known as you 'clean state') after each case. You need to be careful with your network configuration though-- the machine will need internet access and thus will have to be on your network. I suggest that you configure your firewall to prevent this system from talking to any other machine on the network (you can firewall machines or put it on a seperate subnet..) On the subject of networking, you should never leave a case open-- if you need to take a break, either use state suspend feature or turn the virtual machine off and try again when you have more time. If you get owned, you don't want to let the "bad guys" use your network resources.
The advantage to having a windows guest on a linux box is to try and mitigate against an unlikely scenario where some 0day will be vm aware, notice that you're using vmware (for example) and use a 0day vmware exploit to gain remote code execution rights on the host which it will then infect. People constantly talk about this scenario, but i'm yet to find a single sample that attempts this. The closest i've gotten is malware that will behave very differently on virtual machines in order to thwart analysis.
The very last point i'd like to make is analysis tools. Most malware today is written for win32. Most analysis tools (disassemblers, debuggers, memory dumpers, packer detection, etc etc) run in windows only... So you may want a windows box to do analysis if you intend on doing more than just collecting the stuff. I suggest you create another snapshot or virtual machine profile for analysis. Ideally your analysis machine will not be network-enabled at all (you can always drag/drop or copy paste files in and out of guest machines).
TJS
DISCLAIMER: This is just my personal advice on how to set up a slightly more secure malware collection/analysis environment than the one you have today. Don't blame me if you get owned or if anything bad happens to you. You really shouldn't play around with this stuff.. No one should.
Topic: Using Linux (Read 9432 times)
