Is it safe to use virtual machines when examining malware?
Are virtual machines safe for this? The answer is the same as for a lot of questions of the form "Is X safe?": no, it's not absolutely safe.
As described elsewhere, bugs in the virtual machine or poor configuration can sometimes enable the malware to escape. So, at least in principle, sophisticated malware might potentially be able to detect that it's running in a VM and (if your VM has a vulnerability or a poor configuration) exploit the vulnerability or misconfiguration to escape from your VM.
Nonetheless, it's pretty good. Probably most malware that you run across in the field won't have special code to escape from a VM.
And running the malware in a VM is certainly a lot safer than installing it directly onto your everyday work machine!
Probably the biggest issue with analyzing malware samples in a VM is that some malware authors are starting to get smart and are writing their malware so that it can detect when it is run in a VM and shut down when running inside a VM. That means that you won't be able to analyze the malicious behavior, because it won't behave malicious when it's run inside a VM.
What alternatives are there? You could set up a sacrificial machine on a local machine, install the malware on there, then wipe it clean. Such a test network must be set up extremely carefully, to ensure that the malware can't propagate, can't spread to other machines of yours, and can't do any harm to others.
References:
Is it safe to install malware in a VM (Summary: "There is no simple answer", and there are some risks)
How secure are virtual machines really? False sense of security? (Summary: there are definitely some risks that could allow malware to escape the VM)
Does a Virtual Machine stop malware from doing harm? (Summary: there have occasionally been vulnerabilities that has enabled malware to escape the VM)
Using a virtual machine is a safer way to study malware than running it on a normal machine - the main reason being that you can wipe and start over from a known fresh image at any time.
Isolation is also key, though - if your virtual machines are connected to your network they will be able to spread malware just as if they were physical machines, so either isolate logically (within the host) or physically (disconnect from the network)
I've seen enough tangential information to believe that some viruses are capable these days of detecting that they are on a virtual machine and alter their behavior accordingly. The example I've heard is that the code will appear benign in the VM and then reactivate and infiltrate when not in a VM.
My recommendation whenever you want to test malware is to play in a cleanroom with disposable equipment. Don't trust the VM to be your barrier - run in a lab where any network you provide is entirely standalone, connected to nothing else. Be sure that any removable memory (USBs, etc) you use is one way only from the outside world in, and when you're done, wipe and reimage the computers you used for testing. Bring everything back to a known good state, don't try to clean up manually.
For the purpose of study, it would probably be quite a lot of fun to try the viruses on both a machine with a vM and a regular bare bones host. I'd probably throw some network monitoring on there, too, to see what the software tries to do over the network.