Malware Lab Setup for Dynamic Analysis
Dynamic malware analysis requires a safe and isolated environment to run the malware in. One of the cheapest, safest and most flexible options is a virtual machine like VMWare or VirtualBox. Both are able to reset the system to a clean state once you are done with a sample or want to start over with the same sample.
If you want a free VM solution, download VirtualBox. Otherwise obtain a VMWare license. I will be discussing VirtualBox from now on. However, VMWare is not much different and you should be able to follow the instructions with it as well.
1. Choosing the Operating System for the VM
Next you need to install an operating system for your VM. You may not have many choices available, but if you do, keep in mind:
- A vulnerable system is good for dynamic analysis, because you want to observe the malware while it is doing its thing, e.g., Windows XP is a good choice for 32-bit malware.
- Some analysis tools are very old and have problems with newer systems (e.g. OllyDbg runs best on Win XP), so prefer an older system if you have the choice.
- 64-bit malware will only run on 64-bit systems. 32-bit executables run on both 32- and 64-bit systems. So if you have the choice, e.g., between Win7 32-bit and Win7 64-bit, choose the latter.
Of course you can install several analysis machines with different operating systems to choose the one that suits your needs best.
2. Creating the VM
- Install VirtualBox and open it on your host system.
- Click New to create a new VM.
- A dialog will open; enter the correct OS and a name for your VM.
- You will be asked to specify the hardware settings. You can use the default settings, but if you want to make your VM less detectable by malware, set the following:
  - at least 2 processors
  - at least 20 GB HDD (use dynamic allocation)
- Click Create.
- Go to the settings of your newly created VM. In the display settings uncheck 3D Acceleration and 2D Video Acceleration.
Your VirtualBox screen will look as follows:
3. Install the Operating System
Run the analysis VM. You will be asked for the medium to install the OS from. If you have a CD or DVD, put it into your computer and choose the right drive. If you have an .iso file, click on the folder icon to navigate to the ISO image.
Press Start and follow the prompts for installing the OS. If prompted for entering a username, please do not use your real name! Any information on that analysis machine might be sent away by malware.
Note: With VMWare you don't have to go through the whole installation process of Windows. It is able to throw you right into an installed operating system after choosing your image, which saves a lot of time in the creation of new VMs.
Activate Windows once the installation is done.
Do not install the VirtualBox Guest Additions at any point, or your VM will be more vulnerable to exploits that enable malware to run code on the host system!
4. Network Settings
It is important that you isolate the network of the VM, because some samples can infect other machines over the network. Preferably you should have no network connection at all.
Some samples need a connection, because they use the internet to download additional malware or to communicate with Command and Control servers. If you want to analyse this behaviour, examine the malware first to see what it would probably do with Internet access. Only activate the Internet connection if you feel confident that the risk is minimal.
If you do enable an Internet connection, configure your VM to use NAT. In NAT mode the host system acts as a router for the VM.
(figure from kernelmode.info)
Alternatively you can fake the Internet by setting up INetSim on another VM that your analysis VM connects to: http://www.inetsim.org/
I will not go into depth on this here, though.
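The GUI steps of sections 2 to 4 (and the snapshot step of section 5) can also be scripted with VBoxManage, VirtualBox's command-line tool, which is handy when you rebuild analysis VMs often. The script below is an added example and not part of the original post; the VM name, OS type id, memory size and the disk and ISO paths are assumptions for the example and must be adapted. By default (DRY_RUN=1) it only prints the commands, so they can be reviewed before being run against a real VirtualBox installation.

```shell
#!/bin/sh
# Added example (not from the original post): scripted equivalent of the
# VirtualBox GUI steps in sections 2-4, driven by VBoxManage.
# With DRY_RUN=1 (the default) the commands are only printed, so the script
# can be reviewed before touching a real VirtualBox install.
: "${DRY_RUN:=1}"

# Names and paths below are assumptions for the example, not values from the post.
VM_NAME="${VM_NAME:-analysis-xp}"
OS_TYPE="${OS_TYPE:-WindowsXP}"          # list valid ids with: VBoxManage list ostypes
DISK="${DISK:-./$VM_NAME.vdi}"
ISO="${ISO:-./install.iso}"              # placeholder path to the install medium

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Section 2: create and register the VM, then apply the hardware settings the
# post recommends (2 CPUs, no 2D/3D acceleration). The memory size is an assumption.
vm_create() {
    run VBoxManage createvm --name "$VM_NAME" --ostype "$OS_TYPE" --register
    run VBoxManage modifyvm "$VM_NAME" --cpus 2 --memory 2048 \
        --accelerate3d off --accelerate2dvideo off
    # The VM starts with no network adapter at all; NAT is enabled later, deliberately.
    run VBoxManage modifyvm "$VM_NAME" --nic1 none
}

# Sections 2/3: a 20 GB dynamically allocated disk (variant Standard) and the
# install ISO attached as a DVD drive.
vm_storage() {
    run VBoxManage createmedium disk --filename "$DISK" --size 20480 --variant Standard
    run VBoxManage storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
    run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$DISK"
    run VBoxManage storagectl "$VM_NAME" --name IDE --add ide
    run VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium "$ISO"
}

# Section 4: the only two modes the post allows are no network and NAT.
# Anything else (bridged, host-only, internal) would expose other machines
# and is rejected.
vm_network() {
    case "$1" in
        none|nat) run VBoxManage modifyvm "$VM_NAME" --nic1 "$1" ;;
        *) echo "refusing network mode '$1': use none or nat" >&2; return 1 ;;
    esac
}

# Section 5: take a named snapshot (e.g. "plain" after the OS install, "basic"
# after the non-analysis programs) so the VM can be reset after each sample.
vm_snapshot() {
    run VBoxManage snapshot "$VM_NAME" take "$1"
}

# Usage: sh lab.sh build   (add DRY_RUN=0 to actually run the commands)
if [ "${1:-}" = "build" ]; then
    vm_create && vm_storage && vm_network none
fi
```

After the OS is installed from the ISO, `vm_snapshot plain` records the clean state; `vm_network nat` is only called for a sample that has been judged to need Internet access, and `vm_network none` puts the VM back into isolation afterwards. Bridged mode is refused on purpose, because it would place the VM on the same LAN as the host and any other machine there.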
5. Programs to Install on the Analysis System
First create a snapshot of the plain system. Then install the common, non-analysis-related programs. If they need activation, do that. Then create a snapshot of your basic analysis system. I suggest installing the following programs (where possible; I am aware that not everyone has an MS Office license):
- Java Runtime for analysis of malware that needs it
- The most common browsers, Chrome and Firefox, so you can analyse samples that perform changes on them (e.g. adware)
- MS Office to analyse Macro malware or infected emails (don't forget to activate)
- Latest .NET Framework to analyse .NET samples.
- Notepad++ (or another editor with similar capabilities)
- Adobe Reader for PDF samples
- 7zip to extract archives
I suggest you do not install or place any analysis tools on the basic system, but keep them in a folder on a USB stick instead and move only the tools needed, along with the sample to analyse. You should also rename all of the tools (on that USB stick), e.g., processexplorer.exe to 123.exe or to something that reminds you of its purpose but does not contain strings of the original name. Malware often searches for processes or files with certain names in order to kill or delete them. You avoid this trouble by renaming the files right away.
If some tools need extensive work to set up, do that and create a new snapshot that you name after the tool.
I usually create setups to analyse certain samples, e.g. a setup for .NET sample analysis only with all programs needed on desktop, readily configured and already open. This way you have the least work and only the necessary tools on the system.
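The renaming step from section 5 is easy to get wrong by choosing a new name that still contains the original one (e.g. "procexp-renamed.exe"). The following script is an added example, not from the original post: it renames a tool folder according to a mapping file and refuses any new name that still contains the original tool's base name. The tool and file names it uses are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): rename a folder of analysis
# tools as section 5 suggests, and verify that no new name still contains
# the tool's original base name. File names used below are constructed.
# Mapping file format, one entry per line: "<original file> <new file>"

# name_is_clean <original file> <new file>
# Returns 0 if the new name does not contain the original base name
# (case-insensitive), 1 otherwise.
name_is_clean() {
    orig_base=$(printf '%s' "${1%.*}" | tr '[:upper:]' '[:lower:]')
    new_lower=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$new_lower" in
        *"$orig_base"*) return 1 ;;
        *) return 0 ;;
    esac
}

# rename_tools <tool dir> <mapping file>
# Renames each listed tool; entries that keep the original name, point at a
# missing file, or would overwrite an existing file are skipped with a message.
# Keep the mapping file off the stick afterwards: it records the original names.
rename_tools() {
    dir=$1
    map=$2
    while read -r old new; do
        [ -n "$old" ] || continue                      # skip blank lines
        if [ ! -f "$dir/$old" ]; then
            echo "skip: '$old' not found in $dir" >&2
            continue
        fi
        if ! name_is_clean "$old" "$new"; then
            echo "skip: '$new' still contains the original name of '$old'" >&2
            continue
        fi
        if [ -e "$dir/$new" ]; then
            echo "skip: '$new' already exists" >&2
            continue
        fi
        mv "$dir/$old" "$dir/$new"
    done < "$map"
}

# demo_rename: builds a temporary tool folder with constructed file names,
# applies a mapping (one entry deliberately keeps the original name) and
# returns the names left in the folder, space-separated.
demo_rename() {
    tmp=$(mktemp -d)
    for f in processexplorer.exe procmon.exe wireshark.exe; do
        : > "$tmp/$f"
    done
    printf '%s\n' \
        'processexplorer.exe 123.exe' \
        'procmon.exe mon.exe' \
        'wireshark.exe wireshark-renamed.exe' > "$tmp/map.txt"
    rename_tools "$tmp" "$tmp/map.txt" 2>/dev/null
    names=$(ls "$tmp" | tr '\n' ' ')
    printf '%s\n' "${names% }"
    rm -rf "$tmp"
}

# Usage: sh rename-tools.sh /media/usb/tools mapping.txt
if [ "$#" -eq 2 ]; then
    rename_tools "$1" "$2"
fi
```

In the demo, processexplorer.exe becomes 123.exe and procmon.exe becomes mon.exe, while wireshark.exe is left untouched because "wireshark-renamed.exe" would still match a search for the original name.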