Author Topic: Malware Lab Setup for Dynamic Analysis  (Read 2119 times)

0 Members and 1 Guest are viewing this topic.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Malware Lab Setup for Dynamic Analysis
« on: September 24, 2015, 09:06:23 pm »
Malware Lab Setup for Dynamic Analysis

Dynamic malware analysis requires a safe and isolated environment to run the malware in. One of the cheapest, safest and most flexible options is a virtual machine like VMWare or VirtualBox. Those are able to reset the system to a clean state once you are done with a sample or want to start over with the same sample.

If you want a free VM solution, download VirtualBox. Otherwise obtain a VMWare license. I will be discussing VirtualBox from now on. However, VMWare is not much different and you should get along with the instructions as well.

1. Choosing the Operating System for the VM

Next you need to install an operating system for your VM. Maybe you have not many choices available, but if you have, keep in mind:
  • A vulnerable system is good for dynamic analysis, because you want to observe the malware while it is doing its thing, e.g., Windows XP is a good choice for 32-bit malware.
  • Some analysis tools are very old and have problems with newer systems (e.g. OllyDbg runs best on Win XP), so prefer an older system if you have the choice.
  • 64-bit malware will only run on 64-bit systems. 32-bit executables run on both 32- and 64-bit systems. So if you have the choice, e.g., between Win7 32-bit and Win7 64-bit, choose the latter.
Of course you can install several analysis machines with different operating systems to choose the one that suits your needs best.

2. Creating the VM

  • Install VirtualBox and open it on your Host system.
  • Click New to create new VM.
  • A dialog will open, enter the correct OS and a name for your VM.
  • You will be asked to specify the hardware settings. You can use the default settings, but you want to make your VM less detectable by malware, set the following:
    • at least 2 processors
    • at least 20 GB HDD (use dynamic allocation)
  • Click Create.
  • Go to the settings of your newly created VM. In the display settings uncheck 3D Acceleration and 2D Video Acceleration
Your VirtualBox screen will look as follows:



3. Install the Operating System

Run the analysis VM. You will be asked for the medium to install the OS from. If you have a CD or DVD, put it into your computer and choose the right drive. If you have an .iso file click on the folder icon to navigate to the ISO image.



Press Start and follow the prompts for installing the OS. If prompted for entering a username, please do not use your real name! Any information on that analysis machine might be sent away by malware.

Note: With VMWare you don't have to go through the whole installation process of Windows. It is able to throw you right into an installed operating system after choosing your image, which saves a lot of time in the creation of new VMs.

Activate Windows once the installation is done.

Do not install VirtualBox Additions at any point or your VM will be more vulnerable for exploits that enables malware to run code on the host system!

4. Network Settings

It is important that you isolate the network of the VM, because some samples can infect other machines over the network. Preferably you  should have no network connection at all.

Some samples need a connection, because they use the internet to download additional malware or to communicate with Command and Control servers. If you want to analyse this behaviour, examine the malware first to see what it would probably do with Internet access. Only activate the Internet connection if you feel confident that the risk is minimal.

If you set an Internet connection, configure your VM to use NAT.
The host system will act as a router in NAT mode.


(figure from kernelmode.info)

Alternatively you can fake the Internet by setting up InetSim on another VM that you will use to connect your analysis VM to: http://www.inetsim.org/
I will not go into depths with this here, though.

5. Programs to Install on the Analysis System

At first create a snapshot of the plain system. Then you should install common non-analysis related programs first. If they need activation, do that. Then create a snapshot of your basic analysis system. I suggest to install the following programs (if possible, I am aware that not everyone has an MS Office license):
  • Java Runtime for analysis of malware that needs it
  • The most common browsers, Chrome and Firefox, so you can analyse samples that perform changes on them (e.g. adware)
  • MS Office to analyse Macro malware or infected emails (don't forget to activate)
  • Latest .NET Framework to analyse .NET samples.
  • Notepad++ (or another editor with similar capabilities)
  • Adobe Reader for PDF samples
  • 7zip to extract archives
I suggest you do not install or place any analysis tools for the basic system, but keep them in a folder on your USB stick instead and move only the tools needed along with the sample to analyse. You should also rename all of the tools to something else (on that USB stick), e.g., processexplorer.exe to 123.exe or something that reminds you better of its purpose, but does not contain strings of the original name. Malware often searches for processes or files with certain names in order to kill or delete them. You will avoid this trouble by renaming the files right away.

If some tools need extensive work to set up, do that and create a new snapshot that you name after the tool.
I usually create setups to analyse certain samples, e.g. a setup for .NET sample analysis only with all programs needed on desktop, readily configured and already open. This way you have the least work and only the necessary tools on the system.

Offline white-knight

  • Knight
  • **
  • Posts: 190
  • Cookies: 26
    • View Profile
Re: Malware Lab Setup for Dynamic Analysis
« Reply #1 on: September 24, 2015, 09:22:16 pm »
Very awesome  thank you +1   

Offline blindfuzzy

  • VIP
  • Peasant
  • *
  • Posts: 86
  • Cookies: 34
    • View Profile
Re: Malware Lab Setup for Dynamic Analysis
« Reply #2 on: September 26, 2015, 12:15:09 am »
Both of your malware lab setup tutorials are great! I do a little malware analysis here and there at work and it is definitely interesting stuff to get in to.

Offline Trevor

  • Serf
  • *
  • Posts: 39
  • Cookies: 18
  • Coder, Reverser
    • View Profile
Re: Malware Lab Setup for Dynamic Analysis
« Reply #3 on: September 26, 2015, 09:56:43 am »
Excellent and informative article.

I would also like to add that it is best to disable Guest Integration, Clipboard sharing, drag and drop, printer etc.

Recently a zero day was discovered in vmware which allows a malware to escape through the COM port (Details here: https://docs.google.com/document/d/1sIYgqrytPK-CFWfqDntraA_Fwi2Ov-YBgMtl5hdrYd4/preview?pli=1).

Also another benefit of disabling the above services, is that it becomes difficult for the malware to detect if it is running on a real system or a virtual one. The idea is to reduce the virtualization artifacts as far as possible.

Generally, VM's are assigned only a single processor. However, modern day computers are multi-core.
Also we generally assign just a single disk drive with just sufficient space to a virtual machine. Real machines have more than 1 disk drive, with a total capacity of more than 50 GB (at least).

These information can be used to detect virtualization.

Also the usual ways to detect VMWare/Virtualbox via red-pill/blue-pill etc also needs to be patched for the best results.

Anyways, thanks again for your article.
« Last Edit: September 26, 2015, 10:18:33 am by Trevor »

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: Malware Lab Setup for Dynamic Analysis
« Reply #4 on: September 26, 2015, 09:29:12 pm »
I would also like to add that it is best to disable Guest Integration, Clipboard sharing, drag and drop, printer etc.

Recently a zero day was discovered in vmware which allows a malware to escape through the COM port (Details here: https://docs.google.com/document/d/1sIYgqrytPK-CFWfqDntraA_Fwi2Ov-YBgMtl5hdrYd4/preview?pli=1).

Also another benefit of disabling the above services, is that it becomes difficult for the malware to detect if it is running on a real system or a virtual one. The idea is to reduce the virtualization artifacts as far as possible.

I did say in the article that you shouldn't even install the guest additions. Disabling is not enough. Even installing and deinstalling them will mess up VirtualBox.

Quote
Generally, VM's are assigned only a single processor. However, modern day computers are multi-core.
Also we generally assign just a single disk drive with just sufficient space to a virtual machine. Real machines have more than 1 disk drive, with a total capacity of more than 50 GB (at least).

I addressed the processors and disk space too, although I did not explain the reasons for the settings in depth.

There is a pretty good article about making VirtualBox less detectable here http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478

Nothing makes the VM 100% undetectable, though. It is impossible from a technical perspective.

Quote
Anyways, thanks again for your article.

You are welcome. Thanks for your feedback.

Offline shaitan

  • NULL
  • Posts: 1
  • Cookies: 0
    • View Profile
Re: Malware Lab Setup for Dynamic Analysis
« Reply #5 on: December 27, 2015, 10:26:01 pm »
Thx for your work you put into your series. You articles are pretty good for being free resource on a public forum.

Quote
If you set an Internet connection, configure your VM to use NAT.
The host system will act as a router in NAT mode.
Why would you actually use NAT? In access controlled environments (MAC) or connections through wlan adapters its the "only" way (MAC spoofing not counted here). Personally I would prefer Bridged Networking, because I did not manage to ping my host system. In NAT-mode I can ping my LAN IPv4 address.

Execute in guest-system
Code: [Select]
ipconfig /all
ping 192.168.0.10

I would say this is a risk like VirtualBox additions especially during the dynamic analysis of self-propagating worms.
« Last Edit: December 27, 2015, 10:29:04 pm by shaitan »

Offline ducksauce88

  • NULL
  • Posts: 3
  • Cookies: 0
    • View Profile
Re: Malware Lab Setup for Dynamic Analysis
« Reply #6 on: January 13, 2016, 05:48:44 pm »
Great tutorial, this is definitely going to help me get up and running. I've infected my system before even when using a VM, so this time I'm going to make sure that doesn't happen.