Malware Analysis - Part II - Setting up Lab

Malware Analysis

• Malware Analysis - Part I - Basics

• Malware Analysis - Part II - Setting up Lab

• Malware Analysis - Part III(A) - Basic Static Analysis

Hi guys! Malware Analysis - Part I - Basics just gave you an overview of Malware Analysis. This blog will prepare you with all the requirements needed before we dig into Static and Dynamic Analysis. Let us first understand the advantages & risks associated with using VMware and setup & configure our lab for Malware Analysis. Doing so, we can make sure that the analysis is performed in a safe environment and does not affect the system or network. 

Malware Analysis can be performed in Air-Gapped Network. Air-Gapped Networks allows running the Malware in an isolated environment far from the public Internet or an unsecured Local Area Network thus without putting other computers at risk. Air-gapped network cannot be used if the Malware interacts with the Internet. If Malware Analysis is performed in the physical machine make sure you use a tool such as Norton Ghost or Clonezilla to manage backup images of their operating systems (OSs), which can be restored after completion of the analysis. 

Requirements

Below are a few software and hardware requirements that need to be set up before moving further.

Software Requirements:

• VMWare Workstation / VirtualBox (Linux)
• Windows XP iso
• Malware Analysis Tools

Hardware Requirements:

• RAM: 4GB

Setup lab for Malware Analysis

• Download VMWare Workstation or Virtual Box (Linux) and install it in your host machine. If you are not sure about the configuration settings, then it is recommended to use the default settings.
• Next, Download and Install the Operating System. For the in-depth understanding of malware analysis, there is no better option than using Windows XP.
• After Windows XP is installed, Install the required tools/application for Malware Analysis as we move further.
• Next, Install VMWare tools. Goto VMWare Menu→ VM → Install VMware Tools.

Configuring Virtual Machine

Now we need to configure the Virtual Machine so that the Malware does not affect the network and host system. VMware and Virtual Box offer several networking options for virtual networking. We will mostly focus on two things - 

Malware Analysis in Air-Gapped Network

It is not recommended to configure VM with no network connectivity since you won’t be able to analyze if the Malware is performing any malicious network activity.

• Disconnect the network adapter from the Virtual Box/Virtual Machine or remove the network adapter.
• Host-only networking is a feature in both VMWare and Virtual Box that creates a separate private network between the host OS and the Virtual Machine. A host-only network is not connected to the Internet. Thus the Malware is contained within your Virtual Machine but allowed some network connectivity, and the host is still connected to the Internet or other external networks. Also, ensure that the host machine is fully patched in case the Malware tries to spread. It is possible that the Malware uses a zero-day exploit against the host OS.
• Multiple Virtual Machines can be disconnected from the Internet and host machine but can be linked to LAN so that the Malware is connected to a network, but the network isn’t connected to anything.

Malware Analysis Connecting to the Internet

When performing dynamic analysis, it may sometimes be essential to connect the Virtual Machine running Malware to the Internet for more realistic analysis environment, despite all the risks. Before connecting it to the internet, perform some analysis to determine what the malware can do when connected to the internet.

• Never connect to the Internet without knowing what Malware can do. Connecting to the Internet and performing Malware Analysis could give knowledge to Malware writers about the connection.
• Using VMware/VBox with a bridged network adapter allows the VM to be connected to the same network interface as the host machine, thus, allowing malware to connect to the Internet. Using VMware’s/VBox's Network Address Translation (NAT) mode shares the host’s IP connection to the Internet. In this, the host acts as a router and translates all requests from the virtual machine.
• Any external device can also be connected in the VMware/VBox. Connecting a USB device when the VM is active will connect it to the guest machine and not the host machine.

Features of Virtual Machine

Snapshots

VirtualBox and VMware provide the save snapshot feature of guest VM state information. That simply means time travel is possible! Going back in time and reverting the virtual machine. Let us understand this with an example - At 10:00, you take a snapshot of the computer, and you run the malware. At 12:00, you revert back to the snapshot taken at 10:00. The Operating System, Softwares, and other components of the machine will return to the same state they were at 10:00, and everything that occurred between 10:00 and 12:00 is erased as though it never happened. 

Transferring Files from VM

One limitation of using snapshots is that any work undertaken on the virtual machine is lost when you revert to an earlier snapshot. Save the work before loading the earlier snapshot by transferring any files that you want to keep to the host OS using Vbox and VMware’s drag-and-drop feature. You can also transfer your data with VMware’s and VBox’s shared folders, which is accessible from both the host and the guest OS.

Risks - Using VMware for Malware Analysis 

When performing Analysis, some malware can identify it running in Virtual Machine and executes differently, thus, can be very difficult for the Malware Analyst to perform Analysis. Many techniques have been published to detect the malware in Virtual Machine. VMware does not consider this as a vulnerability and does not take specific steps to avoid detection. VMware has vulnerabilities found in the shared folders feature and the tools have also been released to exploit the drag-and-drop functionality which can be exploited and can cause the host Operating System to crash, or can even be used to run code on the host Operating System. Make sure to keep the VMware version fully patched. Though, the risk is always present analyzing Malware even after you take all possible precautions. Thus, avoid performing malware analysis on the critical machine.

Analyzing Malware using Virtual Machine

Following are the steps to run and analyze the Malware using Virtual machine:

• Take a clean snapshot of the OS with no malware running on it. 
• Transfer the Malware to the virtual machine.
• Perform the Malware Analysis on the Virtual Machine. 
• Transfer all your data and details that you need to the host machine.
• Revert the Virtual Machine to the snapshot taken.

New and updated Malware Analysis tools are released thus, install the tools and updates, and then take a clean snapshot. Throughout this, when we discuss running Malware, we assume that the Malware is running in a Virtual Machine.

References

https://www.ibm.com/developerworks/community/files/basic/anonymous/api/library/be969f28-ea0a-496c-8736-03038aeea0a7/document/a9c1a42b-6b79-4cc6-b0b3-45cdfb6dcb50/media

https://www.coursehero.com/file/p22us1n/Sometimes-youll-want-to-connect-your-malware-running-machine-to-the-Internet-to/