Beginning of the malware analysis adventure. Setting up safe virtual machine! Part 1
Hello everyone!
It was a long time without blogging. I had to learn for a very important test to get into university but now I have some free time, fortunately. About a month ago I decided to get more into malware analysis and found an excellent book to get started, named "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" (Practical Malware Analysis book). It's so good for me because of the exercises after each chapter. I think that I can learn malware analysis step by step this way and in my opinion, it will be so much fun. I have to add that this book is from 2012 but I didn't find a better position to learn this kind of "hacking".
First of all creating lab for analyzing malware properly and safely is very important. Authors of this book wrote about this thing but I did it on my own. Obviously, I had to read about this kind of stuff. I used several sources to give myself a chance to get a better understanding of the topic. After joining them together I could begin working on my setup.
There is no doubt that malware is dangerous by definition. For instance, a sophisticated type of malicious program like "worm" can spread over a network and is able to take over a lot of devices.
As a result of this malware analysis has to be done in a safe environment to prevent these kinds of actions.
Of course, everything has to be created within a virtual machine. Personally, I chose VirtualBox because I know this interface better than the other ones. As far as I know, VMware is also a good choice for creating such a lab.
Unfortunately, I was forced to install Windows XP x86 as the main OS for analyzing malware because not all exercises work on Windows 7 or Windows 10 properly. For me, this is a little drawback of the book but it's a result of the release date. Why have I named this machine as "main"? Because to analyze malware properly isolated network must exist. The thing is that malware has to think that a network is available but we have to be safe and prevent malware from spread across our real network. So a fake net is a solution. To do this we will need Linux as the second machine. I will explain everything later in this article.
To create the main machine, I've installed Windows XP x86 SP2. Unfortunately, Microsoft doesn't share any Windows XP iso so you have to find it on your own. For the second virtual machine I decided to take Ubuntu 32-bit but Ubuntu Server may be better because of its size. Why the OS'es are 32-bit and not 64? Because most of the malware is 32-bit. I think this may be due to fact that 32-bit executable is working properly on 64-bit and 32-bit OS but 64-bit binary is not working on 32-bit systems.
Basic settings of machines:
Windows XP (main OS):
- RAM: 1024 MB
- Processors: 1
Ubuntu 32-bit:
- RAM: 1024 MB
- Processors: 1
The above settings are recommended with the installation and I simply didn't change it.
The next important thing in managing our lab is to take snapshots while working on malware. Of course, the first snapshot has to be taken after OS installation and the second snapshot has to be taken after the installation of tools needed for further analysis.
Snapshots are amazing because we can always back to a clean system without any malware running on it. So restoring the machine to clean state each time we end up our analysis is always a good idea. Moreover, I have to mention that snapshots can be useful also when we would like to save our work.
This is how my snapshots look like after some analyze on my main machine:
"Aktualny stan" means "actual state" :)
Now it's time to introduce the most important part of setting the malware analysis lab - isolated network. Network setting types on virtual machines differ between VM technology vendors. I'm going to use VirtualBox as mentioned above so I'll describe their types of possible networks within VMs. This table from the official site of VirtualBox gives the best insight I think:
Our goal is to basically keep malware away from the host machine. As you can see the only option which is enough to work with is the Internal network. Why? Because others, unfortunately, give malware a chance to spread into our host and even across the whole LAN network as it's possible with Bridged network case.
As I mentioned above a malware should "think" that the whole real network is available because we can then sniff exemplary malicious software and make analysis better. So the structure of my fake network is like this:
Malware will be talking with fake network services and will be talking only with the Linux machine in the isolated network. As a result of this, we will be able to, for example, examine malicious domains to which exemplary malware connects. This is how I set the network:
Settings for the main machine (Windows XP):
Settings for the fake server machine (Ubuntu):
Linux machine network interface:
Of course, the network card interface enp0s3 from line 4 of the above picture might be different than yours. You can check which network card interface you should set by ifconfig command.
Virtual machine network type settings (for both machines these settings are the same):
1. In the left pane click Network.
2. In the right pane: Connected to: Internal network.
3. Name: can be whatever you want but it has to be the same on main and Linux machine.
Proof that it works:
Windows XP machine to Ubuntu:
Ubuntu machine to Windows XP:
Windows XP to host (not allowed):
Ubuntu to host (not allowed):
This is the end of part number one of setting malware lab. For now on we can examine malware in safe environment. (unless malicious program will exploit a bug in VirtualBox and jump outside the sandbox :) ) In the second part I will show you the tools which I installed to analyze malware. After this, I'm going to release my solutions to exercises from the book.
Thank you for reading.
Cheers!
It was a long time without blogging. I had to learn for a very important test to get into university but now I have some free time, fortunately. About a month ago I decided to get more into malware analysis and found an excellent book to get started, named "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" (Practical Malware Analysis book). It's so good for me because of the exercises after each chapter. I think that I can learn malware analysis step by step this way and in my opinion, it will be so much fun. I have to add that this book is from 2012 but I didn't find a better position to learn this kind of "hacking".
First of all creating lab for analyzing malware properly and safely is very important. Authors of this book wrote about this thing but I did it on my own. Obviously, I had to read about this kind of stuff. I used several sources to give myself a chance to get a better understanding of the topic. After joining them together I could begin working on my setup.
There is no doubt that malware is dangerous by definition. For instance, a sophisticated type of malicious program like "worm" can spread over a network and is able to take over a lot of devices.
As a result of this malware analysis has to be done in a safe environment to prevent these kinds of actions.
Of course, everything has to be created within a virtual machine. Personally, I chose VirtualBox because I know this interface better than the other ones. As far as I know, VMware is also a good choice for creating such a lab.
Unfortunately, I was forced to install Windows XP x86 as the main OS for analyzing malware because not all exercises work on Windows 7 or Windows 10 properly. For me, this is a little drawback of the book but it's a result of the release date. Why have I named this machine as "main"? Because to analyze malware properly isolated network must exist. The thing is that malware has to think that a network is available but we have to be safe and prevent malware from spread across our real network. So a fake net is a solution. To do this we will need Linux as the second machine. I will explain everything later in this article.
To create the main machine, I've installed Windows XP x86 SP2. Unfortunately, Microsoft doesn't share any Windows XP iso so you have to find it on your own. For the second virtual machine I decided to take Ubuntu 32-bit but Ubuntu Server may be better because of its size. Why the OS'es are 32-bit and not 64? Because most of the malware is 32-bit. I think this may be due to fact that 32-bit executable is working properly on 64-bit and 32-bit OS but 64-bit binary is not working on 32-bit systems.
Basic settings of machines:
Windows XP (main OS):
- RAM: 1024 MB
- Processors: 1
Ubuntu 32-bit:
- RAM: 1024 MB
- Processors: 1
The above settings are recommended with the installation and I simply didn't change it.
The next important thing in managing our lab is to take snapshots while working on malware. Of course, the first snapshot has to be taken after OS installation and the second snapshot has to be taken after the installation of tools needed for further analysis.
Snapshots are amazing because we can always back to a clean system without any malware running on it. So restoring the machine to clean state each time we end up our analysis is always a good idea. Moreover, I have to mention that snapshots can be useful also when we would like to save our work.
This is how my snapshots look like after some analyze on my main machine:
"Aktualny stan" means "actual state" :)
Now it's time to introduce the most important part of setting the malware analysis lab - isolated network. Network setting types on virtual machines differ between VM technology vendors. I'm going to use VirtualBox as mentioned above so I'll describe their types of possible networks within VMs. This table from the official site of VirtualBox gives the best insight I think:
Our goal is to basically keep malware away from the host machine. As you can see the only option which is enough to work with is the Internal network. Why? Because others, unfortunately, give malware a chance to spread into our host and even across the whole LAN network as it's possible with Bridged network case.
As I mentioned above a malware should "think" that the whole real network is available because we can then sniff exemplary malicious software and make analysis better. So the structure of my fake network is like this:
Malware will be talking with fake network services and will be talking only with the Linux machine in the isolated network. As a result of this, we will be able to, for example, examine malicious domains to which exemplary malware connects. This is how I set the network:
Settings for the main machine (Windows XP):
Settings for the fake server machine (Ubuntu):
Linux machine network interface:
Of course, the network card interface enp0s3 from line 4 of the above picture might be different than yours. You can check which network card interface you should set by ifconfig command.
Virtual machine network type settings (for both machines these settings are the same):
1. In the left pane click Network.
2. In the right pane: Connected to: Internal network.
3. Name: can be whatever you want but it has to be the same on main and Linux machine.
Proof that it works:
Windows XP machine to Ubuntu:
Ubuntu machine to Windows XP:
Windows XP to host (not allowed):
Ubuntu to host (not allowed):
This is the end of part number one of setting malware lab. For now on we can examine malware in safe environment. (unless malicious program will exploit a bug in VirtualBox and jump outside the sandbox :) ) In the second part I will show you the tools which I installed to analyze malware. After this, I'm going to release my solutions to exercises from the book.
Thank you for reading.
Cheers!
Comments
Post a Comment