Malware Analysis Lab

Malware Analysis Lab setup


Setting up the environment

Let’s set up a virtual machine that emulates a real device and use it as the malware analysis lab.

Installing Windows 7 in VMware Workstation

Create a new virtual machine as shown below and choose how you want to install Windows 7, either from installation media or from an ISO image.


Customize the virtual machine hardware before installing the Windows 7 guest operating system (OS). For instance, you can increase the disk size or remove unnecessary hardware such as floppy drives and sound cards.

Isolating the lab from production environment

Network Setting

Put extra effort into configuring the malware analysis lab in a way that minimizes the risk of the malicious program escaping from your lab to the host or the production environment. A malware escape happens not only because of a vulnerability that allows breaking out of the virtualized system, which can usually be fixed by running the latest VM software, but also because of misconfiguration and user error. To this end, use the host-only networking mode for interconnecting the guest OS.


This configuration works well; however, it has the weakness of allowing the physical host and the guest systems to interact with each other through a virtual network adapter that VMware installs on the physical host. Therefore, for safety reasons, we need to define a dedicated virtual network.

  • Make sure host-only networking mode is selected.
  • Go to the virtual machine Edit menu and select Virtual Network Editor.


  • Repeatedly click the Change Settings button until it allows us to modify the host-only settings.
  • When the Virtual Network Editor reopens, it will show all three modes, namely Bridged, Host-only, and NAT.
  • In the VMnet Information section select the Host-only option.
  • Uncheck “Connect a host virtual adapter to this network”.
  • Check “Use local DHCP service to distribute IP address to VMs”.
  • Finally, click OK.


After this setting change, the guest OS can no longer talk to the host OS over the network.

Disable Shared Folder Option:

  1. Make sure your VM is shut down.
  2. Select the virtual machine and select VM > Settings.
  3. On the Options tab, select Shared Folders.
  4. Select Disabled to disable folder sharing.
  5. Click OK to save your changes.

Checking the VM sandbox against VM detection

Malware nowadays checks whether it is being analyzed, using a number of generic and specific tests that reveal the presence of a VM, and some malware refuses to execute or operate correctly when it detects that it is running inside one. To test our lab against this, we use a tool called “Paranoid Fish” (pafish), a tool for detecting malware analysis environments that imitates what malware does to find out whether it is being analyzed.

Let’s run the pafish test as an administrator; the result should look like the output shown below. Each detected sign of a VM is marked with the word “Traced” in red. We therefore have to reconfigure VMware so that the VM’s presence is hidden from the malware.


In order to reduce how easily malware can detect our VM, add or modify the following settings at the end of the virtual machine’s configuration file, Windows 7 x64.vmx.

cpuid.disable_apicExtRegs = "TRUE"  
monitor_control.enable_fullcpuid="TRUE"  
cpuid.1.eax = "0---:----:----:----:----:----:----:----"  
cpuid.1.ecx = "0---:----:----:----:----:----:----:----"  
cpuid.1.edx = "0---:----:----:----:----:----:----:----"  
monitor_control.restrict_backdoor = "true"   
monitor_control.disable_directexec = "true"  
monitor_control.disable_chksimd = "true"  
monitor_control.disable_ntreloc = "true"  
monitor_control.disable_selfmod = "true"  
monitor_control.disable_reloc = "true"  
monitor_control.disable_btinout = "true"  
monitor_control.disable_btmemspace = "true"  
monitor_control.disable_btpriv = "true"  
monitor_control.disable_btseg = "true"  
monitor_control.enable_extended_core = "true"  
monitor_control.enable_paravirt = "true"  
monitor_control.virtual_rdtsc = "false"  
isolation.tools.getPtrLocation.disable = "true"  
isolation.tools.getVersion.disable = "true"  
SMBIOS.reflecthost = "TRUE"  
SMBIOS.assettag = "IBM Corporation"  
SMBIOS.useShortSerialNumber = "TRUE"  
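As an added helper that is not part of the original page, the following Python script merges exactly this list into an existing .vmx file: keys that already exist are updated in place and missing keys are appended, so running it twice does not leave duplicate entries (a plain copy-and-paste would). The short .vmx excerpt inside it is constructed for illustration.

```python
"""Merge the anti-detection settings listed above into a VMware .vmx file.
A .vmx holds one `key = "value"` line per setting and keys are case-insensitive, so
appending the block twice leaves duplicate keys; this updates in place instead."""
import re

CPUID_MASK = "0---:----:----:----:----:----:----:----"
ANTI_DETECTION = {  # the settings exactly as listed on this page
    "cpuid.disable_apicExtRegs": "TRUE", "monitor_control.enable_fullcpuid": "TRUE",
    "cpuid.1.eax": CPUID_MASK, "cpuid.1.ecx": CPUID_MASK, "cpuid.1.edx": CPUID_MASK,
    "monitor_control.virtual_rdtsc": "false", "SMBIOS.reflecthost": "TRUE",
    "SMBIOS.assettag": "IBM Corporation", "SMBIOS.useShortSerialNumber": "TRUE",
}
for opt in ("restrict_backdoor", "disable_directexec", "disable_chksimd", "disable_ntreloc",
            "disable_selfmod", "disable_reloc", "disable_btinout", "disable_btmemspace",
            "disable_btpriv", "disable_btseg", "enable_extended_core", "enable_paravirt"):
    ANTI_DETECTION["monitor_control." + opt] = "true"
for tool in ("getPtrLocation", "getVersion"):
    ANTI_DETECTION["isolation.tools.%s.disable" % tool] = "true"

# key = "value": VMware quotes every value; keys may contain dots, colons and digits.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def merge_vmx(text, settings=ANTI_DETECTION):
    """Return `text` with every key in `settings` set; all other lines are kept verbatim."""
    wanted = {k.lower(): (k, v) for k, v in settings.items()}
    out, seen = [], set()
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in wanted:       # existing key: rewrite in place
            key = m.group(1).lower()
            seen.add(key)
            line = '%s = "%s"' % (m.group(1), wanted[key][1])
        out.append(line)
    for key, (name, value) in wanted.items():        # missing keys: append at the end
        if key not in seen:
            out.append('%s = "%s"' % (name, value))
    return "\n".join(out) + "\n"

def unapplied(text, settings=ANTI_DETECTION):
    """Keys from `settings` that are absent from `text` or hold a different value."""
    have = {m.group(1).lower(): m.group(2) for m in map(VMX_LINE.match, text.splitlines()) if m}
    return sorted(k for k, v in settings.items() if have.get(k.lower(), "").lower() != v.lower())

# Constructed excerpt of a "Windows 7 x64.vmx" as VMware writes it (not a real file).
SAMPLE_VMX = ('.encoding = "UTF-8"\ndisplayName = "Windows 7 x64"\n'
              'ethernet0.connectionType = "hostonly"\nmonitor_control.virtual_rdtsc = "true"\n')

if __name__ == "__main__":   # to apply for real: merge_vmx(open(path).read()) -> write back
    print(merge_vmx(SAMPLE_VMX))
```

Edit the .vmx only while the VM is powered off, because VMware Workstation rewrites the file itself and will discard changes made while the VM is running; afterwards, `unapplied()` on the saved file should return an empty list.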

Now we have a secured and controlled malware analysis lab and can proceed with analyzing malware.

Remember to use the latest VMware software, updated and patched, and make sure that your VMware version is free of known virtual machine escape vulnerabilities. A virtual machine escape is the process of malware breaking out of a virtual machine and interacting with the host operating system, which can lead to infection and malware execution on the host machine. If your analysis requires an internet connection, remember to use a network connection that is isolated from the production network.