Setting up a malware analysis environment

[Kayaker]

A frequent request here is for both introductory and detailed information on setting up and using a safe malware analysis environment. I've created a sticky thread where I hope we can gather as many good articles as possible that touch on that subject.

Please add any noteworthy articles you find or are aware of that can help guide those of us who are interested in secure reversing of insecure targets.

The best of the articles will find its way into a larger knowledge resource that is currently being set up, so anything you can add will be a contribution to something far grander and permanent than this thread.


To start with, here are a few that have been mentioned before in the forums:


Capture, care and analysis of Malware made easy
http://www.linklogger.com/vm_capture.htm

Practical Malware Analysis
http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf


Setting up Windbg/VMWare:

Remote Debugging using VMWare
http://www.catch22.net/tuts/vmware

Driver Debugging with WinDbg and VMWare
http://silverstr.ufies.org/lotr0/windbg-vmware.html


Cheers,
Kayaker

[cEnginEEr]

I think any mal analyzer should know pros & cons of various tools for setting up an analysis environment in the first place;

http://www.sans.org/reading_room/whitepapers/threats/malware_analysis_environment_design_and_artitecture_1841

[Silkut]

Interesting article: an automated malware analysis environment (already linked up somewhere on the forum I'm sure).
http://cert.at/downloads/papers/mass_malware_analysis_en.html

[mansourweb]

How Detect virtual machines :

www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf

[VirusBuster]

For malware analysis a good combination could be Sandboxie + Buster Sandbox Analyzer

Sandboxie: http://www.sandboxie.com

Buster Sandbox Analyzer: http://bsa.sandboxie.info

As soon as I finish coding next BSA feature probably I will write a paper about setting up a malware analysis environment.

[mansourweb]

Sandboxie is not a good one , because the new malwares can detect sandboxie.

[VirusBuster]

Sandboxie is not a good one , because the new malwares can detect sandboxie.

I told Sandboxie + Buster Sandbox Analyzer.

http://bsa.sandboxie.info/frameb.htm

[Silkut]

Another one from CERT.at

Hi folks,

it's just a few days ago that I put my new version of Minibis on our (CERT.at) website.
For everyone that haven't heared about it yet: Minibis is a fully customizable automated malware analysis environment.
So, for anyone that's interested in this topic feel free to visit our website http://cert.at/downloads/software/minibis_en.html at "Computer Emergency Response Team of Austria". There's plenty o informations there regarding Minibis, it's concept as well as of course a download-link.

Cya,
Chrisu.

source: https://www.openrce.org/forums/posts/1279

[VirusBuster]

Another one from CERT.at

source: https://www.openrce.org/forums/posts/1279

As usual it uses a Linux distribution (Ubuntu) to do the work.

I always wonder the same and it´s one of the reasons of why I coded Buster Sandbox Analyzer: Why to analyze Windows malware Linux is used?

Why are required complicated installations?

Apart it uses VirtualBox, so lots of malwares will detect the virtual machine and will not work properly.

What´s the point of doing this project under Linux if you use VirtualBox, something already available under Windows?

[Darkelf]

Hmm, maybe in order to prevent malware that is capable of breaking out of the virtual machine from infecting the host?
Just an idea.

[VirusBuster]

Hmm, maybe in order to prevent malware that is capable of breaking out of the virtual machine from infecting the host?
Just an idea.

Could be the reason but I don´t think so.

Anyway there are solutions to prevent anything breaks out of the virtual machine.

e.g.: if I´m not wrong Sandboxie is able to sandbox VirtualBox.

[chrisu]

Hmm, maybe in order to prevent malware that is capable of breaking out of the virtual machine from infecting the host?
Just an idea.

That's exactly *the* reason!

As usual it uses a Linux distribution (Ubuntu) to do the work.

I always wonder the same and it´s one of the reasons of why I coded Buster Sandbox Analyzer: Why to analyze Windows malware Linux is used?

Why are required complicated installations?

Apart it uses VirtualBox, so lots of malwares will detect the virtual machine and will not work properly.

What´s the point of doing this project under Linux if you use VirtualBox, something already available under Windows?

Hm, a few things that need to be mentioned:

*) As already mentioned above, usually another OS is used for the base (and therefore not necessarily Linux), just in the case of an escape. In the case of Minibis (which is CERT.at's implementation of a concept posted earlier) there has to be a place that is declared to be save. That's because of all the monitoring-data there which has to stay "trusted" at least with adequate efforts.

*) Regarding VirtualBox I have to say that it is one of the least detected VM-solutions, though, to be more precisely, as it's built upon QEMU it's more of an emulator than a typical virtualization.
Anyway, Minibis is primarely used for mass malware analysis, so a few samples that won't execute do not mess up the results of let's say 25k samples.
Furthermore, nowadays malware is changing its characteristics regarding VM-detection. Actually the trend of VM-detection is massively falling down. That's because of the fact that virtualization became daily business for productive machines. As malware's major goal is to run to make money that is just a logical implication.

*) For anyone whose paranoia-mode is in god-mode: There's also a possibility to use native machines instead of virtual machines, that's usually done with data-recovery cards, forensic writeblockers and automated re-imaging.

Hope that brought some light into the discussion.

Cheers,
Chrisu.

[VirusBuster]

If I´m not wrong Sandboxie is able to sandbox VirtualBox so in the rare case of an escape from the virtual machine the malware would land inside sandbox folder.

Other solutions like Deep Freeze, Returnil, Shadow Defender, ... would make the work too.

[chrisu]

If I´m not wrong Sandboxie is able to sandbox VirtualBox so in the rare case of an escape from the virtual machine the malware would land inside sandbox folder.

Other solutions like Deep Freeze, Returnil, Shadow Defender, ... would make the work too.

It really depends on what your goal is. Just as a prevention-layer for emailing and surfing I agree with you. But if comes to professional behavioral analysis of malware those sandboxes are just the wrong tool. That is because of the differences between sandboxes, VMs and emulators regarding their characteristics.
When you do behavioral malware analysis you *want* the underlying OS to get infected, furthermore (besides VM-detection, I already mentioned that above) you want to have "normal" looking, full OS, so in other words, any thing on the system that is additional might change your monitoring results.
Another thing is the fundamental diffrence in the approach of sandboxes and VMs: You can compare it with "white"- and "black"-listing. Sandboxes do blacklisting - they try to slap an executable on any thinkable way it could act evil. VMs won't let the guest do anything until you give it the ability.
There are just too many drawbacks sandboxes have in comparison to VMs when it comes to professional behavorial malware research, but as I said, there are definitely use-cases for sandboxes, though.
As for me, I would prefer to bring my own trusted oxygen with me when I enter a room with unknown bacterias and viruses than breathing the air in that room through a filter ... but that's just my opinion.

Cheers, Chrisu.

[VirusBuster]

I agree with you, Chrisu, I only disagree in one thing: if you are going to use VirtualBox for malware analysis, why to use it under Linux if VirtualBox for Windows exists?

The reason you give is "to prevent malware that is capable of breaking out of the virtual machine from infecting the host".

There are several methods to prevent such situation, so using Linux is like killing flies with cannons.

there has to be a place that is declared to be save. That's because of all the monitoring-data there which has to stay "trusted" at least with adequate efforts.

You can declare a place to be save under Windows with a minimum effort.