As you could read in my blog post Analyzing Malware at home – Introduction, I am building a lab environment to analyze malware. On this page I want to share my approach:
Depending on your preferences, any other hypervisor should do as well; however, I like VMware ESXi because you can set it up on a USB key with virtually no hassle in 10 minutes. The networking options of ESXi are also quite nice (more about networking later).
Hardware-wise, any old PC with at least 2 CPU cores and 4 GB of RAM should do fine. I would stay away from low-power platforms like Intel Atom: they will work, but performance can be a pain. I would recommend an Intel platform (probably better ESXi driver support than AMD/third-party chipsets) with a Pentium Dual-Core/Core 2 Duo as the lower-end spec. Note that ESXi can only run 64-bit guests (such as the Windows 7 64-bit template below) if the CPU supports hardware virtualization (Intel VT-x/AMD-V) and it is enabled in the BIOS.
But as said, it does not need to be fancy or expensive. See what you have lying around or can get your hands on cheaply.
In my case, I bought myself a MacBook last year and still keep my old PC under my desk for the occasional graphics-hungry, Windows-only first-person shooter:
Server hardware specs:
- Core 2 Quad Q9550 (4 × 2.83 GHz)
- 8 GB RAM (not too much, but enough for 5-10 Windows VMs)
- Old 250 GB SATA HDD for VMFS (you don't need much disk/IO performance!)
- 2 GB USB key as boot drive / install target for ESXi
- VMware ESXi 5.1 (free bare-metal hypervisor)
I also added an additional HDD I had lying around for VM storage and installed the ESXi 5.1 hypervisor on an old USB key. For now I set the BIOS boot sequence to boot from the USB drive first. However, with the press of a button I can pull up the boot menu and choose to boot my Windows system, so I am still able to play some games \o/.
The setup of the VMware ESXi hypervisor is quite easy and straightforward:
- Create a free account on vmware.com and grab the installer ISO
- Burn the ISO and boot your machine off it
- Choose a local disk or an attached USB key as the installation target
- That's it!
If your workstation is a Windows machine you will be able to start setting up the ESXi server right away. If you are using a Mac or Linux you will need to start a Windows VM, at least temporarily, to get going. Sadly, VMware only provides the vSphere client for ESX(i) administration for Windows.
If you search the web you will find some talk about the fairly new VMware vSphere web interface, but to my knowledge this is also software you need to install on a Windows machine first.
The first thing after applying the free license key and some basic configuration was to set up a "management Windows 7 VM". The reason for this is, as mentioned above, that the vSphere client runs under Windows, and some other software I am using (like the Check Point dashboard, more about that later) is Windows-only as well.
I configured the ESXi host so that it automatically boots the management VM when it starts, and then I use RDP to connect to it and control the lab environment. A nice side effect of this is that you don't have to install any unnecessary software on your workstation (keep it lean and mean)…
For now I decided to build three VMware templates:
- Windows XP 32bit
- Windows 7 32bit
- Windows 7 64bit
For most malware you can easily catch in the wild, Windows XP will probably be the best point to start from. If I don't see the expected behavior from a malicious executable I will try to run it in Win7 32-bit and 64-bit to compare the results.
The free ESXi does not have a convenient cloning mechanism like vSphere (with vCenter) or VMware Workstation provide. However, if you search the web you will find enough tutorials on how to clone machines via the datastore browser.
Important: do not install VMware Tools in your templates and do not patch them. Make a bare installation and decide case by case what you want to do with a machine after cloning it.
Patching might prevent a sample from exploiting older local vulnerabilities, and the drivers, services and registry keys VMware Tools installs are an easy giveaway that the sample is running in a VM and being analyzed, which could make it stay dormant (more about this at the end of this post)!
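As an added example (not from the original post), here is how a template can be cloned from the ESXi shell over SSH instead of through the datastore browser, using vmkfstools for the disk and vim-cmd to register the copy. The datastore path, the template name winxp-template and the clone name victim01 are assumptions. The .vmx keys the script drops (uuid.bios, uuid.location, the ethernet0.generatedAddress entries) are the ones ESXi regenerates on first power-on, so every clone gets its own UUID and MAC address instead of colliding with its siblings on the DMZ switch. SSH has to be enabled on the host first (ESXi console, Troubleshooting Options).

```shell
#!/bin/sh
# Added example: clone an ESXi template VM from the ESXi shell.
# Datastore path and VM names are assumptions, not values from the post.
DATASTORE="${DATASTORE:-/vmfs/volumes/datastore1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them on the host

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rewrite_vmx <template-name> <clone-name>
# Reads the template's .vmx on stdin, writes the clone's .vmx on stdout.
# Renamed: displayName, disk and nvram file names.
# Removed: UUID and generated MAC keys, which ESXi recreates at first power-on.
rewrite_vmx() {
  sed -e "s/^displayName = .*/displayName = \"$2\"/" \
      -e "s/^scsi0:0.fileName = .*/scsi0:0.fileName = \"$2.vmdk\"/" \
      -e "s/^nvram = .*/nvram = \"$2.nvram\"/" \
      -e '/^uuid\.bios = /d' \
      -e '/^uuid\.location = /d' \
      -e '/^vc\.uuid = /d' \
      -e '/^ethernet[0-9]*\.generatedAddress/d' \
      -e '/^sched\.swap\.derivedName = /d'
}

# clone_template <template-name> <clone-name>
clone_template() {
  tmpl="$DATASTORE/$1"
  dest="$DATASTORE/$2"
  run mkdir -p "$dest"
  # Thin-provisioned copy of the template disk (the template itself is never booted again)
  run vmkfstools -i "$tmpl/$1.vmdk" "$dest/$2.vmdk" -d thin
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "rewrite_vmx $1 $2 < $tmpl/$1.vmx > $dest/$2.vmx"
  else
    rewrite_vmx "$1" "$2" < "$tmpl/$1.vmx" > "$dest/$2.vmx"
  fi
  # Register the clone so it shows up in the vSphere client
  run vim-cmd solo/registervm "$dest/$2.vmx"
}

# Usage: sh clone.sh <template> <clone> [apply]
#   sh clone.sh winxp-template victim01         -> print what would be done
#   sh clone.sh winxp-template victim01 apply   -> actually clone on the ESXi host
if [ $# -ge 2 ]; then
  if [ "${3:-}" = "apply" ]; then DRY_RUN=0; fi
  clone_template "$1" "$2"
fi
```

Run it without apply first and read the printed commands; the vmkfstools step is the slow one and the only one that touches the datastore. If your template uses a different disk controller than scsi0:0, adjust the corresponding sed expression.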
You have two options for exchanging files with the victim VM. You can create an ISO file containing anything you want to put on the virtual machine and mount it via the vSphere client.
To get data on and also off the virtual machine, I set up an FTP server (I recommend the free and easy 3Com FTP daemon as it needs virtually no configuration) on the management VM and made sure that the DMZ can only access the FTP port.
I don't think that is too much of a risk, because the worst case would be that a piece of malware uploads some files to the FTP server, which you can then conveniently collect for further analysis.
I chose to create two virtual switches: a "secure/LAN" zone which faces my network and has a physical uplink, and an "insecure/DMZ" zone where I put the victim VMs that will be executing the malware binaries.
As you can see in the image above, I used a virtual Check Point firewall as the firewall/router between the two vSwitches. This gives me the comfort and visibility of an enterprise-grade firewall/logging suite when analyzing the live network traffic of malware being run in the DMZ.
The Check Point Virtual Edition OVF can be downloaded for free with a 2-week trial key if you have an account on the Check Point website.
If you don't want to use a commercial product for this, you can just set up a Linux VM with iptables. Just make sure that you activate logging and think about some form of visualization (Splunk or anything similar).
Hint: also search the web for Honeywall!
Having a firewall isolate the network in which you execute the malware gives you the power to capture all traffic the victim VM initiates (hello tcpdump) and to selectively allow a sample certain connections to the internet.
The latter can and should be throttled to fairly low bandwidth (like cellphone providers do when we reach the data plan limit ;)) but still gives you the opportunity to see how malware behaves when it is able to perform certain functions, for example:
- loading more tools/components
- spreading to other hosts
- calling back to command and control servers
- contacting other bots (if it is botnet malware)
- and much more, I guess…
Another thing I am planning to do network-wise is to set up a Security Onion VM and fire up some Network Security Monitoring tools like Bro and Snort for educational purposes.
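For the Linux/iptables variant of the firewall VM, here is an added example (not the post's own setup) of a ruleset that implements the policy described above: the DMZ vNIC may only reach the FTP daemon on the management VM, every new connection a victim initiates is logged, anything not explicitly allow-listed is dropped, victims are NATed out through the LAN side, and traffic flowing into the DMZ is throttled with a tc token bucket. The interface names, addresses, the FTP passive port range and the rate are assumptions and must be adjusted to your lab. With DRY_RUN=1 (the default) the script only prints the commands, which is how to review the policy before running it as root on the firewall VM.

```shell
#!/bin/sh
# Added example: iptables/tc policy for a Linux VM between the "secure/LAN" and
# "insecure/DMZ" vSwitches. All names and addresses below are assumptions.
LAN_IF="${LAN_IF:-eth0}"              # vNIC on the secure/LAN vSwitch
DMZ_IF="${DMZ_IF:-eth1}"              # vNIC on the insecure/DMZ vSwitch
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-10.66.0.0/24}"
MGMT_IP="${MGMT_IP:-192.168.1.10}"    # management VM running the FTP daemon
FTP_PASV="${FTP_PASV:-50000:50100}"   # passive data port range configured on the FTP daemon
RATE="${RATE:-64kbit}"                # bandwidth cap for traffic delivered into the DMZ
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_firewall() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -F
  run iptables -t nat -F
  run iptables -X
  # Everything that is not explicitly accepted ends up here: logged, then dropped
  run iptables -N LOG_DROP
  run iptables -A LOG_DROP -j LOG --log-prefix "FW-DROP: " --log-level 4
  run iptables -A LOG_DROP -j DROP
  # Internet destinations a sample is allowed to reach (filled by allow_victim_dst)
  run iptables -N ALLOWLIST

  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Log every new connection a victim initiates, allowed or not
  run iptables -A FORWARD -i "$DMZ_IF" -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-NEW: " --log-level 4
  # DMZ -> management VM: only the FTP control port and the daemon's passive range
  run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -d "$MGMT_IP" -p tcp --dport 21 -j ACCEPT
  run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -d "$MGMT_IP" -p tcp --dport "$FTP_PASV" -j ACCEPT
  # DMZ -> anything else on the LAN: never
  run iptables -A FORWARD -i "$DMZ_IF" -d "$LAN_NET" -j LOG_DROP
  # DMZ -> internet: only what has been allow-listed; non-matches fall through to LOG_DROP
  run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j ALLOWLIST
  # Management VM -> victims (RDP/VNC etc.) is fine
  run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$MGMT_IP" -d "$DMZ_NET" -j ACCEPT
  run iptables -A FORWARD -j LOG_DROP
  # Victims leave towards the LAN/internet NATed behind the firewall's LAN address
  run iptables -t nat -A POSTROUTING -s "$DMZ_NET" -o "$LAN_IF" -j MASQUERADE
  # Throttle what the victims can pull down: token bucket on the DMZ-facing egress
  run tc qdisc replace dev "$DMZ_IF" root tbf rate "$RATE" burst 32kbit latency 400ms
}

# allow_victim_dst <ip-or-cidr> <tcp-port>: let the samples reach one external service
allow_victim_dst() {
  run iptables -A ALLOWLIST -d "$1" -p tcp --dport "$2" -j ACCEPT
}

# Usage: sh lab-fw.sh show   (print the rules)  |  sh lab-fw.sh apply  (as root on the firewall VM)
case "${1:-}" in
  show)  DRY_RUN=1; build_firewall; allow_victim_dst 198.51.100.23 80 ;;  # constructed example destination
  apply) DRY_RUN=0; build_firewall; allow_victim_dst 198.51.100.23 80 ;;
esac
```

Two things to keep in mind when adapting it: the tbf qdisc on the DMZ interface only shapes traffic delivered to the victims (the direction "loading more tools/components" uses), so uploads and beaconing from the DMZ are logged but not slowed down, and FTP passive mode only works through the FORWARD rules if the daemon is pinned to the port range in FTP_PASV. The "DMZ-NEW:" and "FW-DROP:" prefixes are what you would filter on in syslog or Splunk.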
VMware vs physical
When you read about malware analysis you will quickly find recommendations to analyze malware on physical machines, because certain malware tries to figure out whether it is being run in a virtual machine and whether debuggers are present.
In that case the malware could stay dormant and not reveal its true nature, or just mess around with you to keep you busy.
I found two good reads about this topic:
How does malware know the difference between the virtual world and the real world?
Detecting Hidden Malware Method Based on “In-VM” Model
Personally, I am at the beginning of this huge topic (malware analysis), and I think there will be enough basic malware without advanced functionality like this to begin with.
Later on it will probably even be fun to compare the behavior of malware in virtual machines and on physical setups.
But right now I want to focus on learning the analysis techniques rather than spending much time constantly re-imaging computers to get a clean basis for analysis.
Virtualization is just way easier and less time consuming than physical!
Feel free to leave comments or questions below!