Even if malware analysis is not your primary occupation, once in a while you may find yourself wondering about the nature of an unfamiliar malicious executable that crosses your desk. Starting your investigation with behavioral analysis—an observation of how the specimen interacts with the file system, the registry and the network—can rapidly produce useful results. Virtualization software such as VMware is incredibly helpful in this process.
VMware allows for the simulation of multiple computers running simultaneously on a single physical system. There are several advantages to this approach for behavioral malware analysis, compared to a lab built using distinct physical infrastructure components:
Preparing a VMware-based analysis laboratory is simple. You need a system with plenty of RAM and disk space that will act as the physical host. You also need the necessary software: VMware Workstation or Server, and the installation media for the OS you'll deploy in the lab.
VMware emulates the computer's hardware, so you must install the OS into each virtual host created using VMware's new Virtual Machine Wizard. Once the OS is set up, install the VMware Tools package, which optimizes the system for operating within VMware. Then install the appropriate malware analysis software.
I recommend having virtual machines with different operating systems in the lab, each representing the OS that malware is likely to target. This enables observation of malicious programs in their native environments. If using VMware Workstation, take snapshots of the virtual system at different points during the security update installation process to analyze malware at the desired patch level.
When dealing with malware, take precautions not to infect production systems. Such breaches can happen when handling malware improperly or when a specimen exploits a weakness in the VMware setup and escapes its sandbox. There have been several publicly announced vulnerabilities in VMware that, in theory, could allow malicious code from the virtual system to find its way onto the physical host.
Here are some suggestions for mitigating these risks:
One of the challenges of using VMware for malware analysis is that malicious code can detect whether it is running within a virtual system, which indicates to the specimen that it is being analyzed. If you cannot modify the specimen's code to eliminate this functionality, you can reconfigure VMware to make it stealthier. Tom Liston and Ed Skoudis last year documented several VMware .vmx file settings you can insert to accomplish this. The biggest problem with these settings is that they may slow down the virtual system's performance. Also note that they're not supported by VMware.
Virtualization software provides a convenient and time-saving mechanism for building a malware analysis environment. Just be sure to establish the necessary controls to prevent malicious software from escaping your testing environment. With a fine-tuned lab, you will be well on your way toward making the most of your malware analysis skills.
For a follow up to this article, please see VMware Network Isolation for a Malware Analysis Lab.
Authored by Lenny Zeltser. Lenny is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter, read his blog and circle him on Google+.
Copyright © 1995-2014 Lenny Zeltser. All rights reserved. RSS Feed.
The information on this site does not necessarily represent positions or opinions of my employer.