Malware can be slippery, difficult to dissect, and prone to escapism. As malware analysts, however, we frequently find ourselves in a position where it's necessary to be able to both examine the binaries and samples we come across, as well as actively run the samples and observe their behavior in a semi-live environment. Observing how the malware behaves within a real-world OS informs us as analysts how to better defend and remediate infections of the same kind we come across.
Such needs present several challenges:
- How do we execute and study malicious code while ensuring our real environments remain safe and we do not assist the malware authors in propagating their code?
- What tools do we require to ensure that we're able to adequately study the malware?
- How do we achieve the two aforementioned goals in a repeatable fashion so that we do not have to rebuild our environment after every piece of malware we study?
In this chapter, we'll review how it's possible to set up a VM specifically for the purposes of analyzing adversarial code, while simultaneously ensuring that we remain on good terms with our friends in Systems Administration, and do not spread our samples across the network, thereby defeating the purposes of our analysis.
In this chapter, we'll cover the following topics:
- Setting up VMware Workstation with Windows 10
- Tooling installation – FLARE
- Isolating your environment
- Maintenance and snapshotting
The following are the requirements for this chapter:
- A PC/Mac with at least 8 GB of memory and a quad-core processor
- An internet connection
- FLARE VM GitHub package: https://github.com/fireeye/flare-vm
- The latest VirtualBox installer: https://virtualbox.org/wiki/downloads
- A Windows 10 ISO and product key
Setting up VirtualBox with Windows 10
To begin, we'll navigate to the VirtualBox download page, which can be found at https://virtualbox.org/wiki/downloads. The page should look like the one shown in the following screenshot:
Let's now move on to downloading and installing VirtualBox.
Downloading and verifying VirtualBox
Here, we can select our host OS, with Linux, macOS, and Windows all supported platforms. In this instance, the process will be completed in macOS, but post-installation, the steps are largely the same, and generally platform-agnostic. Begin by selecting your host OS and downloading the latest package for VirtualBox.
As with downloading any binary or package from the internet, it is an excellent idea to ensure that the download is neither corrupt nor has been tampered with during transit.
Thankfully, Oracle provides pre-computed SHA256 sums of their packages, and we can use
sha256sum on either Linux or Mac to ascertain whether we have the correct package:
Once we have computed the SHA256 in our terminal, we can compare it to known hashes on the VirtualBox page found at https://www.virtualbox.org/download/hashes/6.1.12/SHA256SUMS. Here, we can see that we have a matching hash and can proceed with the installation:
Installing Windows 10
Once you have gone through the installation steps for VirtualBox on your platform and have run the application, you'll be presented with the following screen. We can now begin building our environment:
In order to create our malware analysis environment, it will be necessary to have a Windows 10 installation ISO. If you do not already have a Windows 10 ISO, one may be obtained from Microsoft at https://www.microsoft.com/en-us/software-download/windows10. You will be required to purchase a license key in order to activate your copy of Windows:
- To begin creating our VM, we'll click the New button in VirtualBox, as seen in the following screenshot:
- Clicking the New button will reveal a new pane requiring several selections. Here, we'll want to select Windows 10 (64-bit). The machine may be named anything of your choosing. Once these fields are filled in, click Continue:
At this point, VirtualBox will guide you through several steps. Proceed with the defaults here – no additional customization is necessary for our use case, with one exception: if you have sufficient memory on your host machine, strongly consider changing the memory to 4,096 MB for a smoother experience (and to bypass some possible anti-analysis techniques! More on this later).
- Once done with the creation of the VM, we are dropped back at our initial screen with a VM available to us. However, it is necessary to specify the ISO file that the VM's OS should be installed from. For this, highlight the VM we've just created, and click Settings, as shown in the following screenshot:
- A new pane will be presented that outlines the many settings currently applied to the VM. Here, we'll select Storage, and then the compact disc icon in the tree. From here, we can click the browse icon and then select the applicable ISO for installation. Then, click OK:
- Once the applicable ISO has been loaded, it's time to boot the VM and begin installation of Windows. To do this, simply highlight the VM you have created and then select Start:
If everything has been done correctly to this point, the VM will boot and a Windows 10 installation screen will appear! Here, we can click Next and then proceed as usual through our Windows 10 installation steps:
- We'll continue by creating a new partition and begin our installation as shown in the following screenshot:
- Once the installation of Windows has completed, a screen will appear asking for a username to be utilized, along with a corresponding password:
It is highly advisable to make the password entirely unique to the instance in which we are working. Malware often steals passwords for reuse in further campaigns or operations.
- Once the user has been created, Windows will prompt for a few more settings related to privacy – which you may answer how you choose:
You may consider replicating the settings pictured here. While disabling Windows 10 telemetry isn't required, you may not want to deliver data to Microsoft over the internet if you're utilizing it to analyze sensitive samples.
Installing the FLARE VM package
Before the critical step of isolating our VM from the outside world can be undertaken, tools that require the internet to be downloaded must first be loaded on the VM. Our brand-new VM would be largely useless to us without the requisite tools utilized by malware analysts to glean information, of which there are a multitude.
Thankfully, the folks at FireEye have created a wonderful installation package called FLARE VM, a PowerShell script that can automatically download and install nearly every tool a malware analyst would need. The script is publicly available on GitHub at the following address: https://github.com/fireeye/flare-vm. This script will save a great deal of tedium and allow us to instantly install the necessary tooling:
Once you have downloaded the ZIP file containing the repository for FLARE VM, right-click the ZIP archive and extract it. Once extracted, you'll be presented with a directory containing several files, including a
.ps1 script. From here, we can begin the tooling installation process.
To begin the tooling installation process, it is first necessary that we obtain an administrative console in PowerShell. To do so, we can utilize WinKey + X, which presents the option to open a Windows PowerShell prompt as an administrator:
cd C:\Users\$Your_Username\Downloads\flare-vm-master\flare-vm-master; powershell.exe -ExecutionPolicy Bypass -File .\Install.ps1
With these commands issued, FLARE's Chocolatey-based installer will take over and prompt for credentials stored as secure strings. Once these credentials are entered, the installation will proceed, rebooting the VM several times, and logging in automatically following each reboot. No further action is required on our part during the installation:
FLARE installs a lot of tools. It may take quite a while to install, depending on the speed of your internet connection. It would be wise to utilize this time to make a sandwich, relax, or catch up on your favorite TV show.
Once the entire process has been completed, you'll be presented with the following desktop:
Additionally, you have the official FLARE VM wallpaper. Our malware analysis workstation is now set up and very nearly ready to go!
Isolating your environment
With our tooling installed, we no longer require internet access for most malware analysis. Analysis with a VM connected to the internet can pose several risks and should be avoided unless absolutely necessary. Risks associated with exposing your VM to the internet include the following:
- Allowing attackers to directly interact with the target machine via command and control
- Assisting in the wider propagation of worming malware to your network or others
- Accidentally participating in illegal activities such as DDoS as a zombie, being utilized as a proxy for further hacking of targets, and more
For these reasons, it's important that we set our VM to be isolated by default and only expose it to the internet if absolutely necessary in order to further understand our malware. And even in instances such as these, take proper precautions.
With the Settings pane open, navigate to the Network pane. Here, we can select Host-only Adapter. This will limit the VM's network communication to just the host and prevent the spread of malware via the network to more sensitive endpoints.
A word on executing with network activity
Occasionally, when examining malware samples, it is impossible to proceed without having an internet-connected VM. Droppers responsible for writing malware to disk often reach out to staging servers on the internet to download secondary stages, as opposed to writing them directly to disk from memory.
This can pose a challenge to an isolated VM and prevent an analyst from fully studying the execution of malware within an environment. Fortunately, it's possible to determine whether this access is required with a number of tools prior to enabling network access for your VM. These tools will be covered further in Chapter 3, Dynamic Analysis – Techniques and Tooling.
While VirtualBox does not necessarily have built-in mechanisms for safely executing in this manner, it's highly recommended that a separate network be set up, either physically or via a VLAN, for any dynamic malware analysis that requires network connectivity in order to function properly.
Maintenance and snapshotting
Now that the basis for the malware analysis VM has been set up, the tools installed, and everything is ready to go, it is important to ensure that the work does not have to be repeated each time we would like to dynamically analyze a new piece of malware.
If we simply detonated each piece of malware on top of the previous samples, it would confuse our indicators of compromise (IOCs), and we would likely be unable to tell what the result of a previous piece of malware was, what the result of the piece we were analyzing was, and what was just normal system activity.
VirtualBox has a built-in feature that has us covered – Snapshots. A snapshot is exactly as it sounds – a moment-in-time representation of how the VM's filesystem, registry, and other features existed precisely when that snapshot was taken. It allows an analyst to revert a VM to a time before it was purposely infected with malware.
To take a golden-image snapshot of our newly created malware analysis VM, we'll navigate to VirtualBox's main menu, click the hamburger button just to the right of our VM name, and then click Snapshots:
It's best to have highly descriptive snapshot names so that you aren't left guessing and restoring snapshots blindly in an attempt to find the correct one.
When OK is clicked, the VM will pause for a few moments to take an image of the moment-in-time configuration and save it for later restoration. Once complete, we'll be able to see our snapshot in the list of available restore points in VirtualBox, as shown in the following screenshot:
Congratulations! You've created your malware analysis VM and ensured that we can continue to use it even after we detonate malware in it several times, returning it to its previous state with the click of a button.
Welcome to your home for the next 10 chapters.
Snapshots aren't only great for keeping your VM clean! Initial vectors of malware (such as droppers) no longer work after a given period of time. If you have an infected instance of your VM that you think you'd like to study in the future and are unsure whether you'd be able to re-infect it, take a snapshot!
In this chapter, we've performed a basic setup of our malware analysis environment and built the foundation of what we will utilize to inspect adversarial software over the course of the book.
During this chapter, we have completed the construction of our analysis environment, including the downloading and installation of VirtualBox, the isolation of our host, and the installation of critical tools for our analysis via the FLARE VM package. With this built, we can now move on to the next chapter, where we will be inspecting and understanding live malware samples!