In a prior article, I showed you how to test potential malware in Window’s Sandbox on the fly. In reality, this is not the way to debug and analyze malicious code. It is not ideal to re-install our research tools every single time we start an instance of the application. Since we cannot manipulate the virtual network card, a worm could be introduced into our network. There isn’t even the capability to do research on how the code manipulates the operating system on reboot. Here is where traditional virtualization come in. Continue on to learn how to setup a secure lab to perform your research.
The overall plan
For our lab, we will use Virtual Box for setting up our virtual network. Why? Because it’s free and works well! The lab will initially consist of two Windows 10 virtual machines. One will be for static analysis for all potentially bad code. This virtual machine is only for looking at code in a static fashion. We never execute potentially harmful code on here.
The second Windows machine will be for executing code and analyzing it while it runs in the Windows ecosystem. We want to make sure we always have a clean copy when running new research sessions. To achieve this we utilize the snapshot feature in Virtual Box. We can take a clean snapshot when we first configure our machine and then we can delete new images, returning to our original.
For both Windows machines we will be installing FlareVM. It is a Windows-based overlay distribution. It is essentially a PowerShell script that uses Chocolately and BoxStarter to install a enormous list of research applications. Ranging from text editors, to browsers, pen-test utilities, decompilers, debuggers, and disassembler tools. Even network spoofing to trick malware to think it is on an actual network.
The lab would not be complete with out some *nix machines. We will be using Kali Linux and REMnux. Kali is notorious for being one of the best pen-testing Linux distributions out here. We need the the information gathering applications once we have locked on to a command and control in research. REMnux specifically caters to reverse engineering bad code. We need this distribution to run our potentially harmful Linux programs and have all the tools we need to analyze.
Setting the Windows side up
I am going to assume you have some working knowledge of installing both Windows and Linux in a virtualized environment. Since you can do with in Virtual Box, VMWare, Xen or Hyper-V, I will keep this as generic as possible. We will focus on the most important parts. Normally you would create this network on a separate network than your normal one. But these steps will still keep you safe if you decide to run this virtual network on your daily computer.
Tips for configuring your Windows machines:
- Memory should be at least 3-4GB
- Make sure your harddrives are more than 50GB.
- Download everything you need before install FlareVM.
We want to make sure that our machines look normal as possible. A Windows machine lower than 4GB of memory or a extremely low hard drive size will actually tip off some malware. Unfortunately, these malware writers write in their code to look for obvious virtualization environments. Once your machines are installed and configured, we will install the FlareVM distribution. Once we install will kill the virtual network cards and pipe traffic to FakeNet-NG. So we’ll need to install anything else we need first.
Since FlareVM depends on Chocolately, open up a elevated Powershell to install. Enter the following command.
To learn Chocolately, read my article about it.
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
It is necessary to re-open the elevated PowerShell when your are done to use Chocolately.
Next we will use it to install Git to download and build theZoo malware repository for researching.
choco install git
Fetch theZoo repository.
git clone https://www.github.com/ytisf/theZoo cd theZoo pip install --user -r requirements.txt python2 theZoo.py
Now we want to install FlareVM. You will have to allow for script execution with the Set-ExecutionPolicy.
git clone https://github.com/fireeye/flare-vm.git cd flare-vm-master Set-ExecutionPolicy Unrestricted .\install.ps1
This script is going to take a long time. At least 2-4 hours long. Once the script is complete, shut down the machine. Clone the first machine and designate each for their purposes. One for forensics, one for pen-testing. Then take an original snapshot of each virtual machine so we can start fresh when and if we have to revert back to an original clean state. Then turn off network access by disabling the virtual network cards.
Getting our Linux boxes configured
If you got this far… I think it is safe to assume that you know how to install Linux machines in a virtual environment. Installation is straight forward for Kali Linux. The Kali machine will not be touching malicious code so you can configure this however you’d like. You can download the ISO by direct download or torrent here.
Keep in mind that installing all Kali tools is ~15GB in size so keep that in mind when creating your virtual disk.
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade sudo apt-get install kali-linux-everything
REMnux comes as a virtual appliance file. You will have to import the machine into the virtualization software.
Download the OVA file, here.
During importation, configure the same way as you would with the Windows machines. We will use this machine for execute potential malware for the Linux ecosystem. So we need to trick malware into thinking it isn’t in a virtualized environment as much as we can. Make sure you change the root password on first boot and update.
passwd # default password is : malware sudo update-remnux
Make sure you create an original snapshot after you have updated each machine as well. In you virtualization environment, turn off network access to REMNux.
IMPORTANT: DO NOT INSTALL GUEST TOOLS FROM YOUR VIRTUAL HOST.
Unleashing all the malware
You now have the perfect environment for testing malware. If you want to start analyzing and playing with malware, go ahead with theZoo. For more on how to use this malware repository, read this prior article on deploying the malicious code in your safe new lab. Otherwise, stick around for upcoming articles on the process of analyzing code from the repository. Stay safe!