To start contributing I thought I would cover some of the tools that I use, and how I use them.
The most valuable tool for any malware analyst is the software that hosts the virtual machines in their test and analysis environments. While Windows licenses cost money, the virtual machine software can be free: Oracle’s VirtualBox, the QEMU Project, and VMware’s Player are all free applications that can host virtual machines. I prefer VirtualBox for its GUI combined with snapshot capabilities, but the others have their own benefits. Most of the VM-aware malware that I have analyzed looked for VMware signatures. A couple of the samples did things with the floating point unit to detect abnormal results and so detected VirtualBox, but I have not observed any that directly look for QEMU signatures. Additionally, if you have a server in your arsenal, you can install the free VMware ESXi hypervisor to build intricate networks and manage multiple virtual machines through one interface. One drawback of ESXi is getting memory snapshots from the hypervisor to the machine you use for memory analysis.
For paid applications, nothing beats VMware Workstation 8. It has snapshot capabilities and a virtual network editor, and it can run VMs off remote hosts or act as a client for an ESXi server.
All of the desktop applications above can run on a Linux host, which adds a layer of protection when conducting malware analysis. Typically the malware to be analyzed targets Windows. If the host runs Windows, moving malware around can endanger the host or cause the host’s AV solution to clean a sample before you can get it to the guest. These problems can be mitigated by moving samples inside password-protected archives or by using scp to copy files from a non-Windows source to the destination. But with many of the desktop hypervisors, and with an ESXi host, it is also possible to move files through the shared clipboard or by drag and drop with the host. This is particularly useful for exporting reports generated by tools in the test or analysis environment. Keep in mind that clipboard sharing and drag and drop are a two-way channel between guest and host, so leave them disabled while a sample is running and enable them only when you need to pull a report out.
My preferred method is to use Workstation 8 on a Linux host. You can build a series of VMs that can be brought into service very quickly, run a test, and then revert the guest to a pristine snapshot. At least one guest needs to be a vanilla install of each operating system without VMware Tools installed. VM-aware malware can still detect that it is running in a VM, but installing VMware Tools makes that check trivial since the tools leave registry entries (along with services and driver files) behind. Keeping some vanilla installs without VMware Tools lets you quickly move a sample into an environment where it may not notice that it is running in a VM.
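As an added illustration that is not part of the original post, here is a PowerShell check you can run inside a Windows guest to confirm that it really is vanilla. The registry keys, service names and driver files it looks for are a representative selection of what the VMware Tools and VirtualBox Guest Additions installers create by default, not an exhaustive list, and the function names are my own. It also prints the hardware identifiers that remain visible with no tools installed, which is why a vanilla guest is harder, not impossible, for a sample to fingerprint.

```powershell
# Added example (not from the original post): list the artifacts VMware Tools
# and VirtualBox Guest Additions leave in a Windows guest, so you can confirm
# an analysis VM is really "vanilla". Run it inside the guest.
# The registry keys, service names and driver files below are a representative
# selection of what those installers create by default, not an exhaustive list.

$artifacts = @(
    # Registry keys written by the guest-tools installers
    @{ Kind = 'Registry'; Item = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools' },
    @{ Kind = 'Registry'; Item = 'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions' },
    # Services registered by the guest tools
    @{ Kind = 'Service';  Item = 'VMTools' },
    @{ Kind = 'Service';  Item = 'VGAuthService' },
    @{ Kind = 'Service';  Item = 'VBoxService' },
    # Kernel drivers dropped into System32\drivers
    @{ Kind = 'File';     Item = "$env:SystemRoot\System32\drivers\vmhgfs.sys" },
    @{ Kind = 'File';     Item = "$env:SystemRoot\System32\drivers\vmmouse.sys" },
    @{ Kind = 'File';     Item = "$env:SystemRoot\System32\drivers\VBoxGuest.sys" },
    @{ Kind = 'File';     Item = "$env:SystemRoot\System32\drivers\VBoxMouse.sys" }
)

# Returns one object per artifact with a Present flag; a vanilla guest should
# report Present = False for every row.
function Test-GuestToolArtifacts {
    foreach ($a in $artifacts) {
        $present = switch ($a.Kind) {
            'Registry' { Test-Path -LiteralPath $a.Item }
            'File'     { Test-Path -LiteralPath $a.Item }
            'Service'  { $null -ne (Get-Service -Name $a.Item -ErrorAction SilentlyContinue) }
        }
        [pscustomobject]@{ Kind = $a.Kind; Item = $a.Item; Present = [bool]$present }
    }
}

# Hardware-level identifiers remain visible even with no tools installed; this
# is what VM-aware samples fall back to, so expect these to give the guest away.
function Get-VirtualHardwareHints {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer     # e.g. 'VMware, Inc.' or 'innotek GmbH'
        Model        = $cs.Model            # e.g. 'VMware Virtual Platform' or 'VirtualBox'
        BiosSerial   = $bios.SerialNumber   # VMware guests report a serial starting 'VMware-'
    }
}

Test-GuestToolArtifacts | Format-Table -AutoSize
Get-VirtualHardwareHints | Format-List
```

If any row comes back with Present = True, the guest is not vanilla and a sample can spot it with a single registry or service lookup. The hardware hints will show up regardless, which is the reason a vanilla guest lowers, rather than removes, the chance of a sample noticing the VM.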
Last, no matter how many VMs a malware analyst has at their disposal, if they need full coverage for dynamic testing they also need some physical hardware they can quickly build up and then revert. The easiest way to do this is with a FOG server and an old desktop or laptop. Using the FOG server you can build a variety of hardware configurations, save the image, then select which one you want pushed to the hardware at boot using the PXE boot options. This is a lot slower than VM software using snapshots, but it is a lot quicker than reconfiguring a machine for every test. I plan to cover how to set up and deploy a FOG server in a later blog post.