Tool Talk #1

To start contributing I thought I would cover some of the tools that I use, and how I use them.

The most valuable tool for any malware analyst is the software that hosts the virtual machines in both the test and analysis environments.  While Windows licenses cost money, the virtual machine software can be free: Oracle’s VirtualBox, the QEMU Project, and VMware’s Player are all free applications that can host virtual machines.  I prefer VirtualBox for its GUI combined with snapshot capabilities, but the others have benefits of their own.  Most of the VM-aware malware I have analyzed looked for VMware signatures.  A couple of samples exercised the floating point unit and compared the results against what real hardware produces in order to detect VirtualBox, but I have not observed any that directly look for QEMU signatures.  Additionally, if you have a server in your arsenal, you can install the free VMware ESXi hypervisor to build intricate networks and manage multiple virtual machines through one interface.  One negative of ESXi is getting memory snapshots from the hypervisor over to the machine you use for memory analysis.

For paid applications, nothing beats VMware Workstation 8.  It has the snapshot capabilities and the virtual network editor, and it can run VMs from remote hosts or act as a client for an ESXi server.

All of these applications can run on a Linux host, which adds a layer of protection when conducting malware analysis.  The malware to be analyzed will typically be targeted at Windows, so a Linux host is not a natural target for the samples you handle.  If the host runs Windows, moving malware around can endanger the host or cause the host’s AV solution to clean a sample before you can get it to the guest.  These problems can be mitigated by moving samples in password-protected archive files, or by using scp to copy them from a non-Windows source to the destination.  With many of the desktop hypervisors, and with an ESXi host, it is also possible to move files through the shared clipboard or by drag and drop with the host.  This is particularly useful when exporting reports generated by tools in the test or analysis environment; keep in mind, though, that the shared clipboard and drag and drop are two-way channels between guest and host, so enable them only when you need to pull a report out and keep them off while a sample is actually running.

My preferred method is to use Workstation 8 on a Linux host.  You can build a series of VMs that can be brought into service very quickly.  Tests can be run and then the guest reverted to a pristine snapshot.  At least one of the guests needs to be a vanilla install of each operating system without VMware Tools installed.  VM-aware malware can still detect that it is running in a VM, but installing VMware Tools makes that check trivial, since the installation leaves registry entries, services and driver files that a sample only has to look for.  Keeping some vanilla installs without VMware Tools lets you quickly move a sample into an environment where it may not notice it is running in a VM.
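To see how cheap that check is for a sample, here is a small script, added as an example and not taken from the original post, that looks for the same VMware Tools artifacts malware typically looks for: the `HKLM\SOFTWARE\VMware, Inc.\VMware Tools` registry key, the VMTools, vmhgfs and vmmouse services, and the Tools daemon and driver files.  Run it inside a guest before you declare it "vanilla".  The artifact list is limited to those well-known locations; the registry and file lookups are injectable so the logic can be exercised on a non-Windows host, and a clean result only means the Tools artifacts are gone, not that the guest is undetectable (BIOS strings, MAC OUIs and CPUID checks remain).

```python
"""Look for the artifacts a VMware Tools installation leaves in a Windows guest.

Added example for this post, not code from the original author or from VMware.
The artifact list covers well-known VMware Tools locations only; the lookup
callables are parameters so the same logic runs offline on a Linux host.
"""
import os
import sys

# Registry keys (under HKLM) created by a VMware Tools installation.
VMWARE_TOOLS_REG_KEYS = [
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"SYSTEM\CurrentControlSet\Services\VMTools",
    r"SYSTEM\CurrentControlSet\Services\vmhgfs",
    r"SYSTEM\CurrentControlSet\Services\vmmouse",
]

# Files installed by VMware Tools (default install paths).
VMWARE_TOOLS_FILES = [
    r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
    r"C:\Windows\System32\drivers\vmmouse.sys",
]


def _hklm_key_exists(subkey):
    """Real registry lookup via winreg; on non-Windows hosts winreg is absent
    and the key is reported as missing."""
    try:
        import winreg
    except ImportError:
        return False
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
            return True
    except OSError:
        return False


def find_vmware_tools_artifacts(key_exists=_hklm_key_exists,
                                file_exists=os.path.exists):
    """Return the list of VMware Tools artifacts present, registry keys first.

    key_exists(subkey) and file_exists(path) default to the real lookups;
    pass substitutes to test the logic without a Windows guest.
    """
    found = []
    for key in VMWARE_TOOLS_REG_KEYS:
        if key_exists(key):
            found.append("HKLM\\" + key)
    for path in VMWARE_TOOLS_FILES:
        if file_exists(path):
            found.append(path)
    return found


if __name__ == "__main__":
    hits = find_vmware_tools_artifacts()
    if hits:
        print("VMware Tools artifacts present; this guest is not vanilla:")
        for hit in hits:
            print("  " + hit)
        sys.exit(1)
    print("No VMware Tools artifacts found.")
```

Copy the script into the guest and run it with the Python interpreter you keep on your analysis image; a non-zero exit means the snapshot you intended as a vanilla install still carries the Tools footprint.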

Last, no matter how many VMs a malware analyst has at their disposal, to be fully covered for dynamic testing they also need some physical hardware they can quickly build up and then revert.  The easiest way to do this is with a FOG server and an old desktop or laptop.  Using the FOG server you can build a variety of configurations on the hardware, save each as an image, then select which one is pushed to the machine at boot through the PXE boot menu.  This is a lot slower than VM software with snapshots, but it is a lot quicker than reconfiguring a machine by hand for each test.  I plan to cover how to set up and deploy a FOG server in a later blog post.

8 thoughts on “Tool Talk #1”

  1. Hi.

    Maybe you could give it a try to Sandboxie + Buster Sandbox Analyzer.

    I would like to hear your comments about it.

    Regards.

  2. Sandboxie protects you only from resident malware (dropping files on the HDD, modifying registry keys, etc.). If you run, for example, a RAT/info stealer in the sandbox, the info will be sent from your computer.

    • There are at least two good solutions to solve this problem:

      * Sandboxie can be configured to avoid that sandboxed processes access certain folders and registry keys, so you could restrict the access to the areas with sensitive information.

      * You could use a dedicated OS to run malware where there is not any information you would mind being leaked.

      Other solutions I do not like:

      * You could restrict internet connections from Sandboxie. The problem is you will miss network behaviors.

      * You could use a tool like FakeNet (sourceforge.net/projects/fakenet/). In this case you will miss network behaviors in Buster Sandbox Analyzer reports, but you could see them in FakeNet.

  3. Yes and no.
    You need a dedicated PC for analysis anyway, and you need to add some fake info (passwords saved in the browser, MSN logins, etc.); if malware programmed to steal info can't find this info, it will not connect to the internet.

    Using freezing software (like Deep Freeze) is much better than a sandbox.

    P.S. Most malware has anti-Sandboxie.

  4. Deep Freeze cannot be used for malware analysis like Sandboxie.

    If you had read about Buster Sandbox Analyzer you would know that it has anti-anti-Sandboxie.

  5. :))
    deep freeze+regshot+Sysinternals+wireshark will be ok
    is you are a hard malware analyzer ida or olly is enough

    anti-anti-sandboxie cand be detected too, like vm can be detected, like debugger, etc any virtual environment can be detected, ideal is to analyze on real machine but take much time, so deep freeze is a compromise
    *is less detected then sandboxie
    *faster then vm
    *it protect your computer
    *but if your malware need computer restart to run, you have to do some tricks
    *etc
    depends of what you want to analyze, if you analyze a program /month is you can use sandboxie, if not choose a better environment
    if you don’t have time to build a lab for analyzing use one of many on-line tools
    http://mwanalysis.org/?site=1&page=submit
    http://www.threatexpert.com/submit.aspx
    http://anubis.iseclab.org/
    etc.

  6. You don’t understand what I want to say. I will explain better.

    Deep Freeze is software to restore the system after changes on disk have been performed, only that.

    Sandboxie not only prevents changes to disk, it also allows code injection (InjectDll feature), it alerts on direct writes to disk, it stores changes to the registry in a file, etc., etc.

    That’s why I say Sandboxie is better than Deep Freeze for analyzing malware.
