Sometimes when analyzing malware, we discover that it behaves differently when run in a virtual machine (VM): it may exhibit different behaviors, or it may just not run at all. Being able to quickly test these samples on real hardware in an efficient manner is a vital capability for a Malware Lab. This can be accomplished by building a Preboot Execution Environment (PXE) boot server and creating pre-configured machine-state images to deploy as needed.
The goal of a PXE Boot Server is to get a disk image onto a target machine when it boots. The target machine's firmware is configured to boot from the network. At power-on it broadcasts a DHCP request; the PXE server answers with an IP address on the LAN plus a boot server address and a boot file name, and the machine downloads that small executable over TFTP and runs it. This executable is a boot-time loader. It can do many things, including uploading the current disk image to the server, downloading a previously saved image and writing it to the HD, or wiping the HD. The machine can also be booted from the HD normally, without any of the boot loader's functions being used. Note that whatever answers the PXE request on that segment controls what the target executes, which is one more reason the lab segment described below is isolated. The easiest free way to do this is to build a FOG Server based on the FOG Project, http://sourceforge.net/projects/freeghost/, by Chuck Syperski and Jian Zhang.
In a Malware Lab, a PXE Server is useful for making multiple images of a target machine in various configurations and selecting which configuration is loaded when the target machine boots. This allows a target machine to be built with various tools installed and pre-configured on a variety of OS versions. For example, I often use WinXP SP3 with various versions of Java, Flash, and Adobe Reader installed when trying to identify what a sample is exploiting. I may also want to run a sample or view a page in IE6, IE7, IE8, or IE9. In large organizations that have multiple baseline images for deployed hardware, a copy of each baseline can be maintained. I can build the hardware up the way I want it, with the installed applications pre-configured, and take an image of its state. This is much like taking a snapshot of a target machine's state in VMware Workstation or another hypervisor. The image can then be used to restore the target machine to the state it was in when the image was taken. While this is nowhere near as fast as hypervisor snapshotting, it is fast enough to be useful. I typically see restore times between 5 and 20 minutes, depending on whether I have chosen to write the whole disk or just partitions.
When building a Lab Network for use with a FOG Server, I isolate the network behind a Linux server acting as a gateway that offers NAT routing, DNS, NTP, firewall, and NFS services. I typically build these gateway servers with the Zentyal suite (http://www.zentyal.com/), which lets me manage the server through a web GUI and gives me granular control over the services available and over access in and out of the network segment. I store the drive images on a network share on this server and leave the FOG Server running only DHCP and PXE boot services for this segment. The network storage is not included in the example presented here.
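The gateway above is configured through Zentyal's web GUI. As an added example, not from the original post or from Zentyal, here is the equivalent packet-filter policy for a plain Linux gateway, written as a shell script that prints (and optionally applies) an iptables-restore ruleset. The interface names eth0 (upstream) and eth1 (lab), the lab network 172.16.25.0/24, NFSv4 on a single port 2049 and the SSH management rule are assumptions; the FOG server address 172.16.25.2 comes from the post.

```shell
#!/bin/sh
# Added example: isolating-gateway firewall for the lab segment, as a script
# that prints (and optionally applies) an iptables-restore ruleset.
# Not from the original post or from Zentyal.  Assumptions (override via env):
#   WAN_IF  eth0  upstream side of the gateway
#   LAB_IF  eth1  lab segment, gateway address 172.16.25.1
#   LAB_NET 172.16.25.0/24, FOG server 172.16.25.2 (addresses from the post)
#   NFS served as NFSv4 (single port 2049); SSH admin access from the WAN side.
WAN_IF="${WAN_IF:-eth0}"
LAB_IF="${LAB_IF:-eth1}"
LAB_NET="${LAB_NET:-172.16.25.0/24}"
FOG_IP="${FOG_IP:-172.16.25.2}"

# lab_gateway_rules EGRESS -> iptables-restore text on stdout.
# EGRESS=1 lets only the FOG server out (for the Ubuntu/FOG updates);
# EGRESS=0 (default) lets nothing in the lab reach the Internet.
# In both cases the lab may use DNS, NTP and NFS on the gateway itself, and
# nothing from outside may initiate a connection into the lab.
lab_gateway_rules() {
    egress="${1:-0}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAB_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# admin SSH from the management (upstream) side only
-A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT
# services the lab segment may use on the gateway itself
-A INPUT -i $LAB_IF -s $LAB_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAB_IF -s $LAB_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAB_IF -s $LAB_NET -p udp --dport 123 -j ACCEPT
-A INPUT -i $LAB_IF -s $LAB_NET -p icmp -j ACCEPT
# only the FOG server mounts the image share
-A INPUT -i $LAB_IF -s $FOG_IP -p tcp --dport 2049 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$egress" = "1" ]; then
        echo "# FOG server may reach the Internet for Ubuntu and FOG updates"
        echo "-A FORWARD -i $LAB_IF -o $WAN_IF -s $FOG_IP -j ACCEPT"
    fi
    cat <<EOF
# everything else leaving the lab, including the malware targets, is logged and dropped
-A FORWARD -i $LAB_IF -o $WAN_IF -j LOG --log-prefix "lab-egress-drop: "
-A FORWARD -i $LAB_IF -o $WAN_IF -j DROP
COMMIT
EOF
}

# Usage:  sh lab-gw.sh print                (review the ruleset)
#         LAB_EGRESS=1 sh lab-gw.sh apply   (load it, as root, while updating FOG)
case "${1:-}" in
    print) lab_gateway_rules "${LAB_EGRESS:-0}" ;;
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null
           lab_gateway_rules "${LAB_EGRESS:-0}" | iptables-restore ;;
esac
```

The design point is that the targets never get a route out: DNS lookups from a running sample still reach the gateway's resolver, where they can be logged, but the connection that follows hits the FORWARD drop rule. Egress for the FOG server is a switch you turn on for the update step and off again afterwards.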
For this demonstration I will be using VMware Workstation 8 with a custom network. In reality, it may be better to utilize hardware for the FOG Server, but I have had success running it in ESXi and VMware workstation environments.
On this network there will be two primary machines:
- FOG Server: built from the FOG VM image (v0.27), default Ubuntu install, then updated (Ubuntu first, FOG service second). IP address 172.16.25.2/24, GW/DNS 172.16.25.1.
- FOGTestXP: a base install of WinXP SP3 with no updates, no AV installed, 1 GB memory, 20 GB HD, and an OS IP address of 172.16.25.3/24. (I could not get imaging to work with a VMware Workstation target: it would upload an image but not deploy it correctly, so I will describe how I used the server to image an old netbook. The screenshots were made with the VMware FOGTestXP VM.)
The first step is to open the FOG Server VM image for v0.27 in VMware Workstation. For this example I chose the normal installation (the defaults). When the VM powers up, the install process begins automatically and asks a series of questions. For my Malware Lab, these are the answers I gave:
- What type of installation would you like to do? [N] n
- What is the IP address to be used by this FOG Server? [current address] 172.16.25.2
- Would you like to setup a router address for the DHCP server? [Y/n] n
- Would you like to setup a DNS address for the DHCP server and client boot image? [Y/n] n
- Would you like to change the default network interface from eth0? If you are not sure, select No. [y/N] n
- Would you like to use the FOG server for dhcp service? [Y/n] Y
Once the installer finishes:
- When prompted to log in, the username is root and the password is password. Change it right away: this server hands a boot loader to every machine on the segment and should not keep a default credential.
- From the main menu, update Ubuntu first, then update FOG. The FOG Server needs access to the Internet for both updates.
- When the FOG service updates, the questions listed above are asked again; give the same answers. There is one additional question about languages.
- This brings the server up to the current version of FOG (0.32 as of this writing).
- Test the FOG Server by putting its IP address into a browser on a machine that has a route to it.
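The browser test only proves the web server is up. As an added example (not from the original post or the FOG Project), the shell script below checks the two things a PXE client actually depends on before you boot the first target: that the dhcpd configuration names the FOG server as next-server together with a boot file name, and that the named boot file is present under the TFTP root. The config path /etc/dhcp3/dhcpd.conf and the TFTP root /tftpboot are assumptions for a FOG 0.32 install; override them with environment variables if your server differs.

```shell
#!/bin/sh
# Added example: pre-flight checks for the FOG server's PXE pieces.
# Not from the original post or the FOG Project.  Assumed locations for a
# FOG 0.32 install (override via environment variables if yours differ):
FOG_IP="${FOG_IP:-172.16.25.2}"                    # from the post
DHCPD_CONF="${DHCPD_CONF:-/etc/dhcp3/dhcpd.conf}"  # assumed ISC dhcpd config path
TFTP_ROOT="${TFTP_ROOT:-/tftpboot}"                # assumed TFTP root

# dhcpd_directive CONF KEY -> value of the first "KEY value;" line, with
# comments and surrounding quotes stripped; prints nothing if it is absent.
dhcpd_directive() {
    conf="$1"; key="$2"
    sed -e 's/#.*//' "$conf" |
      sed -n "s/^[[:space:]]*$key[[:space:]]\{1,\}\"\{0,1\}\([^\";]*\)\"\{0,1\}[[:space:]]*;.*/\1/p" |
      head -n 1
}

# check_pxe_conf CONF FOG_IP -> 0 if dhcpd points PXE clients at FOG_IP and
# names a boot file, 1 (with the reason on stderr) otherwise.  A client that
# gets an address but no next-server/filename just sits at the PXE prompt.
check_pxe_conf() {
    conf="$1"; want_ip="$2"; rc=0
    ns="$(dhcpd_directive "$conf" next-server)"
    fn="$(dhcpd_directive "$conf" filename)"
    if [ "$ns" != "$want_ip" ]; then
        echo "next-server is '${ns:-unset}', expected $want_ip" >&2; rc=1
    fi
    if [ -z "$fn" ]; then
        echo "no filename directive: clients get an address but no boot loader" >&2; rc=1
    fi
    return $rc
}

# check_boot_file TFTP_ROOT FILE -> 0 if the loader dhcpd advertises is
# actually there to be served, 1 otherwise.
check_boot_file() {
    if [ ! -r "$1/$2" ]; then
        echo "$2 not found under $1; the client's TFTP request will time out" >&2
        return 1
    fi
    return 0
}

# Run against the live server with:  sh fog-check.sh check
if [ "${1:-}" = "check" ]; then
    check_pxe_conf "$DHCPD_CONF" "$FOG_IP" || exit 1
    check_boot_file "$TFTP_ROOT" "$(dhcpd_directive "$DHCPD_CONF" filename)" || exit 1
    echo "dhcpd points PXE clients at $FOG_IP and the loader is present in $TFTP_ROOT"
fi
```

If the first check fails after a FOG update, it usually means the installer rewrote dhcpd.conf with a different answer than the one given the first time, which is why the same answers are given on the second pass.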
Do a clean install of the target machine, then install any extra software that should be available when the image is restored. Once the OS and software are in the state to be saved, gracefully shut the target machine down. Make sure the target machine is connected to the same network segment as the FOG Server. Boot the target machine and enter the BIOS setup. Make sure the network card is listed before the HD in the boot order and save the configuration. With the NIC first, the machine asks the FOG Server what to do on every boot; when no task is pending, FOG simply hands it back to the HD.
After saving and rebooting, the FOG Server should answer the target machine's PXE DHCP request and send it the small boot loader. The screen on the target machine should look like this:
As indicated in the figure, select Perform Full Host Registration and Inventory and hit Enter. Go with the default values for all questions. Do not image the machine during this phase. After the Inventory is done, power off the target machine.
In the FOG web GUI, open the host list, select the newly registered target and go to its Basic Tasks (the host needs an image definition assigned first, so the upload has somewhere to go). I usually check the Shutdown after task completion box, but it is not required. Then click the Upload Image button. This queues a task so that the next time the target machine boots, it sends an image of its disk to the FOG Server.
While there was an initial burst, my LAN settled on about 900 MiB/min so the image took about 4 minutes to save.
Once the image is saved, the target machine shuts down. From then on, I can restore the machine to the state it was in when the image was taken by selecting it for deployment in the web GUI: go back to Basic Tasks for the target machine and select Deploy:
There you have a basic setup for a FOG Server. While I prefer to use virtual machines, a FOG Server is a useful tool for analyzing VM-aware malware. It records a machine's state and gives convenient GUI-based management of hosts and images.