Sometimes when analyzing malware, we discover that it behaves differently when run in a virtual machine (VM). It may exhibit different behaviors or it may just not run at all. Being able to quickly test these samples on real hardware in an efficient manner is a vital function to have available in a Malware Lab. This can be accomplished by building up a Preboot Execution Environment (PXE) Boot Server and creating various pre-configured machines state images to deploy as needed. Continue reading
To start contributing I thought I would cover some of the tools that I use, and how I use them.
The most valuable tool for any malware analyst is the software that hosts their virtual machines in both their test and analysis environments. While windows licenses cost money, the virtual machine software can be free. Oracle’s VirtualBox, the QEMU Project, and VMware’s Player are free applications that can host virtual machines. While I prefer VirtualBox due to the GUI combined with snapshot capabilities, the others provide some additional benefits. Most of the malware that I have analyzed that was VM aware looked for VMware signatures. A couple of the samples did things with the floating point processor to detect abnormal results and detected VirtualBox, but I have not observed any that directly look for QEMU signatures. Additionally, if you have a server in your arsenal, you can install the free VMware ESXi hypervisor to build intricate networks and manage the multiple virtual machines through one interface. One of the negatives of the ESXi application is getting memory snapshots from the hypervisor to the machine you use to do memory analysis. Continue reading