null_endian

Lab Question


Hello,

So I am new to this and reading several books, including Practical Malware Analysis.

I only have 2 usable computers: one is my main machine, which is a brand-new i7 with 16 GB of RAM (expandable to 32 GB) and a GPU, running Win 10; the other is my old Core 2 Duo T6600 machine from 2009 with 4 GB of RAM that I have Linux on.

My initial thought for creating a malware analysis lab was to use the Linux box with a virtual machine running Windows... However, last night I quickly discovered that was not going to happen because the computer is frankly too old to run a VM smoothly, especially since the processor doesn't have virtualization.

So that means I've got to do it on my main machine, unfortunately, because that's all I can afford right now. I'm not looking for a 100% guarantee here, but these are the precautions I figure I would take just in case malware ever broke out of my VM:

1. Always keep VirtualBox up to date.

2. Analyze malware that is already well-known and isn't totally destructive in the first place (start with spyware and adware, for example).

3. Analyze malware that my main machine's anti-malware software recognizes so that if it were to get out somehow, at least it would be picked up by the software and I could promptly remove it.

4. If I do decide to work on a bigger threat such as ransomware or an MBR virus or something, make sure that the host machine is completely backed up first.


This is all I could think of. Once again, unfortunately I just don't have the resources to have a fast dedicated lab machine right now, but I can't let that stop me from getting into malware analysis as I'm highly interested in it. Plus, from the sounds of it, malware escaping a VM isn't super common, and I figure that in a controlled environment I can make sure I work on malware which doesn't do that for a while. Any other advice/critiques appreciated.

Last but not least, when someone says to isolate the lab's network, how important is this on a plain wifi connection? I have several PCs on a wifi router, but other than connecting to the router to access the net, they are not networked (I don't do file sharing with them). Does this mean that I still should not even access this wifi with the lab computer? Sorry for my ignorance, but I have little experience with home networks.


Just an idea - maybe use your old laptop as a full-featured malware research platform? Get a small SSD, put WinXP or Win7 and reversing tools on it, prepare a full HD image and restore it from a flash drive after each reversing session?
If you want to use Linux, either dual-boot your main machine or have Linux in a VM on the main machine.

 

As for using main machine and VirtualBox - ordinary malware doesn't escape VMs. But people do make mistakes. Keep that in mind when considering what's important and what's not.

Step #1 - make sure you don't accidentally run malware files on your main machine. Simplest solution is to rename all files to a different extension to avoid misclicks (.exe -> .ex_, .bat -> .ba_, etc..). You can also use Windows administrative policies to lock down the folder where your malware lives, so no files can be run from that folder.

Step #2 - think how you'll get data to and from the VM. If you'll be sharing a folder of your main machine with a VM, assume that everything in that folder is potentially infected and should never be executed on the main machine. See #1.
If you'll be using the clipboard, you need to be careful what you copy-paste and where.

Step #3 - think how you'll set up the network in the VM. Ideally your "lab" would be on an isolated network - but it's a pain to set up. I personally prefer to have a VM without network (or NAT, if it's really, really necessary).

Step #4 - make a regular backup of everything of value. If you play with malware, the question is not if you'll get infected but when.

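Steps #1 to #3 of the post above, as an added example that is not the poster's own code: a bash script that defangs the extensions in a quarantine folder, records the samples' SHA-256 hashes (which the rename does not change, so the hash remains the sample's identity), and strips the VM's paths back to the host through the VBoxManage CLI. It assumes bash and VBoxManage on PATH (on a Windows host, run it from Git Bash or WSL) and a powered-off VM; the VM name, quarantine directory and network mode are arguments, the share name "samples" and the extension list are my own choices, not anything from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: host-side preparation for a
# VirtualBox malware lab. Assumes bash and the VBoxManage CLI on PATH (on a
# Windows host, run from Git Bash or WSL) and a powered-off VM. The VM name,
# quarantine directory and network mode are arguments; the extension list
# is my own choice.
#
# Usage: ./lab-prep.sh <vm-name> <quarantine-dir> [none|nat]
set -euo pipefail

# Extensions that Explorer, cmd.exe or the script host will run on a
# double-click. The last letter becomes "_" (exe -> ex_, bat -> ba_);
# two-letter ones just gain it (js -> js_). The type stays recognisable,
# but no handler is registered for the new extension.
DANGEROUS_EXT='exe dll scr com pif bat cmd vbs vbe js jse wsf wsh ps1 hta msi lnk jar'

defang_name() {                      # defang_name sample.EXE -> sample.ex_
    local name=$1 ext lc d
    ext=${name##*.}
    [ "$ext" != "$name" ] || { printf '%s\n' "$name"; return; }   # no extension
    lc=$(printf '%s' "$ext" | tr 'A-Z' 'a-z')
    for d in $DANGEROUS_EXT; do
        if [ "$lc" = "$d" ]; then
            [ ${#lc} -lt 3 ] || lc=${lc%?}
            printf '%s.%s_\n' "${name%.*}" "$lc"
            return
        fi
    done
    printf '%s\n' "$name"
}

defang_dir() {                       # rename every sample in a directory
    local dir=$1 f base new
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        new=$(defang_name "$base")
        [ "$new" != "$base" ] || continue
        if [ -e "$dir/$new" ]; then
            printf 'skip %s: %s already exists\n' "$base" "$new" >&2
            continue
        fi
        mv "$f" "$dir/$new"
    done
}

hash_file() {                        # SHA-256 does not change with the rename,
    if command -v sha256sum >/dev/null 2>&1; then   # so it stays the sample's identity
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

write_manifest() {                   # write_manifest <dir> <manifest>; keep the
    local dir=$1 out=$2 f            # manifest outside the quarantine directory
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(hash_file "$f")" "${f##*/}" >> "$out"
    done
}

isolate_vm() {                       # isolate_vm <vm> <none|nat> <quarantine-dir>
    local vm=$1 nic=$2 dir=$3
    # "none" removes the adapter. With "nat" the guest can still reach every
    # host the host can, including the router's admin page, so use it only
    # when the sample must talk out.
    VBoxManage modifyvm "$vm" --nic1 "$nic"
    # Nothing crosses the host/guest boundary implicitly.
    VBoxManage modifyvm "$vm" --clipboard-mode disabled   # --clipboard before 6.1
    VBoxManage modifyvm "$vm" --draganddrop disabled
    # The quarantine is shared read-only: the guest can read the samples but
    # cannot drop anything back into the host's folder.
    VBoxManage sharedfolder remove "$vm" --name samples >/dev/null 2>&1 || true
    VBoxManage sharedfolder add "$vm" --name samples --hostpath "$dir" \
        --readonly --automount
}

snapshot_clean() {                   # the baseline you revert to after each run:
    VBoxManage snapshot "$1" take clean --description "pre-analysis baseline"
}                                    # VBoxManage snapshot <vm> restore clean

main() {
    [ "$#" -ge 2 ] || { echo "usage: $0 <vm-name> <quarantine-dir> [none|nat]" >&2; return 1; }
    local vm=$1 dir=$2 nic=${3:-none}
    defang_dir "$dir"
    write_manifest "$dir" "${dir%/}.sha256"
    isolate_vm "$vm" "$nic" "$dir"
    snapshot_clean "$vm"
}

[ "$#" -eq 0 ] || main "$@"
```

The read-only share is the cheap half of Step #2: the host folder can only change from the host side, so anything in it is something you put there. The clipboard and drag-and-drop switches cover the other half. Revert to the "clean" snapshot after every session rather than trusting the guest to clean itself up.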

There are two other suggestions that I can give.

One is that there are many Linux LIVE distros specialized for malware analysis. Just do a quick Google search and ask if you have further queries. We do use them in many a case scenario, especially when analysis needs to be done in the field, when we do not have access to a full-blown lab.

Another way: create a Windows To Go LIVE USB and install all your tools on it. You can boot directly from it on your PC and then do your analysis. If you go for this method, MAKE SURE that you do NOT mount the system's hard drives, using the appropriate policy/registry settings, as otherwise the malware can simply jump onto and infect the hard drives directly! Also, make sure that you run with the LOWEST privileges possible in the Windows To Go (don't run as ADMIN, for example; Guest or User is fine).

While sophisticated/targeted malware may be able to infect the hard drive from the USB, generally speaking, most common malware is confined to the OS it is running on, in addition to the disk partitions that it can "see". So as long as you do not MOUNT the system's partitions/hard drive, you are generally OK.

This method of using the Windows To Go drive is one of my personal favourites, which I use quite regularly in the field when I visit my clients' offices and do not have access to the lab at that time. We create and keep several 32GB USB pen drives (UFDs) with an image of Windows and tools on them and then use them as necessary.

Do note that the best practice would be EITHER to configure the Windows To Go drive to RESET itself to its original state after a reboot OR to just format and re-image the drive after every "major" session.

We use the "re-imaging method" as that is more sure, rather than relying on the Windows OS to reset itself after a reboot. What we do is initially create a MASTER Windows To Go image with all the analysis tools installed, using any imaging tool (like Symantec Ghost, for example), and then "apply" the image to any and all USB drives that we need to make as Windows To Go. It takes around 15 mins with a USB 3 port. There is of course the concern that repeated reformats and writes could shorten the life of the UFD drive, but then again, with the drives being so cheap these days, that should not be a major concern.

If you decide to go the way of the Windows To Go method and need any further info, please let me know and I will advise further.

All said and done, what we always recommend, if you have the resources, is to keep the malware analysis machines PHYSICALLY separate wherever possible (i.e. use a different physical computer for the malware analysis if possible).

Cheers :)

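The re-imaging workflow in the post above, as an added example rather than the poster's Ghost procedure: a bash helper that applies a master image to a USB drive with dd, refuses if anything on the target (or one of its partitions) is currently mounted, and reads the written bytes back to verify them, which is the check a tired drive or a mistyped device name would otherwise slip past. It assumes a Linux or macOS host with coreutils, and that the image is written from a separate clean machine, never from the analysis OS itself; the image and device paths are arguments, and the MOUNT_TABLE override is there only so the mount check can be exercised against a constructed mount table.

```shell
#!/usr/bin/env bash
# Added example, not the poster's Ghost workflow: re-apply a master image to
# a throwaway analysis drive and prove the write before the next session.
# Assumes a Linux or macOS host with coreutils. Both paths are arguments;
# MOUNT_TABLE is overridable only so the mount check can be tested against a
# constructed table.
#
# Usage: sudo ./reimage.sh <master.img> </dev/sdX>
set -euo pipefail

MOUNT_TABLE=${MOUNT_TABLE:-/proc/mounts}

# True if any mounted filesystem lives on the device or one of its
# partitions (/dev/sdb1 when the target is /dev/sdb). Pass the whole
# device path; a prefix such as /dev/sd would match every disk.
device_is_mounted() {
    local dev=$1
    if [ -r "$MOUNT_TABLE" ]; then
        awk -v d="$dev" 'index($1, d) == 1 { f = 1 } END { exit !f }' "$MOUNT_TABLE"
    else   # no procfs (macOS): mount(8) prints the device as its first field
        mount | awk -v d="$dev" 'index($1, d) == 1 { f = 1 } END { exit !f }'
    fi
}

# Exit codes: 0 written and verified, 2 image unreadable,
# 3 target has something mounted, 4 read-back does not match.
reimage() {                          # reimage <master.img> <device>
    local img=$1 dev=$2 size
    [ -r "$img" ] || { echo "image $img is not readable" >&2; return 2; }
    if device_is_mounted "$dev"; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2
        return 3
    fi
    size=$(wc -c < "$img" | tr -d ' ')
    dd if="$img" of="$dev" bs=1048576
    sync
    # Read back exactly the bytes written and compare them with the master,
    # so a worn-out stick or a wrong target shows up now, not mid-analysis.
    if head -c "$size" "$dev" | cmp -s - "$img"; then
        echo "verified $size bytes on $dev"
    else
        echo "VERIFY FAILED on $dev, do not use this drive" >&2
        return 4
    fi
}

[ "$#" -eq 0 ] || reimage "$@"
```

The mount check is the safety interlock: the most common way to lose a host disk with dd is not malware but passing the wrong device, and a mounted target is almost always the wrong one. The read-back compare is what makes the "re-image after every major session" practice trustworthy on drives that are rewritten dozens of times.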
Quote

Step #1 - make sure you don't accidentally run malware files on your main machine. Simplest solution is to rename all files to a different extension to avoid misclicks (.exe -> .ex_, .bat -> .ba_, etc..). You can also use Windows administrative policies to lock down the folder where your malware lives, so no files can be run from that folder.

As an alternative, you can keep your malware on the main machine as password-protected rar/zip archives... with the usual password: "infected".

And never unpack those files on your main machine.

 

Also, don't forget to isolate your VM before starting (VMware-related topics... it's just better, IMO!):

"Bypassing Virtual Machine Detection on VMWare Workstation":

http://www.unibia.com/unibianet/systems-networking/bypassing-virtual-machine-detection-vmware-workstation

And this one as well: "Can you hide virtual machine from a program?"

https://communities.vmware.com/thread/216331?tstart=0

 

*P.S: maybe there are also similar topics for VBox

*P.P.S: some malware might infect your router, so yeah... better not to connect your box to your home network ;)

 

Happy analysis!


@Techlord Hi

If we want to remove some Windows pre-installed packages (to make it a little less bulky), are there any suggestions on which components we can remove safely (like Cortana) and how to remove them safely?

Thanks in advance!!
