Hardening VMs for static malware analysis
How to prepare a VM for the purpose of static behavioral analysis of malware
Problem
At the Helpline we sometimes receive requests to analyze a malicious file, URL or phishing message. It is dangerous to download and analyze these files on your work environment. This article provides instructions on how to set up a virtual machine and secure it for use in analysis.
Solution
When conducting static analysis, the file being studied is not meant to be run. The intention is to analyze the information that is hidden in the file itself. Although it should be safe to conduct such analysis on your work environment, it is important to consider that some malware is self-triggered and that human errors sometimes happen. For these reasons it is better to have the malicious file in a secure environment before proceeding with analysis.
Selecting and installing the Guest OS
To conduct static analysis of files you will need different tools that allow you to extract source code, look at file fingerprints and hashes, and perform memory dumping and packet detection. Selecting the right operating system for your guest VM is key. It is also important to select a guest OS that is different from the target OS of the malware: for example, if the malware is made for Windows, then you should use Linux. This will prevent affecting the VM if the file is accidentally executed.
There are several Linux distributions that already come with many of the tools needed for static analysis, such as:
- REMnux: A distro for both static and dynamic analysis.
- Kali Linux: Kali is meant for penetration testing, but also includes tools for forensic analysis and reverse engineering that can be useful.
Selecting the virtualization software
Oracle VM’s VirtualBox is a free and open-source hosted hypervisor for x86 virtualization, currently owned by Oracle Corporation. Because it is open-source it is the go-to option, and this article will focus on its configuration.
An alternative to VirtualBox is VMware Player, a hosted hypervisor that runs on x64 versions of Windows and Linux operating systems. It is distributed as freeware and is a valid option if you are more familiar with it than VirtualBox.
Hardening the virtualization software and VMs
Follow these recommendations to secure the virtualization software and prevent the malware from affecting the host OS in case it is accidentally run.
1. Update software to the latest available version
Make sure you are running the latest version of the virtualization software. If you’re not sure which version you have, download the latest version from the official website or by using the official Linux repositories:
2. Isolate network connectivity
Make sure that the guest OS does not have access to the Internet by using the Host Only Network option.
3. Remove Unnecessary Hardware Devices via BIOS
Disable:
- Serial ports
- Parallel ports
- Floppy disk controller
4. Uninstall VirtualBox Guest Addition
Some advanced malware can detect if it is being run inside a VM and adjust its behavior or delete itself to prevent analysis. For this reason it is recommended to uninstall the extension VirtualBox Guest Addition.
5. Disable Shared Folders
Shared Folders are a way of copying files from the guest OS to the Host OS and vice-versa. It is good practice to disable this functionality to prevent malicious files from adding files to your Host machine.
6. Take a Snapshot
Once your VM and virtualization software are configured and ready for analysis, take a snapshot and save it. This way you will have a clean version of your guest machine for every individual analysis.
7. Do not execute samples
Static analysis is meant to analyze the file itself and not its behavior. A good practice is to remove the file extension from the file name to prevent the OS from automatically running the file.
Comments
When conducting static analysis, the idea is to study the malicious file and its contents without executing it. All the measures explained in this article are fail-safe mechanisms to prevent problems in case the file is accidentally executed.
Additional resources
- Cheat sheets for reverse engineering and malicious file analysis
- FLARE VM - a fully customizable, Windows-based security distribution for malware analysis
- Cuckoo Sandbox: open source automated malware analysis system
- Book: Reverse Engineering for Beginners
- Static malware analysis guide
- Basic static analysis