Using VMware Virtual environments to make malware visible

Source: Internet
Author: User
Tags: documentation, vmware, server

As network administrators, malware analysis may not be our main job. However, when a piece of malware interferes with a desktop application, you may need to understand the nature of this unfamiliar malicious code. In general, starting your investigation with behavioral analysis, that is, observing how the malware affects the file system, the registry and the network, quickly produces highly valuable results. Virtualization software such as VMware can help a great deal in this analysis process.

VMware is "virtual PC" software that lets you run two or more Windows, DOS and Linux systems on a single machine. VMware uses a completely different concept from a multi-boot system: a multi-boot system can run only one operating system at a time and needs a reboot to switch between them, whereas VMware runs the guest systems truly at the same time, switching between them on the host platform just as you switch between standard Windows applications. Each operating system can be partitioned and configured virtually without affecting the data on the real hard disk, and you can even connect several virtual machines through a virtual network card into a LAN, which is extremely convenient. But today we are going to talk about how to use VMware to analyze malware.

Benefits of using VMware to analyze malicious software

VMware lets several emulated computers run on one physical system at the same time. Compared with a lab built from separate physical components, this approach has several benefits for the behavioral analysis of malicious software:

In the analysis lab it is often useful to have several systems, so that the malware only interacts with a simulated Internet. With VMware you can build a multi-component lab without bearing the burden of multiple physical systems.

Capturing a snapshot of the system state before it is infected with malware, and taking further snapshots periodically during the analysis, saves time: a snapshot provides a simple way to restore the target system almost instantly. VMware makes this restoration fairly easy with its integrated snapshot features. VMware Workstation, a commercial product, allows multiple snapshots to be taken. VMware Server is free software that supports only a single snapshot. VMware Player is also free software, but it cannot capture system snapshots.

VMware's host-only network option is extremely convenient for connecting the virtual systems through a simulated network without additional hardware. This setting spares the analyst from having to connect the lab environment to the production network. When listening in promiscuous mode, a system on the host-only network can see all traffic on the emulated network, which makes it easy to monitor the malware's network interaction.

Start using VMware to analyze malicious software

Preparing a VMware-based analysis lab is fairly straightforward. You need a system with plenty of memory and disk space to act as the physical host. You also need the necessary software: VMware Workstation or VMware Server, and installation media for the operating systems to be deployed in the lab.

VMware emulates computer hardware, so you have to install an operating system into every virtual machine you create with VMware's New Virtual Machine Wizard. After the operating system is installed, install the VMware Tools package, which optimizes the guest's operation under VMware. Then install the appropriate malware analysis software.

The author recommends that the lab contain virtual hosts running several different operating systems, each representing a potential target of a malware attack. This makes it easier to observe malicious programs in a local environment. If you are using VMware Workstation, you should take snapshots of the virtual systems at different points during the installation of security updates, which allows you to analyze malware at different patch levels.
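The behavioral analysis described in the introduction starts from a clean baseline of the guest's file system and a comparison after the sample has run. The following Python script is an added example, not code from the original article: it hashes every file under a directory tree before and after execution and reports what was added, removed or modified. The sample directory and file names in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 20):
    """SHA-256 of one file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot_tree(root):
    """Map each regular file under root (POSIX relative path) to its SHA-256.
    Symlinks are skipped; files that vanish mid-walk (e.g. deleted by the sample) are ignored."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                result[p.relative_to(root).as_posix()] = hash_file(p)
            except OSError:
                continue
    return result

def diff_snapshots(before, after):
    """Classify changes between a clean baseline and a post-execution snapshot."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def demo():
    """Constructed run: baseline a tree, mimic a sample dropping/altering/deleting files, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "config.ini").write_text("[app]\nupdate=1\n")
        before = snapshot_tree(root)
        (root / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")
        (root / "bin" / "svchost32.exe").write_bytes(b"MZ\x90\x00dropped")
        (root / "config.ini").unlink()
        return diff_snapshots(before, snapshot_tree(root))
```

In practice, run snapshot_tree() on the guest before execution, save the result, run the sample, and diff against a fresh snapshot; the VMware snapshot then restores the guest for the next run.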

Ensuring the safety of production systems

When dealing with malware, precautions must be taken so that the production network is not infected. Such infection and damage can occur if a malware sample is handled improperly, or if a bug in the VMware installation is exploited. Several vulnerabilities in VMware are already publicly known which, in theory, allow malicious code to find its way from a virtual system to the physical host. Interested readers can look up the relevant documentation.

To mitigate these risks, the author recommends the following measures:

Keep up with VMware security patches: check its web site often and download the latest patches.

Use a dedicated physical host for the VMware-based test environment and do not use it for any other purpose.

Do not connect the physical test system to the production network.

Monitor the physical host with host-based intrusion detection software, such as a file integrity checker.

Periodically image the physical host with cloning software such as Norton Ghost. If this is too slow, consider using a hardware module, such as Core Restore, to undo changes to the system state.

One of the challenges of using VMware for malware analysis is that malicious code may detect that it is running inside a virtual system, which tells the malware that it is being analyzed. If you cannot patch the sample's code to remove this check, you can reconfigure VMware to make the virtual machine less conspicuous; refer to the following documentation for the settings to place in the VM's .vmx file. The biggest drawback of these settings is that they may degrade the performance of the virtual system; note also that they are not supported by VMware.
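Since the .vmx file is where a lab VM's networking and guest/host isolation are configured, a quick policy check before each run catches the mistakes the precautions above warn about. The following Python script is an added example, not code from the original article: it parses a .vmx file and verifies that every network adapter is on the host-only network and that the guest/host sharing channels (shared folders, copy/paste, drag-and-drop) are disabled. The .vmx key names are VMware's; the policy itself, the SAMPLE_VMX contents and the function names are this example's own assumptions.

```python
import re

# Lab policy assumed for this added example: every NIC host-only, and the
# guest/host sharing channels (shared folders, copy/paste, drag-and-drop)
# disabled. The .vmx keys are VMware's; the policy and sample file are ours.
SHARING_KEYS = ("isolation.tools.hgfs.disable", "isolation.tools.copy.disable",
                "isolation.tools.paste.disable", "isolation.tools.dnd.disable")

def parse_vmx(text):
    """Turn the key = "value" lines of a .vmx file into a dict.
    VMware treats keys case-insensitively, so they are lower-cased here."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([\w.:-]+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def check_vmx(cfg):
    """Return policy findings for a parsed .vmx; an empty list means compliant."""
    findings = []
    for key, value in sorted(cfg.items()):
        m = re.fullmatch(r"ethernet(\d+)\.connectiontype", key)
        if not m:
            continue
        present = cfg.get(f"ethernet{m.group(1)}.present", "true").lower() == "true"
        if present and value.lower() != "hostonly":
            findings.append(f"{key} = {value}: lab NICs must be host-only")
    for key in SHARING_KEYS:
        if cfg.get(key, "false").lower() != "true":
            findings.append(f"{key} is not TRUE: guest/host sharing channel is open")
    return findings

# Constructed sample: one adapter on NAT and shared folders left enabled.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "analysis-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
isolation.tools.hgfs.disable = "FALSE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
'''
```

Run check_vmx(parse_vmx(open("lab.vmx").read())) against a real VM's file; the sample above yields two findings, the NAT adapter and the enabled shared folders.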

Virtualization choices and policies

Of course, VMware is not the only virtualization software that can be used for malware analysis. Common alternatives include Microsoft's Virtual PC and Parallels Workstation.

Virtualization software provides a time-saving way to build a malware analysis environment. However, be sure to establish the necessary controls to prevent the malware from escaping your test environment. With a well-configured test environment, we can take full advantage of malware analysis techniques.
