For a network administrator, malware analysis may not be the most important task. But when malware hits a desktop application on your network, you will want to understand the nature of the unfamiliar malicious code. Behaviour analysis is usually the place to start: observe how the malware affects the file system, the registry and the network, and you quickly obtain very valuable results. Virtualization software such as VMware is a great help in this process.
VMware is "virtual PC" software that lets you run two or more Windows, DOS and Linux systems simultaneously on one machine. Its concept is completely different from a multi-boot setup: a multi-boot system runs only one operating system at a time, and switching requires a reboot, whereas with VMware the guest systems are truly running at the same time and you switch between them from the host system's desktop just as you would between ordinary Windows applications. You can also partition and configure virtual disks inside each guest without touching the data on the real hard disk, and you can even connect several virtual machines to a LAN through the virtual NIC, which is extremely convenient. Today, however, we will discuss how to use VMware to analyze malware.
Benefits of using VMware to analyze malware
VMware can simulate multiple computers running at the same time on one physical system. Compared with a lab built from separate physical machines, this approach has several advantages for malware behaviour analysis:
In an analysis lab it is usually useful to have several systems, so that the malware interacts only with simulated Internet components. With VMware you can build such a multi-component lab without the clutter of multiple physical machines.
A snapshot of the system state can be captured before the malware infection, and the snapshot can be restored as often as the analysis requires, which saves a great deal of time. VMware's integrated snapshot feature makes restoring the target system almost instantaneous. The commercial product, VMware Workstation, supports multiple snapshots; VMware Server is free but supports only a single snapshot; VMware Player is also free and cannot take snapshots at all.
VMware's host-only networking option makes it very convenient to connect to the virtual systems over a simulated network without any extra hardware. With this setting, analysts have little reason to connect the lab environment to the production network. Because a host-only network lets a virtual system running in promiscuous mode see all traffic on the simulated network, it is easy to monitor the malware's network interaction.
Starting to use VMware to analyze malware
Preparing a VMware-based analysis lab is quite simple. You need a system with plenty of memory and disk space to act as the physical host, plus the required software: VMware Workstation or Server, and installation media for the operating systems you want to deploy in the lab.
VMware emulates computer hardware, so you must install an operating system on each virtual machine. Virtual machines are created with VMware's New Virtual Machine Wizard. After the operating system is installed, install the VMware Tools package so the guest runs well under VMware, and then install the appropriate malware analysis software.
I recommend that the lab environment contain several virtual hosts running different operating systems, each representing a possible target of the malware, so that we can observe the malicious program in its native environment. If you use VMware Workstation, capture snapshots of the virtual system at different points while installing security updates, so that you can analyze the malware at different patch levels.
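As an added example (not code from the original article or from VMware), this Python script drives the snapshot workflow described above through VMware's vmrun command-line tool: revert the VM to its clean snapshot, stage a sample in the guest, run it, and snapshot the infected state. It assumes VMware Workstation (`-T ws`); the VM path, snapshot names, guest account and guest directory passed by the caller are placeholders.

```python
"""Drive one detonation in a VMware analysis VM with VMware's vmrun CLI:
revert to the clean snapshot, stage the sample, run it, snapshot the result.
Added example for this article; the VM path, snapshot names, guest account
and guest paths used by callers are constructed placeholders."""
import subprocess
from typing import Callable, List, Optional

VMRUN = "vmrun"
PRODUCT = "ws"  # VMware Workstation; VMware Server uses "server"


def vmrun_cmd(command: str, *args: str,
              guest_user: Optional[str] = None, guest_pass: str = "") -> List[str]:
    """Build one vmrun command line; -gu/-gp are only needed for in-guest operations."""
    cmd = [VMRUN, "-T", PRODUCT]
    if guest_user is not None:
        cmd += ["-gu", guest_user, "-gp", guest_pass]
    cmd += [command, *args]
    return cmd


def analysis_run(vmx: str, sample_on_host: str, guest_user: str, guest_pass: str,
                 clean_snapshot: str = "clean", infected_snapshot: str = "infected",
                 guest_dir: str = "C:\\samples",
                 runner: Optional[Callable[[List[str]], object]] = None) -> List[List[str]]:
    """Execute the vmrun steps of one detonation via `runner` (default: subprocess)
    and return them in order, so the same sequence can be logged or dry-run."""
    runner = runner or (lambda cmd: subprocess.run(cmd, check=True))
    guest_sample = guest_dir + "\\" + sample_on_host.replace("\\", "/").rsplit("/", 1)[-1]
    creds = {"guest_user": guest_user, "guest_pass": guest_pass}
    steps = [
        # 1. Start from the known-good state captured before any infection.
        vmrun_cmd("revertToSnapshot", vmx, clean_snapshot),
        vmrun_cmd("start", vmx, "nogui"),
        # 2. Stage the sample in the guest; with host-only networking nothing leaves the lab.
        vmrun_cmd("copyFileFromHostToGuest", vmx, sample_on_host, guest_sample, **creds),
        # 3. Detonate. -noWait returns at once so live monitoring tools can be watched.
        vmrun_cmd("runProgramInGuest", vmx, "-noWait", guest_sample, **creds),
        # 4. Freeze the infected state; diff it against the clean snapshot later.
        vmrun_cmd("snapshot", vmx, infected_snapshot),
    ]
    for cmd in steps:
        runner(cmd)
    return steps
```

Passing a recording function as `runner` lets you review the exact command sequence before running it against a real VM.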
Secure Production Systems
When dealing with malware, you must take precautions so as not to infect the production network. Such infection and damage can occur if a vulnerability in the VMware installation is exploited or a malware sample is handled carelessly. Several vulnerabilities are already known in VMware that, in theory, allow malicious code to find a way from a virtual system to the physical host; interested readers can look up the relevant documentation.
To mitigate these risks, I suggest the following:
Keep up with VMware security patches: check the vendor's website regularly and download the latest patches.
If you use a physical host as part of a VMware-based testing environment, do not use it for any other purpose.
Do not connect a physical test system to the production network.
Use host-based intrusion detection software, such as a file integrity checker, to monitor the physical host.
Use cloning software such as Norton Ghost to re-image the physical host regularly. If this is too slow, consider a hardware module such as Core Restore to undo changes to the system state.
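The following Python, added here and not part of the original article, implements the baseline comparison behind two points on this page: observing what a sample changes in the guest's file system (the behaviour analysis from the introduction) and checking the physical host against a known-good baseline (the file integrity checker recommended above). The directory layout, file names and contents in the demo are constructed.

```python
"""Baseline-versus-current comparison, added as an example for this article.
snapshot_tree() hashes a directory tree; diff_snapshots() compares any two
path -> value mappings, so a registry export parsed into a dict works too."""
import hashlib
import os
import tempfile

def snapshot_tree(root: str) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # links and special files carry no content to baseline
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            state[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return state

def diff_snapshots(before: dict, after: dict) -> dict:
    """Return {'added', 'removed', 'modified'}; an all-empty result means the
    tree is unchanged, which is what a host integrity check wants to see."""
    return {
        "added": {p: v for p, v in after.items() if p not in before},
        "removed": {p: v for p, v in before.items() if p not in after},
        "modified": {p: (before[p], after[p]) for p in before
                     if p in after and before[p] != after[p]},
    }

def demo_detonation_diff() -> dict:
    """Constructed scenario: baseline a fake guest tree, simulate a sample, diff."""
    root = tempfile.mkdtemp(prefix="guest_")
    os.makedirs(os.path.join(root, "system32"))
    hosts = os.path.join(root, "system32", "hosts")
    tool = os.path.join(root, "taskmgr.exe")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    with open(tool, "wb") as f:
        f.write(b"MZ\x90\x00")
    before = snapshot_tree(root)
    with open(hosts, "a") as f:
        f.write("127.0.0.1 update.vendor.example\n")  # simulated tampering
    with open(os.path.join(root, "system32", "dropped.exe"), "wb") as f:
        f.write(b"MZ payload")  # simulated dropped file
    os.remove(tool)  # simulated removal of an analysis tool
    return diff_snapshots(before, snapshot_tree(root))
```

Take the baseline from the clean snapshot and the second snapshot after detonation; any entry in the result is something the sample touched.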
One challenge of using VMware for malware analysis is that malicious code may detect that it is running in a virtual system, which tells the malware it is being analyzed. If you cannot patch this check out of its code, you can reconfigure VMware so that it runs more covertly; see the documentation on this subject for the settings in the virtual machine's .vmx file. The biggest problem with these settings is that they may reduce the performance of the virtual system, and note that they are not supported by VMware.
Virtualization selection and policies
Of course, VMware is not the only virtualization software that can be used for malware analysis; common alternatives include Microsoft's Virtual PC and Parallels Workstation.
Virtualization software provides a convenient and time-saving way to build a malware analysis environment, but you must put the necessary controls in place to prevent malware from escaping your test environment. With a well-configured test environment, we can take full advantage of malware analysis techniques.