Curious to know exactly what makes a piece of ransomware or spyware tick? Basic malware analysis can be conducted by anyone who knows their way around a computer. All you need is a little ambition and a virtual machine. With a virtual machine, you can simulate an ideal environment to see how a malware sample interacts with everything from the file system to the registry. Malware testing can go a long way in protecting your network from the most dangerous of cyber threats.
The ability to simulate multiple OS instances on a single physical machine makes virtualization extremely useful in behavior-based analysis. Here are just three advantages that come to mind:
1. Easily creates ideal testing conditions: The flexible nature of virtualization is ideally suited for testing all sorts of applications, malware included. You can allocate all the virtual RAM, storage, and processing power the testing environment requires.
2. Supports cross-platform analysis: Malware analysis often takes place across multiple systems to give testers an idea how a specimen interacts with different OS platforms. Virtualization makes it possible to create a number of virtual systems as Windows, Mac OS X, and Linux guests. This eliminates the need for bulky physical machines.
3. Provides system protection: Last but certainly not least is the security component. By containing your testing activities inside a virtual machine, you can protect the rest of the system from harm.
Prepping for Malware Testing Your VM
You don’t have to be a dedicated security expert to get an analytical view of malware. A properly configured virtual machine will help you play cyber CSI by serving as your very own laboratory. Of course you need the right tools in the form of virtualization software and capable hardware. Luckily I’m ready to go with a copy of Oracle’s free hypervisor VirtualBox and a brand new laptop fine-tuned for scenarios just like this. Below I’ve outlined the process of setting up a virtual machine tailored for malware analysis:
Note: The process of creating a virtual machine is similar for most software. The exact setup process varies from one hypervisor to the next. These are general steps and don’t pertain to any one virtualization program.
- Create a new virtual machine.
- Choose an OS type. I hosted the test on Windows 10 so I opted use my favorite Linux distro Mint (Ubuntu) as the guest system.
- Allocate RAM. Most VM configurations recommend a minimum of 1024 MB. While optimal performance is essential for your testing environment, you don’t want to deprive the host system. I would allocate no more than half your total RAM to the VM.
- Create a virtual hard disk. We want our VM to come as close as possible to a physical machine. So we’ll create a virtual hard disk that gives the malware has access to a file system, files, folders, etc.
- Allocate storage. Most hypervisors allow you to allocate storage space dynamically or by a fixed value. If space on your box limited, or you’re planning to install a guest OS that demands more storage than average, you need to figure out how much you have to spare for your VM.
- Install the guest OS. Once our virtual machine is up, we want to get it running by installing the virtual operating system. All we’re doing here is following the standard installation and setup process. This may move a little slower for obvious reasons.
- Snapshot your VM. The snapshot feature in virtualization is similar to the Restore Point feature in Windows. This preserves the state of the guest OS to a specific point in time that can be restored on demand. Having a snapshot is very handy in a scenario such as this. For example, if the malware sample causes the environment to become unstable, you can instantly revert back to a clean VM and essentially start your analysis from scratch.
Professional backup software like ShadowProtect SPX can help you take an image of the VM and then manage, replicate and restore just as you would physical machine backups.
Protecting Your Host from Malware
There was a time when virtualization was viewed as a safer way to do IT. This theory is based on the fact that it separates the virtual system from the host physically installed on the underlying hardware. What those impressive abstraction capabilities really did was leave system administrators with a false sense of security. The infamous Venom bug found in Xen, KVM, and my dear VirtualBox proved that it was possible for malware to escape a virtual environment and sink its hooks into the host system. Patches have since been released, but the sheer revelation was a rude awakening to say the least.
Virtualization isolates the guest OS in its own cozy little box – meaning it can’t connect to the host file system unless you give it access. In the event that you need to swap files between both systems via a shared folder, you can give yourself a peace of mind by setting the permissions on that folder to read-only. Doing so will prevent the VM from making changes to the host. While the chances of malware sneaking out of a virtual environment are very unlikely, you never can be too careful. Simply tinkering with malicious code is risky business. Doubly so if IT security isn’t your specialty.
Where to Find Malware Samples
With your virtual machine handy, you’re ready to load up some malware and set your analysis plans into motion. This can be done in a couple of ways. You can start by downloading an obviously infected attachment from your inbox and clicking the executable file. Everyone has at least one suspicious email in their inbox. Or you can grab a sample from one of the many online repositories that offer live malware strains for testing and educational purposes. For example, theZoo is a section of GitHub that provides access to classic viruses and worms as well as backdoors and ransomware. In some cases, you can tweak the malware from the source code and change the behavior to get an idea how future strains might operate.
Malware analysis can be an insightful and exciting way to better understand the annoyances that pose such a serious threat to your IT security. Having said that, most of the repositories you visit for samples will likely greet you with a similar warning: malware is dangerous so if don’t know how to handle it, you probably shouldn’t be running it. Let those words simmer before throwing on your white hat and playing cybersecurity researcher.