VirtualBox: How to Setup your Malware Analysis

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

This documentation will provide you with a step-by-step guide to creating a virtual machine over VirtualBox. Though, we will not create a generic VM! This VM will provide you with a completely non-detectable environment for Malware Analysis.

As advanced malware nowadays is able to detect its environment (e.g. scanning for RAM, CPU cores, disk space, registry keys and even drivers) they are now able to stop their execution if they detect a virtualized environment. Therefore it is critical to setup your malware analysis VM correctly.

In order to render your VM undetectable, we have chosen two state-of-the-art tools on Github. One only supports Windows as its host OS and the other is relying on dependencies only available on Ubuntu. Though we will use Windows 7 on both as the VM's OS as it is the most popular for malware attacks.

How to read this documentation

As I wanted to keep everything neat and tidy, I opted to merge my screenshots into bigger screenshots. The screenshots are to be read from left to right and you will probably have to enlarge the picture in order to decipher all configuration options. In addition keep in mind, the pictures show all configurations that need to be tweaked. There will be some steps not documented, which means to keep the default configuration there.

Requirements

  • Host Operating System: Ubuntu 16/18.04 or Windows 7/10
  • Guest Operating System: Windows 7 Home Premium 64-Bit
  • Software: VirtualBox 6.0.14
  • Tools for VM-hardening: VBoxHardenedLoader (for Windows) and antivmdetection (for Ubuntu)
  • Tool to check hardened VM: Pafish
  • Tool to simulate network: FakeNet

The Tools

Before diving into the setup, here is a quick guide on what FakeNet and Pafish are and how to use them.

Pafish

Pafish is a vm detection tool. It performs checks on its environment to detect whether it is run in a virtual or supposedly real system. The checks include the following:

  • Generic checks
    • Time to get a response from CPU (read timestamp counter/rdtsc)
    • RAM size
    • Disk space
    • CPU core count
    • CPU virtualization bit
    • Mouse movement
  • Application-specific checks
    • VirtualBox registry key checks ("VBOX")
    • VirtualBox mac address
    • VirtualBox driver files
    • VirtualBox network share

Starting Pafish will automatically run all checks and immediately give you feedback on which tests failed (got detected) on your VM.

FakeNet

Unfortunately, Pafish does not scan for a working network connection. Nonetheless, this does not exclude advanced malware from scanning for it. In addition, in order to analyze sent packets by malware, you would need to extensively mimick a fake network. For this we have the simple approach of using FakeNet. It allows you to intercepts and analyze the packets (all traffic is stored as .pcap files). "Installing" the standalone executable is straight forward. You download it from FakeNet/Releases and run the program as administrator on your VM.

For our case, we did not need to configure anything different than default. But to tailor it to your needs simply copy the default-config file at "configs\default.ini" and start creating your own. When finished simply start FakeNet with "-c FILE" flag and you are good to go!

Sandboxing on Windows

Before we start, make sure you have downloaded the following:

  • Windows.iso
  • VirtualBox
  • VBoxHardenedLoader
  • Pafish (recommended)
  • FakeNet (recommended)

Regarding Pafish and FakeNet we recommend you to download them beforehand and make your own windows.iso that includes both. This will enable you to just drag and drop both from the virtual Windows installation CD on your VM, without the need to have a functioning Internet connection and download them.

Installing VirtualBox

VirtualBox Setup and Home Screen

The first step is to install VirtualBox. During the setup, we have to prevent it from installing the network drivers as they provide a weak point malware likes to scan for. After, finish the setup with the remaining configurations on default.

Basic VM setup

Having installed VirtualBox you should see the home screen with a button to create a new virtual machine and settings.

VM Basic Setup

As seen in the screenshots above (goes from left to right) we have assigned our VM the name 'win7' and chose the default path to save it. Next, we again chose the default options (VDI, because we will only use this disk with VirtualBox). The critical configuration here is the allocated disk and RAM size. Most advanced malware and our checking tool (Pafish) scans if your disk has less than 60GB and 2GB of RAM. So we advise you to set the disk to at least 64GB (recommended is +80GB) and RAM at least 2GB.

Advanced VM setup

VM Advanced Setup Part 1

After finishing the basic setup VirtualBox will have created your VM and is able to start it. However, before you do, we still have to configure some more options. Thus, go to 'Settings' (for your VM, in our case it is 'win7'). Here, make sure to have the Drag'n'drop and Clipboard sharing disabled. If one of them is active it means that you have VirtualBox Guest Additions installed. This leaves you with many more vulnerabilities that advanced malware can scan for then with benefits.

Next up, make sure you have IO/APIC enabled and at least 2 CPU cores configured. Disabling IO/APIC prevents you from choosing more than 1 CPU core as it is the layer that allows your VM to send interrupts to more than one core. Most other tutorials say to enable PAE/NX. Though there is no reason to enable this option if you are fully operating your guest on a 64-Bit operating system.

VM Advanced Setup Part 2

Also make sure to disable Paravirtualization, as this enables your VM to know of its presence and communicate with other VMs - we do no want that (more weak points). Further, disable any visual acceleration (e.g. 3D-acceleration). The last two screenshots in "VM Advanced Setup Part 2" show how your storage should be structured (1 disk and 1 DVD space, for the .iso). Finally, it is essential to cap any connectivity to your host system. Therefore change the default "NAT" setting in the "Network" section to internal.

Now your VM is ready to be hardened!

Harden the VM

Copy the Binary into C:\ and rename it. Next edit lines in hidevm_ahci

Before starting the VBoxHardenedLoader script we need to set it up on our host environment (we still have not started the VM yet!). First, go to the downloaded folder and copy the "Binary" folder into your C:\ directory or any other directory. In this tutorial, we copied it to C:\ and renamed the folder to "VBoxHardener". Next go to "C:\VBoxHardener\data\" and edit the hidevm_ahci file. Though be careful, if your guest VM does not use classic bios and uses EFI instead, make sure to pick the right script. Thus, here a short "what to choose, if" from the tool's developer:

  • hidevm_ahci is for VM with SATA/AHCI controller and classical BIOS
  • hidevm_ide is for VM with IDE controller and classical BIOS
  • hidevm_efiahci is for VM with SATA/AHCI controller and EFI
  • hidevm_efiide is for VM with IDE controller and EFI

After you know which script is for you, edit it with notepad and change the following two variables:

  • set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
  • set vmscfgdir=C:\VBoxHardener\data\

Notice the "\" at the end of "data"! Set the first variable to your VirtualBox path (where the vboxmanage program is located) and the second to your previous VBoxHardener\data\ path.

Now open cmd as administrator and start your script, in our case hidevm_ahci.cmd with the name of your VM:

C:\VBoxHardener\data>hidevm_ahci.cmd win7

This script will utilize now the vboxmanage function of VirtualBox to further configure your VM. It will set specifications like your BIOS Version/Name to more realistic names (removing the default VBOX names).

Next go one directory up and start the install.cmd:

C:\VBoxHardener\data>cd ..
C:\VBoxHardener>install.cmd

This will run two different scripts now. The first is tsugumi.sys, which unloads the default drivers of VirtualBox and reloads preconfigured drivers that do not have any "VBOX" or "VB" in their name. Next, the loader.exe is run which is a service that ensures all registry and table entries match the new driver during runtime. Thus, always make sure to shut down your VM if you simply put it to sleep, make sure you shutdown the loader.exe with:

 C:\VBoxHardener>loader.exe /s

This prevents it from getting stuck (if this happens, you need to reinstall all files related to the GitHub repository and your VM). Otherwise, you will keep on getting an error while trying to boot up your VM.

Finally, if you have completed all above steps you are now ready to start your VM and install Windows 7. After the installation boot up Pafish (either download it or you already have it in your .iso as we did). Pafish will now go through generic checks like RAM, disk size, CPU cores but also VirtualBox specific checks like Registry keys containing "VBOX". After running it you should have no more than 3 "traces":

  • The first two should be the classic timestamp counter (rdtsc), which needs to be fixed by VirtualBox
  • And getTickCount(), as our VM is fresh and it needs some runtime
This is how your Pafish result should look like


Sandboxing on Ubuntu

If you have a Ubuntu host OS and would like to start analyzing malware on your machine, you are at the right place! The tool we are going to use for hardening the VM on Ubuntu is a bit different than the one running on Windows host (it is better). Essentially, the tool (python script) creates two different scripts:

  • One to harden your VM's configuration (just like the Windows tool does too)
  • The other for to be run inside the VM

Now the great benefit of the second script is it automatically generates random files in the usual directories (e.g. \Documents, \Downloads) and mimicks a real host. The file names are taken from a computer.lst and user.lst file (which you have to create).

Enough of the theory, let's get to work!

Dependencies

Before you start running the script make sure to sudo apt install the following:

  • python3-pip
  • libcdio-utils
  • acpica-tools
  • mesa-utils

After installing all of the above, cd into the tool folder :

cd antivmdetection-master

And install the rest of the dependencies from the requirements file:

pip3 install -r requirements.txt

Then make sure to wget two more tools needed on the VM:


Harden the VM

Proceed only if you have successfully completed the steps above. Then create your "computer.lst" and "user.lst" files by echoing your names into it:

~/Documents/antivmdetection-master$ echo "some-computername" > computer.lst
~/Documents/antivmdetection-master$ echo "some-username" > user.lst

Echo as many different computer and usernames as you want. The script will create the random files depending on the names you have in those two files.

Sandboxing on Ubuntu: Storage structure

Next, make sure you create your VM with the same configuration as in the Windows guide above (Basic & Advanced VM setup). Again, here are the essential points to change:

  • No VirtualBox Guest Additions!
  • CPU: min. 2 cores and IO/APIC enabled
  • Paravirtualization disabled
  • RAM min. 2GB
  • HDD min. 60GB
  • GPU: disable 2D or 3D acceleration
  • NIC: make it to either internal or host-only, but never NAT or bridged!

In addition, change your storage structure to resemble the screenshot on the right, because the .py script expects it to be this way!

Before you start the VM, start the antivmdetection.py:

~/Documents/antivmdetection-master$ python3 antivmdetection.py

This creates now the two scripts:

  • <DmiSystemProduct>.sh (to be used on your host)
  • <DmiSystemProduct>.ps1 (to be used inside your windows VM)

Start the <DmiSystemProduct>.sh by first making it executable and then run it:

~/Documents/antivmdetection-master$ sudo chmod a+x <DmiSystemProduct>.sh
~/Documents/antivmdetection-master$ /bin/bash <DmiSystemProduct>.sh your-virtual-machine-name

If you have an ASUS mainboard you will most likely run into an error. Through the research on the Internet I found the following fix:

  • The errors result because of Integer values in
    • DmiBIOSVersion
    • DmiBoardAssetTag
    • DmiBoardLocInChass

Thus, editing these lines inside the .sh script and changing the Integer values to Strings resolves the issue.

Now your VM configuration should be hardened and you can start installing windows! Our recommendation is, again like in the Windows guide, create your own .iso with the following files inside it:

  • computer.lst and user.lst
  • <DmiSystemProduct>.ps1
  • Pafish
  • FakeNet

Otherwise, you will either have to create an Internet connection to download these or create your own ftp access to your ubuntu machine over windows.

After you have installed windows make sure to have the .ps1 script, computer.lst and user.lst inside the \Downloads directory. Then run the script through powershell:

C:\Users\<yourUsername>\Downloads> .\<DmiSystemProduct>.ps1

This will now take a while and prompt you to reboot in the end. After rebooting the VM make sure to run the .ps1 script again!

Finally, after completing all the above steps, you can run Pafish and you should see the same result as during the Windows guide.

References