VirtualBox: How to Setup your Malware Analysis

From Embedded Lab Vienna for IoT & Security
Revision as of 20:49, 5 December 2019 by Carseven (talk | contribs)

Summary

This documentation provides a step-by-step guide to creating a virtual machine in VirtualBox. However, we will not create a generic VM: this VM will provide you with a completely non-detectable environment for malware analysis.

As advanced malware nowadays is able to detect its environment (e.g. by scanning RAM size, CPU cores, disk space, registry keys and even drivers), it can stop its execution if it detects a virtualized environment. Therefore it is critical to set up your malware analysis VM correctly.

In order to render your VM undetectable, we have chosen two state-of-the-art tools on GitHub. One only supports Windows as its host OS and the other relies on dependencies only available on Ubuntu. In both cases we will use Windows 7 as the guest OS, as it is the most popular OS for malware attacks.

How to read this documentation

As I wanted to keep everything neat and tidy, I merged my screenshots into bigger composite images. The screenshots are to be read from left to right, and you will probably have to enlarge the picture in order to make out all configuration options. In addition, keep in mind that the pictures show all configurations that need to be tweaked. Steps that are not documented mean that the default configuration is kept there.

Requirements

  • Host Operating System: Ubuntu 16/18.04 or Windows 7/10
  • Guest Operating System: Windows 7 Home Premium 64-Bit
  • Software: VirtualBox 6.0.14
  • Tools for VM-hardening: VBoxHardenedLoader (for Windows) and antivmdetection (for Ubuntu)
  • Tool to check hardened VM: Pafish
  • Tool to simulate network: FakeNet

Sandboxing on Windows

Before we start, make sure you have downloaded the following:

  • Windows.iso
  • VirtualBox
  • VBoxHardenedLoader
  • Pafish (recommended)
  • FakeNet (recommended)

Regarding Pafish and FakeNet, we recommend downloading them beforehand and building your own windows.iso that includes both. This lets you drag and drop both from the virtual Windows installation CD onto your VM, without needing a working Internet connection in the VM to download them.

Installing VirtualBox

VirtualBox Setup and Home Screen

The first step is to install VirtualBox. During the setup, we have to prevent it from installing the network drivers, as they provide a weak point that malware likes to scan for. Afterwards, finish the setup with the remaining options on their defaults.

Basic VM setup

Having installed VirtualBox, you should see the home screen with buttons to create a new virtual machine and to open its settings.

VM Basic Setup

As seen in the screenshots above (read from left to right), we have assigned our VM the name 'win7' and chose the default path to save it. Next, we again chose the default options (VDI, because we will only use this disk with VirtualBox). The critical configuration here is the allocated disk and RAM size. Most advanced malware, and our checking tool (Pafish), check whether your disk has less than 60GB and whether you have less than 2GB of RAM. So we advise you to set the disk to at least 64GB (80GB or more is recommended) and the RAM to at least 2GB.

Advanced VM setup

VM Advanced Setup Part 1

After finishing the basic setup, VirtualBox will have created your VM and is able to start it. However, before you do, we still have to configure some more options. Thus, go to 'Settings' (for your VM; in our case it is 'win7'). Here, make sure Drag'n'Drop and Clipboard sharing are disabled. If one of them is active, it means that you have VirtualBox Guest Additions installed, which leaves you with many more weak points that advanced malware can scan for than benefits.

Next up, make sure you have IO APIC enabled and at least 2 CPU cores configured. Disabling IO APIC prevents you from choosing more than 1 CPU core, as it is the layer that allows your VM to deliver interrupts to more than one core. Most other tutorials say to enable PAE/NX. However, there is no reason to enable this option if your guest is a 64-bit operating system.

VM Advanced Setup Part 2

Also make sure to disable Paravirtualization, as this lets your VM know of its presence and communicate with other VMs; we do not want that (more weak points). Further, disable any visual acceleration (e.g. 3D acceleration). The last two screenshots in "VM Advanced Setup Part 2" show how your storage should be structured (1 disk and 1 DVD slot, for the .iso). Finally, it is essential to cut any connectivity to your host system. Therefore change the default "NAT" setting in the "Network" section to "Internal Network".

Now your VM is ready to be hardened!
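The GUI steps from "Basic VM setup" and "Advanced VM setup" expressed as VBoxManage commands, together with a check that reads a VM's settings back and reports any that would still give malware a detection hint. This is an added example, not part of the original wiki page; the VM name 'win7' is the page's, while the disk file name, the internal network name 'malnet' and the sample showvminfo output are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: the 'win7' settings from
# "Basic VM setup" and "Advanced VM setup" as VBoxManage commands, plus a check
# that reads a VM's settings back and reports any left at a value that gives
# malware a detection hint. Disk file name, network name and sample are assumptions.
VM=win7; NET=malnet
# Creates the VM with an 80 GB VDI disk (the page recommends 80 GB+) and the Windows ISO.
create_vm() {  # usage: create_vm /path/to/windows.iso
  VBoxManage createvm --name "$VM" --ostype Windows7_64 --register
  VBoxManage createmedium disk --filename "$VM.vdi" --size 81920
  VBoxManage storagectl "$VM" --name SATA --add sata
  VBoxManage storageattach "$VM" --storagectl SATA --port 0 --type hdd --medium "$VM.vdi"
  VBoxManage storageattach "$VM" --storagectl SATA --port 1 --type dvddrive --medium "$1"
}
# 2 GB RAM, 2 cores with IO APIC, no paravirtualization, no 3D acceleration,
# no clipboard/drag-and-drop (Guest Additions features), internal network only.
harden_vm() {
  VBoxManage modifyvm "$VM" --memory 2048 --cpus 2 --ioapic on \
    --paravirtprovider none --accelerate3d off \
    --clipboard disabled --draganddrop disabled --nic1 intnet --intnet1 "$NET"
}
# Reads one key from `showvminfo --machinereadable` output on stdin; strips quotes.
cfg_value() { sed -n "s/^$1=//p" | tr -d '"'; }
# Compares the settings above against showvminfo output on stdin. Prints one line
# per weak setting; returns 1 if any was found, 0 if the VM is fully hardened.
check_hardening() {
  info=$(cat); rc=0
  for want in memory:2048 cpus:2 ioapic:on paravirtprovider:none \
              accelerate3d:off clipboard:disabled draganddrop:disabled nic1:intnet; do
    key=${want%%:*}; exp=${want#*:}
    got=$(printf '%s\n' "$info" | cfg_value "$key")
    case $key in
      memory|cpus) [ "${got:-0}" -ge "$exp" ] && continue ;;  # minimums
      *)           [ "$got" = "$exp" ] && continue ;;         # exact value
    esac
    echo "WEAK: $key=${got:-unset} (want $exp)"; rc=1
  done
  return $rc
}
# Checks the live VM (run after create_vm and harden_vm).
check_vm() { VBoxManage showvminfo "$VM" --machinereadable | check_hardening; }
# Constructed sample (not a real capture) of a VM left at VirtualBox defaults.
DEFAULT_VMINFO='memory=1024
cpus=1
ioapic="off"
paravirtprovider="default"
accelerate3d="off"
clipboard="bidirectional"
draganddrop="bidirectional"
nic1="nat"'
```

Running `printf '%s\n' "$DEFAULT_VMINFO" | check_hardening` lists the seven settings a default VM leaves weak; `check_vm` does the same against the real 'win7' configuration once VirtualBox is installed.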

Starting VBoxHardenedLoader

Sandboxing on Ubuntu