Basic Malware Analysis can be done by anyone who knows how to use a computer. All you need is a little motivation, ambition, and a virtual machine to get things started. A virtual machine is used to simulate an ideal environment replica of the original environment to see how a malware sample interacts with everything from the file system to the registry. Malware testing can go a long way in protecting your network from the most dangerous of cyberattacks. The ability to simulate multiple instances of OS on the same machine and provide a real environment but in a much-protected manner makes virtualization an extremely powerful tool in behavior-based analysis. Here are some advantages of virtualization:
- Supports cross-platform analysis: Malware analysis often is conducted across a variety of systems to give tester an idea of how a specimen interacts with different OS platforms. Virtualization makes it possible to create several virtual systems such as Windows, Mac OS X, Linux, etc. This simply eliminates the need to buy and install bulky physical machines.
- Provides system protection: By conducting your testing activities inside a virtual machine, you can protect the rest of the system from being harmed.
- Easily creates ideal testing conditions: Virtualization is so flexible that it can be used to simulate an ideal testing environment for testing all sorts of applications. You can allocate all the virtual RAM storage and processing power that the testing environment requires.
In this article, we will cover the following topics:
- Prepping your VM for Malware Analysis
- Protecting Your Host from Malware
- How malware can differentiate between being run on real hardware vs being run inside a virtual machine?
- How some malware behave differently on real hardware compared to a virtual machine?
Let’s get started and discuss each of these topics in detail.
1. Prepping your VM for Malware Analysis
You don’t need to be a dedicated security expert to get started with the Malware analysis. All you need is a properly configured virtual machine that will help you play cyber CSI. The process of creating a virtual machine is similar for most of the Softwares. Here are some general steps that you can follow while setting up a virtual machine. Please note these don’t pertain to any single virtualization program.
- Create a virtual machine.
- Choose an OS type.
- Allocate RAM. Most virtual machine configurations recommend a minimum of 1024 MB.
- Create a virtual hard disk. We want to create a virtual machine that is as much similar to the physical machine as possible. So we will create a virtual hard disk that will allow malware access to files, folders, etc.
- Allocate storage. Most virtual machine monitor allows you to allocate storage space dynamically or by a fixed value.
- Install guest OS. Once the virtual machine is up, we need to install the virtual operating system to get the virtual machine running.
- Snapshot your VM. The Snapshot feature in the virtual machine is similar to the Restore Point feature in Windows. This feature allows preserving the state of the guest OS to a specific point in time that can be restored on demand.
2. Protecting Your Host from Malware
There was a time when virtual machines were considered a safer way to conduct malware analysis. As it protects the host physically installed on the underlying hardware as it is separated from the virtual system. The Venom bug found in Xen, my dear VirtualBox, and KVM proved that malware could escape a virtual environment. Here are some ways to protect your host:
- You need to swap files between both systems via a shared folder, you can set the permissions on that folder to read-only. This will prevent the VM from making changes to the host.
- Install an Anti-Virus Software.
- Majority of the Virus protection Softwares protect against spyware, Windows Defender should be used for additional protection on Windows machine.
- Keep your Operating system up-to-date.
- Limit Access to the Host (firewall off).
3. How malware can differentiate between being run on real hardware vs being run inside a virtual machine?
Virtual machines are designed to mimic the physical machine in all the aspects, whether it is RAM allocation or storage Allocation. The goal of virtual machine software is to provide a platform that can facilitate the execution of multiple operating systems concurrently, both efficiently and with an accepted level of isolation (as well as a required amount of sharing capabilities) rather than to provide an environment identical to bare-metal systems.
Some malware looks for specific differences that can be detected when they are on virtualized operating systems running inside virtual machine software. These differences are largely irrelevant but such differences do give malware the chance to determine if they are running inside a real or a virtual machine. Here are some differences between real machines and VMs malware typically look at to spot the difference.
- Most virtual machine software is much more convenient to work with when specific software known as guest additions from the virtual machine software suite is installed inside the VM. These guest additions are usually device drivers, services, system tray components, and so on. The presence of such guest additions is one of the easiest things for malware to do to detect a VM. They routinely conduct this practice to spot the difference.
- Communication from inside the VM to the host and vice versa, is done using things like shared memory or special instruction sequences, etc. Malware authors look at these components closely.
- Some malware look for signs of a system that is used by a normal user doing routine things as opposed to a clean system that is specifically designed and is used for a particular purpose, like malware analysis. Usually, malware analysis starts with a clean VM because of two reasons:
- Having a clean system does remove a lot of variabilities which makes the analysis process easier and more consistent.
- It is easy enough to get a clean VM going for each malware analysis session.
- It is highly unlikely for a malware analyst to keep using the VM instance he would use for analyzing a particular piece of malware for a period doing routine things like a typical end-user would do.
- Modern hardware can be quite complex, even the official device drivers these days don’t make use of all the features present in the actual hardware. In the case of emulated hardware inside Virtual Machines, the general approach is to emulate the hardware well enough to a point where operating system device drivers work fine with the emulated hardware. Emulated hardware will lack the features present in the real hardware that one can look for to spot if the hardware is real or emulated.
- It is an extremely difficult problem to eliminate or emulate around timing discrepancies. Even with the hardware-assisted virtualization technologies, some operations are much slower or behave differently inside a Virtual machine as opposed to Physical machine.
Malware authors detect such differences to make a judgment.
4. How some malware behave differently on real hardware compared to a virtual machine?
Some Malwares are very intelligent and nasty, after detecting that they are executing in a VM instead of a Physical machine with real hardware and real Softwares, they start to behave differently. In this section, we will discuss how some Malware behave differently in the VM as opposed to when running on real hardware.
- Refrain from injecting malicious code into system applications and processes: Malwares tend to inject malicious code into normal applications and processes in a system. For example:
- They may inject code which looks for private or proprietary data into the Windows Explorer process.
- They may inject a malicious “call home” code into major browser processes such as Internet Explorer, Firefox, or Chrome.
This type of code injection is meant to get around host-based security technologies that grant the ability to perform specific actions on the system only to a specific set of applications. It helps the malware to masquerades as the processes themselves and bypasses the limitations. When a malware is running inside a VM, it would refrain from injecting malicious code into system applications and processes as it normally would do to prevent analysts from catching it red-handed.
- Malware typically keeps its malicious code encrypted and/or highly obfuscated: When running inside a VM, the malware tries not to decrypt and expose its code so that an analyst is not able to examine it dynamically by looking at what the code does on the system or statically by disassembling and looking at the CPU instructions to see what it does.
- Contemporary malware tends not to connect to and not communicate with C&C servers and/or botnet infrastructure of the malware perpetrators: When running inside a real machine, the malware connects with the C&C servers and communicate with the C&C server and the botnet infrastructure. But in the case of VM, they avoid such connections and communications as the analyst can watch the network activity to detect, dissect, and analyze these communications.
Virtualization provides a convenient and time-saving mechanism for building a malware analysis environment. Be sure to establish the necessary controls and mechanisms to prevent malware from escaping your testing environment. With a fine-tuned lab, you will be well equipped towards making the most of your malware analysis skills.