How to build a malware analysis lab

Andrea
6 min read · Apr 23, 2021

A guide to build a safe environment for your test


So you want to start malware analysis, right?

Well, if you want to conduct your tests you need a safe place to run your samples.

In this story I will show you step by step how you can build a lab for your testing.

Let’s start!

Note: I’m not assuming any responsibility if your computer gets infected, or for any other action you take with the samples.

1) Install VirtualBox

When you conduct malware analysis you will never run malware on your main OS, so you need to install software that can virtualize an operating system, so that none of your sensitive data will be compromised.

I use VirtualBox, but you can use VMware if you want; here you can find the links to download them.

Downloads — Oracle VM VirtualBox

Download VMware Workstation Player | VMware | IT

Note: In this tutorial I will use VirtualBox but VMware is not so much different, so you shouldn’t have any problem.

2) Install the vulnerable OS

Now that you have installed your virtualization software you need to create a VM in which to run the malware and install all the tools that you need.

I will install a Windows 7 32 bit machine.

Note: You should install a 32-bit operating system because x64-based operating systems have a protection called driver signature enforcement that 32-bit operating systems don’t have. What is Windows driver signature enforcement? — Quora

Here is the link to download the ISO file.

Windows 7 Home Premium SP1 (32-Bit) : Microsoft : Free Download, Borrow, and Streaming : Internet Archive

Note: The download could be very slow so be patient.

Now open VirtualBox and click New.

Select Windows 7 (32-bit) and give a name to your VM.

Then select the amount of RAM that you want to give to it.

I suggest giving it 2500 MB of RAM.

For the next screens just leave the default settings.

Now choose the amount of disk space (the size of the virtual hard disk) that you want to give to the VM.

I suggest 40 GB of disk space.

Perfect! You have created your virtual machine.

When you start it for the first time it will ask you to choose the ISO file for the VM.

Then the machine should start, and you just have to install Windows as usual.

3) Network settings

Perfect! Windows is installed; now it’s time to configure the network settings for the machine.

This matters because if the malware can access your network it could infect the other systems on it.

When you want the machine to have an internet connection, select NAT.

If you don’t know what NAT is, this link can help you.

Note: Use NAT only when you need to, for example to install software or download files. When you run malware, NEVER use NAT.

At the end of this story I will give you all the links for the tools that you need to install, so before continuing install all of them.

We want our machine to be completely isolated from the host, so we need to select Host-only network.

Use this when you run malware.

Note: I suggest Host-only network because it also allows you to configure VMs to communicate with each other, but that will not be covered in this story.

4) Install a Linux VM

Windows has great tools, but Linux has them too, so why not use both?

I suggest installing REMnux, a Linux distribution with many reverse engineering tools that will help you when you analyse malware.

Lucky for us, we can download the OVA file of REMnux, so the installation will be very easy.

Note: An OVA file is an Open Virtualization Appliance that contains a compressed, “installable” version of a virtual machine. So we just import the machine. Easy, right?

Download REMnux

Get the Virtual Appliance — REMnux Documentation

After you have downloaded the OVA file go to VirtualBox.

At the top right, click File.

Then click Import.

After that you can choose the settings of the virtual machine as we have done before.

Perfect!

If you haven’t used Linux before, I found this amazing site with a lot of content.

UNIX / Linux Tutorial for Beginners: Learn Online in 7 days (guru99.com)

Note: The network settings are the same as for the Windows 7 VM.

5) Take a snapshot of your virtual machine

A great thing that we can do is take a snapshot of our VM.

But what is a snapshot exactly?

A snapshot is a function that saves your VM in its current state, so when you have finished your work you don’t have to leave your machine infected: you can revert the machine to the state it was in when the snapshot was taken.

The process is very simple: click the navbar menu, and you should see these 3 settings.

Click Snapshots.


Then click Create.

And give a name to your snapshot.


When you want to revert the machine to the old status click this button.
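The two rules from steps 3 and 5, never run a sample with NAT enabled and always snapshot the clean state first, are easy to forget when clicking through the GUI. This is an added example (not from the original post) of a small VBoxManage pre-run script that enforces both: it parses `VBoxManage showvminfo --machinereadable`, refuses to start the VM unless every enabled adapter is host-only, and takes a snapshot before starting. It assumes the VM is named "Win7-Malware" and the host-only interface is "vboxnet0" (both placeholders; on a Windows host the adapter has a different name).

```bash
#!/bin/sh
# lab_check.sh (added example, not from the original post).
# Pre-run check for the Windows 7 analysis VM described in the story.
# Assumptions: VM name "Win7-Malware", host-only interface "vboxnet0".
VM_NAME="${VM_NAME:-Win7-Malware}"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"

# Read `VBoxManage showvminfo --machinereadable` text on stdin and print
# the mode of every enabled adapter, one per line (e.g. "nat", "hostonly").
# Lines look like: nic1="nat"   nic2="none"   nic3="hostonly"
nic_modes() {
    awk -F'"' '/^nic[0-9]+="/ && $2 != "none" { print $2 }'
}

# Exit 0 only when every enabled adapter is host-only (a VM with no
# adapters at all is also considered isolated). Reads the same text on stdin.
check_isolated() {
    nic_modes | awk 'BEGIN { ok = 1 } $0 != "hostonly" { ok = 0 } END { exit (ok ? 0 : 1) }'
}

# Refuse to start the VM if any adapter is NAT/bridged, otherwise take a
# timestamped clean snapshot (step 5) and boot the machine.
safe_start() {
    if ! VBoxManage showvminfo "$VM_NAME" --machinereadable | check_isolated; then
        echo "refusing to start $VM_NAME: an adapter is not host-only (NAT?)" >&2
        echo "fix with: VBoxManage modifyvm \"$VM_NAME\" --nic1 hostonly --hostonlyadapter1 $HOSTONLY_IF" >&2
        return 1
    fi
    VBoxManage snapshot "$VM_NAME" take "clean-$(date +%Y%m%d-%H%M%S)" || return 1
    VBoxManage startvm "$VM_NAME"
}

# Opt in explicitly so the functions can be sourced and tested without VirtualBox.
if [ "${LAB_RUN:-0}" = 1 ]; then
    safe_start
fi
```

Run it as `LAB_RUN=1 ./lab_check.sh`; to go back to the clean state after a detonation, use `VBoxManage snapshot "Win7-Malware" restore <snapshot name>` (the same operation as the revert button in the GUI).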

Tools

PEStudio: A great tool to analyse executable files.

HxD: Hexadecimal editor.

Autoruns: This tool will help you identify backdoors that persist at startup.

BinText: Text extractor tool.

FakeNet: This tool simulates a fake network and intercepts the malware’s requests.

Malzilla: JavaScript malware analysis tool.

Procmon: This tool can be used to see what processes start when the malware is executed.

Wireshark: Network analysis tool.

Notepad++: Advanced text editor.

ProcDOT: One of the best tools in my opinion; this tool will create a graphical schema of the behaviour of a given file.

Process Hacker: A process monitor with more features.

HashMyFiles: File hash calculator.

OllyDbg: Debugger.

Regshot: This tool will help you see which Windows registry keys change during the execution of a file.

DriverView: Driver monitor tool.

Note: These are just the essential tools; there are many others that are very useful, but if you have just started your journey, learn how to use these first and then install the others.

Books

  • Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
  • Practical Malware Analysis
  • Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware
  • Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
  • The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
  • Windows Malware Analysis Essentials
  • The Rootkit Arsenal
  • Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
  • Practical Reverse Engineering
  • Reversing: Secrets of Reverse Engineering


Andrea

Infosec learner since I was 14. I love to share my knowledge with people. https://www.linkedin.com/in/andrea-lunghi