A good way to understand how malicious software works is to drop the malware into a controlled environment: a vulnerability or malware test lab that you can infect in order to observe and analyze how the malware behaves on a system, without putting your production systems at risk.
Although you can use old PCs and spare hardware to build a lab, the better and more flexible way is virtualization software, which lets one PC run multiple operating systems at the same time. Another advantage of virtualization is that you can instantly take snapshots of a machine's state and revert to them easily, which is exactly what you want when you infect a machine and then need to restore it to a pristine condition after the malware has been analyzed.
There are several options for virtualization software, the most popular are:
- VMware's Workstation/Player/vSphere Hypervisor (ESXi)
- Oracle's VirtualBox
- Microsoft's Hyper-V Server
If you are going to run your virtualized lab as a server (Type-1 bare-metal hypervisor), I suggest vSphere Hypervisor (ESXi). If you are going to run it on your PC alongside your desktop operating system (Type-2 hosted hypervisor), I suggest VirtualBox. In this tutorial I used VirtualBox to set up the lab.
The machine that hosts your hypervisor should have plenty of RAM, at least 4GB to 8GB, and plenty of hard drive space to store all of the VMs. The PC I used in this lab has the following specifications:
- Intel Xeon E5-1603 @ 2.80GHz
- 16GB RAM
- 1TB Hard Drive
Setup Virtualization Lab
Now that you have your virtualization software of choice installed and running on your host, you must set up the virtual machines for your lab. It's a good idea to have several VMs running many different versions of operating systems, such as Windows Server 2012, Server 2008, Windows 10, 8.1, 7 and maybe even XP. It also wouldn't hurt to have VMs with Linux distros or even OS X to test vulnerabilities on those operating systems. My lab for this tutorial consists of Windows 7, Windows 10, Server 2012 and Ubuntu.
Once you have the discs or .ISO files for your operating systems, refer to your virtualization software's manual for the specifics of installing a virtual machine. Below is an example of how I created a Windows 7 VM in VirtualBox.
1. Open VirtualBox and click New in the upper left corner. In the window that pops up, enter a name for your VM. I just named mine "Windows 7". Click Next.
2. Select the amount of memory to allocate to the VM. Windows 7 needs at least 1-2GB; I allocated 4GB to mine. Click Next.
3. For the hard disk, select "Create a virtual hard disk now". I selected VDI as the hard disk file type. VDI is VirtualBox's native disk format; VMDK is the format used by VMware and VHD is the format used by Microsoft, and you can create the disk in one of those formats instead if you want it to be usable with their virtualization software. After you click Next, it asks whether the virtual hard disk should grow dynamically or be a fixed size. Dynamically allocated means it only consumes space on your physical hard drive as the virtual disk fills up; fixed size means the whole amount is reserved on your physical hard drive up front. I selected dynamic. Lastly it asks where to store the virtual hard disk and how large it should be. I chose the default location and sized it at 25GB. Click Create. Your virtual machine is now created.
4. Now that the VM is created, you need it to boot into the OS installer so the OS can be installed on the VM's virtual hard disk. Right-click your newly created VM and select Settings. In the left pane of the window that pops up, select Storage. Under the controller, select "Empty", which has a disc icon; this is the VM's virtual optical drive. On the right side of the window, under Attributes, there is another disc icon; click it. If you have a physical disc with the operating system, insert it into your host machine and click "Host Drive". If you have an ISO file, click "Choose Virtual Optical Disk File". I have an ISO of Windows 7, so I selected the latter.
5. Now you can start your VM. A new window pops up; this is the console for your VM. The VM should boot into the OS installer automatically. Just install your OS like normal and once it is installed.
Isolate Lab Network from Production Network
It is a good idea to isolate your lab network to mitigate the risk of malicious software escaping into your production network. An easy way of doing this is to set up your virtual network as host-only. Host-only networking lets your guest VMs see and communicate with each other, and your host can see the guests too, but no other physical machine on your physical network can see the VMs. Keep in mind that host-only still gives the guests a network path to the host itself, so a sample that scans or attacks its local subnet will find your host; if the guests do not need to reach the host at all, VirtualBox's Internal Network mode connects the guests only to each other.
To setup Host-only networking in Virtualbox:
- Right-click your virtual machine, in my case the "Windows 7" VM, and click Settings.
- In the left pane, click "Network". On the "Adapter 1" tab, under "Attached to", select "Host-only Adapter".
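The same VM creation steps and the host-only network setting can be scripted with VBoxManage, the command-line tool that ships with VirtualBox, which makes the lab reproducible and lets you rebuild a VM in seconds. The following is an added example, not code from the original tutorial: it assumes a Linux host where the host-only interface is named vboxnet0 (on Windows hosts it is "VirtualBox Host-Only Ethernet Adapter"), and the helper names and the ISO/VDI paths are hypothetical. The isolation check refuses to run anything that attaches a NIC to bridged or NAT mode, which would give the guest a path to your real network.

```python
"""Provision an isolated VirtualBox analysis VM from the command line (added example)."""
import re
import shlex
import subprocess

_NIC_OPT = re.compile(r"^--nic\d+$")            # --nic1, --nic2 ...; does not match --nictype1
ISOLATED_MODES = {"hostonly", "intnet", "none"}  # modes with no path to the LAN or Internet


def vbox_commands(name, iso, disk, memory_mb=4096, disk_mb=25600,
                  ostype="Windows7_64", hostonly_if="vboxnet0"):
    """Return the VBoxManage argv lists equivalent to the GUI steps above (hypothetical helper)."""
    return [
        ["VBoxManage", "createvm", "--name", name, "--ostype", ostype, "--register"],
        ["VBoxManage", "modifyvm", name,
         "--memory", str(memory_mb), "--vram", "32",
         "--boot1", "dvd", "--boot2", "disk",
         # Host-only: guests and host see each other, the physical LAN does not.
         "--nic1", "hostonly", "--hostonlyadapter1", hostonly_if],
        # --variant Standard is the dynamically allocated disk; Fixed reserves all of it up front.
        ["VBoxManage", "createmedium", "disk", "--filename", str(disk),
         "--size", str(disk_mb), "--format", "VDI", "--variant", "Standard"],
        ["VBoxManage", "storagectl", name, "--name", "SATA", "--add", "sata",
         "--controller", "IntelAhci"],
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA",
         "--port", "0", "--device", "0", "--type", "hdd", "--medium", str(disk)],
        # The installer ISO goes in the virtual optical drive, like "Choose Virtual Optical Disk File".
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA",
         "--port", "1", "--device", "0", "--type", "dvddrive", "--medium", str(iso)],
    ]


def snapshot_commands(name, label="clean"):
    """Take a pristine snapshot once the OS and tools are installed; restore it after each sample."""
    return {
        "take": ["VBoxManage", "snapshot", name, "take", label,
                 "--description", "fresh install with analysis tools, no samples run"],
        "restore": ["VBoxManage", "snapshot", name, "restore", label],
    }


def check_isolation(commands):
    """Return (option, mode) pairs for every NIC attached to a mode that reaches the real network."""
    leaks = []
    for argv in commands:
        for i, tok in enumerate(argv[:-1]):
            if _NIC_OPT.match(tok) and argv[i + 1] not in ISOLATED_MODES:
                leaks.append((tok, argv[i + 1]))
    return leaks


def run(commands, dry_run=True):
    """Print each command; execute it only when dry_run is False and the isolation check passes."""
    leaks = check_isolation(commands)
    if leaks:
        raise ValueError(f"VM would be attached to the real network: {leaks}")
    for argv in commands:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Hypothetical paths; pass dry_run=False to actually provision the VM.
    cmds = vbox_commands("Windows 7", "/isos/win7.iso", "/vms/win7.vdi")
    run(cmds)
    run([snapshot_commands("Windows 7")["take"]])
```

Once the commands have run, start the VM with `VBoxManage startvm "Windows 7"`, install the OS and your tools, and only then take the "clean" snapshot; `snapshot_commands(...)["restore"]` then returns the VM to that state after every sample.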
For added protection you can also configure a firewall on the host to filter connections to and from the host-only interface. Also be sure to keep up with the latest patches for your hypervisor, since vulnerabilities that could allow malware to escape the VM and infect your host may be fixed in those patches.
Malware Analysis Tools
Before you start infecting your virtual lab with malware, it is a good idea to install some malware analysis and monitoring tools so you can observe how the malware affects the system. Install them in the VM before you take your clean snapshot, so every analysis run starts with the same toolset. Malware analysis tools fall into two categories: behavioral analysis (watching what the sample does to the file system, processes, registry and network) and code analysis (disassembling and debugging the sample itself).
- File System Monitoring: Process Monitor or ProcDOT
- Process Monitoring: Process Explorer or Process Hacker
- Network Monitoring: Wireshark or tcpdump or Microsoft Message Analyzer
- Registry Change Comparison: regshot or Registry Workshop
- Disassembler and debugger: OllyDbg or IDA Pro Freeware or WinDbg
- Memory dumper: Scylla and OllyDumpEx
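The comparison tools in the list all work the same way: snapshot the system state before the sample runs, snapshot it again afterwards, and diff the two. The following is an added example, not code from the original tutorial or from Regshot, that applies that idea to a directory tree; Regshot does it for the Windows registry, and the same approach carries over. It hashes file content rather than trusting timestamps, which malware can reset. The "infection" is constructed in a temporary directory purely to show the shape of the output; the paths and file names are hypothetical.

```python
"""Regshot-style before/after comparison over a directory tree (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to (size, sha256)."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            state[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def compare(before, after):
    """Classify every path as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def report(diff):
    """Render the diff the way a Regshot report reads: one section per change type."""
    lines = []
    for kind in ("added", "removed", "modified"):
        lines.append(f"{kind.upper()} ({len(diff[kind])})")
        lines.extend(f"  {p}" for p in diff[kind])
    return "\n".join(lines)


def demo():
    """Constructed scenario: a clean tree, a simulated infection, then the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Startup").mkdir()
        (root / "etc").mkdir()
        (root / "Startup" / "readme.txt").write_text("nothing to see\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        before = snapshot(root)

        # Simulated behaviour (constructed, not a real sample): persistence via the
        # Startup folder, hosts-file tampering, and deletion of an existing file.
        (root / "Startup" / "updater.exe").write_bytes(b"MZ" + b"\x00" * 64)
        with (root / "etc" / "hosts").open("a") as fh:
            fh.write("127.0.0.1 update.example-av.test\n")
        (root / "Startup" / "readme.txt").unlink()

        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    print(report(demo()))
```

In a real run you would point `snapshot()` at the directories malware commonly touches (user profile, Temp, the Startup folders, System32) once before detonation and once afterwards, and save both snapshots outside the VM so the sample cannot tamper with them.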
Lastly, there are several free online analysis services to which you can upload the malware and have it analyzed for you. Keep in mind that uploading a sample shares it with the service and potentially with other users, so think twice before uploading a sample from a targeted attack or one that embeds confidential data:
Now that you have your lab set up, you can begin dropping malware into it and analyzing its effects on the system.