Reverse Engineering (RE) malware requires a special lab to ensure your production environment doesn’t get infected. This can be accomplished by having dedicated computers on an air gapped network, or more commonly through the use of virtual machines (VMs). We will discuss how to set up a dedicated malware analysis lab using virtual machines and all free tools.
How Many VMs Do You Need
The first question is how many VMs are required to properly analyze malware. If you are solely doing static analysis, a single VM is all you need. But this is a rare situation. More commonly you will be performing a mixture of static and dynamic analysis.
For dynamic analysis, you need one environment to execute the malware with tools to observe all of the changes made to the host system and tools to simulate the Command and Control (C2) server. Both sets of tools can reside within a single VM, or on multiple VMs.
The easiest setup is to use 2 virtual machines: one Windows host to run the malware and observe all of the system changes made in real time, and one VM to act as the C2 server where you can observe all of the network communications.
Two machines are easiest for two reasons. First, it is best to have the minimum number of reverse engineering tools on the host where the malware is running. Some malware will have anti-sandbox protections and look for common files, processes, and other artifacts indicating the malware is on an analysis host. You will not be able to avoid putting any tools on the analysis machine, but you can minimize it. By having a second VM to act as the C2 server, you can place all of the networking and C2 simulator tools on the second machine where they cannot be found by the malware.
The second reason is there are pre-built VMs that can act as the C2 server which already include several useful tools. Using these pre-built VMs saves considerable time in building and configuring your analysis machines.
This guide will use the 2 VM solution.
Where To Get A Free Windows VM
Most malware is built for Windows, so you will need a Windows VM to dynamically execute the malware on. Luckily, we do not need to spend hundreds of dollars for a Windows license. Microsoft provides a number of Windows VM images so you can test different versions of Internet Explorer and Edge. We can download one of these VMs to use for our analysis lab directly from Microsoft.
Which VM To Choose
There are several VMs you can choose, ranging from Windows 7 to Windows 10. All of the VMs are 32-bit except for the Windows 10 VM, which is 64-bit. Normally Windows 7 would be a preferable choice to Windows 10 for a malware analysis machine, but not in this case. Some of the most important RE tools require a 64-bit OS and the only 64-bit VM Microsoft offers is Windows 10. For that reason, it is strongly recommended you download the Windows 10 machine.
VM Activation
The free Windows test VMs do come with a catch though. They will expire 90 days after you activate them. The power of a VM snapshot means this isn’t a problem for us. The VMs only activate by connecting to the internet. For optimal use, simply download and install the VM without enabling an external network connection. Download all of the RE tools onto your host machine and copy them into the VM. Once it’s configured the way you want it, take a snapshot. Having a snapshot prior to activating the VM means you can always revert your VM back to this snapshot, activate the VM, and then get a new 90 days of use. In essence, you have an unlimited license using this methodology.
Note that once you activate the VM, taking another snapshot will not allow you to roll back the clock. If you take a snapshot on day one of activation and then revert to the snapshot after 60 days, you will still only have 30 days left for the VM, not 89. As long as your VM snapshot is prior to activation, you will get a new 90-day period by reverting to the snapshot.
Microsoft puts the instructions for how to force the activation on the VM desktop. When you are ready to activate the VM, simply follow these steps.
- Add a network connection to the VM capable of accessing the Internet
- Open a command prompt as an administrator
- Run the command slmgr /ato from the command prompt
- Wait a few moments until you get a message saying the VM is activated
- If you want to see how much remaining time you have at any point, run slmgr /dlv from an elevated command prompt and review the “Time remaining” line
Now that the VM is activated, you will have 90 days of use from this point.
If you do not activate the VM at all, the VM will be perfectly usable but will shut down every 60 minutes.
Once you have activated the VM, remove the external network connection so that malware cannot escape outside of your lab environment.
Useful VM Configurations For Your Windows Machine
Now that you have a Windows VM, there are a few convenience settings you will want to apply.
- Minimize AntiVirus – you can turn AV off, but it will automatically come back on after each reboot. An easier option is to add “C:\” to the Exclusions list. This will prevent the AV program from scanning anything in the entire C:\ which effectively turns off the program.
- Turn off the Windows firewall
- Change the default password to something you will remember
  - If you are using VirtualBox, having an account password is necessary to use the File Manager process to transfer files between the guest and host VM. VirtualBox drag and drop seems fairly buggy and it’s also safer not to have drag and drop enabled in a VM where you will be running malware. Using the File Manager to transfer files between the guest and host is preferable because you can close the session down as soon as the files are transferred.
- Add a private IP address, default gateway, and DNS server
  - Configure both the default gateway and DNS server to be your second VM which will act as your C2 server
- In the user account control settings, change the setting to the lowest setting, “Never Notify”
- In the power and sleep settings, set the VM to never sleep
- Make sure the screen saver is turned off
- From the add / remove programs, remove OneDrive (this will prevent receiving annoying message prompts about not being able to connect to OneDrive)
- Disable the automatic Windows Update service (note: it has been reported this can get automatically turned back on after some time, but the details are unknown)
  - Open a command prompt as an administrator and run the following commands:
    - sc.exe config wuauserv start= disabled
    - sc.exe stop wuauserv
Free Reverse Engineering Tools To Install On Windows
Now that we have configured all of the basic OS settings, the next step is to download and install free reverse engineering tools. There are literally hundreds of tools to choose from. Many of the common tools are older tools which are not being developed anymore. Some are newer tools with constant updates. Reverse Engineering tools are often made open source by members of the RE community. As such, the tools don’t necessarily have an unlimited shelf life. For that reason, we will list the general category of tools you should install with one or two common options. You are encouraged to investigate different options to see what you like best.
- Disassembler
- Debugger
- .NET Disassembler / Debugger
- Scripting language
- Hex Editor
- Environmental Monitoring Tools
  - SysInternals Suite. Download the entire suite, but the most used options are
    - Procmon
    - Process Explorer
    - AutoRuns
    - Sigcheck
  - Process Hacker (a more powerful alternative to SysInternals Process Explorer)
  - Regshot
- PE Editor
  - PE-bear
    - While there are several available options, this is one of the few free tools that will parse both 32 and 64 bit files
- PE Identification Tools
- Resource Editor
- Miscellaneous Tools
- Networking Tools
  - N/A, these will all be installed on the 2nd virtual machine
Obtaining A C2 Server VM
The last, and easiest, step is to create our second VM which will act as the C2 server. This VM will have all of the networking tools installed. For this step, it is recommended to use a de facto standard VM called REMnux. It can be found here.
REMnux is a Linux VM created and maintained by Lenny Zeltser. It comes loaded with dozens of reverse engineering tools which can aid in analyzing malicious Office documents, obfuscated scripts, and more. For our purposes, there are a few main tools which make it ideal.
First is InetSim. This is a lightweight program which will emulate common services that a C2 server may implement, most notably HTTP / HTTPS. This service will respond with a fake response to any HTTP request that is sent to the REMnux machine. It is very useful for acting as a C2 server because it allows a beaconing malware to receive a legitimate response which may let the malware continue so that you can uncover additional Indicators of Compromise (IOC). Without the HTTP service, if the malware sends a network beacon to the C2 server and doesn’t receive a response, it may go into wait mode until it thinks the C2 server is back online. As a malware reverse engineer, you want to exercise as much of the malware’s capabilities as possible.
The next tool is a tiny script, slightly modified, called fakedns.py. This script will respond to any DNS request with the IP of the REMnux machine. That allows all of the malware’s requests to be routed directly to the REMnux machine and be handled by InetSim. InetSim also contains a fake DNS service. We choose to use fakedns instead though so that we can run our DNS service independently of our HTTP service. We always want the DNS service to be running. There isn’t any real situation where you would turn this off. But there are situations where you may not want the HTTP service to be running. By using two different applications, each service can be independently turned on and off with ease.
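To make the DNS catch-all concrete, here is a minimal responder written for this guide as an added example; it is not the fakedns.py script shipped with REMnux. The address 10.0.0.2 and the sample query are constructed, and the function names are hypothetical.

```python
import socket
import struct

LAB_IP = "10.0.0.2"  # assumption: constructed address of the REMnux VM
# Constructed sample: A query for update.example.test, ID 0x1234, RD set
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x06update\x07example\x04test\x00\x00\x01\x00\x01")

def parse_question(packet):
    """Return (qname, qtype, end_offset) of the first question, or None if malformed."""
    if len(packet) < 12 or packet[4:6] == b"\x00\x00":
        return None
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):  # pointer or overrun
            return None
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(packet):  # need root label + QTYPE + QCLASS
        return None
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype, pos + 5

def build_response(packet, ip=LAB_IP):
    """Answer any A query with `ip`; other types get an empty NOERROR reply."""
    parsed = parse_question(packet)
    if parsed is None:
        return None
    _, qtype, end = parsed
    answer = b""
    if qtype == 1:  # A record; 0xC00C points back at the name in the question
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    header = packet[:2] + struct.pack("!HHHHH", 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + packet[12:end] + answer

def serve(bind_ip="0.0.0.0", port=53):
    """Log each lookup and answer it. Binding to port 53 requires root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, client = sock.recvfrom(512)
        reply = build_response(data)
        if reply:
            print(client[0], parse_question(data)[0])
            sock.sendto(reply, client)

if __name__ == "__main__":
    serve()
```

Every hostname the sample looks up is printed before it is answered, so the console output doubles as a list of candidate domain IOCs.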
After that we need a network monitoring tool. Wireshark is the most common network monitoring tool and will let you see, and save, all of the network traffic. This is invaluable for creating network signatures such as SNORT signatures.
The next helpful tools we commonly use are Python and PyCryptoDome. For more complicated analysis, the fake HTTP server of InetSim probably isn’t enough. For a deeper understanding, you will need to build a custom C2 server. This is most easily done in Python. The network protocol used with the C2 server often includes some type of cryptographic routines. That’s where having PyCryptoDome already installed along with Python is ideal. You can access dozens of cryptographic algorithms such as RSA, AES, RC4, etc. without needing to install any additional modules.
REMnux has both Python 2.x and 3.x versions installed by default. You can access Python 2.x by using the python command, or Python 3.x by using the python3 command. Python 2 is at end of life and it is recommended to use the Python 3 version. If you need a more current version of Python, you can always manually install the latest version of Python and PyCryptoDome. Fortunately, simulating C2 servers is relatively simple programming and the default Python 3 version is adequate for most situations.
The last useful application we use is openssl. This is used more infrequently, but can be very handy if you need to generate fake certificates or RSA keys, etc.
All of the tools mentioned are in the default path of REMnux. You don’t need to remember the file location or figure out where they are stored in the program folder. All you need to do is open a shell prompt and type out the name to start the application, e.g. inetsim, fakedns, wireshark, python3 etc.
Conclusion
If you’ve followed the steps up to now, you have two VMs installed and networked together. The Windows host has the bulk of your reverse engineering tools installed and is where you will run your malware. The second is a Linux VM, which will act as your DNS server, default gateway, and C2 server. With your environment configured the way you want it, take a snapshot to make sure you can revert back to this clean state at the start of your analysis for each piece of malware.
All you have to do now is to start analyzing malicious files.