Malware Analysis Series 0x3
Hello You.
Today I’m going to talk about malware analysis in virtual machines, and how we can execute malware in a safe environment without affecting our host machine (hopefully).
Fresh malware can be full of surprises, that’s why before any dynamic analysis we must set up a safe environment.
Some malware analysts use a physical machine to analyse malware and put it in something called an air-gapped network, which is an isolated network whose machines are also disconnected from the internet or any other networks to prevent the malware from spreading.
But there are some disadvantages of this technique, which are:
- You won’t have access to the internet, and some malware needs access to the C2 server or another server to get updates.
- It is difficult to remove the malware, but some malware analysts use Norton Ghost to manage backup images of their OS.
The main advantage of running the malware on a physical machine is that the malware may execute differently on a virtual machine; that’s because some malware has the capability to detect whether it is run on a virtual machine or on a normal one. (malware authors are getting smarter and smarter)
Virtual machine
We are not going to use this approach; we’ll use a virtual machine. Let me explain how it works: you have your main computer, which is called the host machine, and then you have a virtual machine inside it. This virtual machine has its own operating system, which we call the guest OS.
If the malware damages the guest OS we can simply restore the VM to a clean state using something called snapshotting, which allows us to go back in time and revert to the clean state.
I wish we could do this in real life; I would have said something else to her. However, it is a super interesting feature that exists in most tools that allow us to create a virtual machine, like VMware, VirtualBox, etc.
Note: obviously we will use a Windows OS. The author talked about Windows XP, which is weird, but he explained that it is the most popular OS and the target for most malware :p
Networking in the VM
Regarding the network setup for the VM, we have multiple options like using host-only networking or NAT, or attaching it to nothing if we want the VM not to be connected to the Internet while analyzing the malware.
For example, in VirtualBox we can go to our malware analysis VM and, from Network > Attached to, choose the network adapter we want.
So what are the differences between host-only networking, NAT, bridging, and not attaching it to anything?
- Host-only networking creates a separate private LAN between the host OS and the guest OS, and it’s commonly used for malware analysis.
- NAT makes the host OS act as a router and translates all requests from the VM so that they appear to come from the host's IP address.
- A bridged network adapter allows the virtual machine to be connected to the same network interface as the physical machine.
- Having no adapter, or attaching it to nothing, means there will be no network connection to anything, which you may need sometimes.
Snapshot
Let’s talk more about snapshotting and how we will make use of it. You are going to create a snapshot of your virtual machine whatever software you are using, but in VirtualBox we do it this way: by clicking on Take you will take a snapshot, as simple as that. But make sure that you have installed the necessary tools and done the proper configuration; in the future we will download new tools and will have to take another snapshot for that, and you may delete the previous snapshot if you wish.
Now let’s say you took the snapshot at 8:00; shortly after that, you run the malware sample, and at 10:00 you revert to the snapshot. The OS, software, and other applications will return to the same state they were in at 8:00, and everything that happened between 8:00 and 10:00 is erased as if it never happened.
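The same setup can be scripted instead of clicked through. The following is an added example written for this post (it is not the post's own code and not VirtualBox's), driving the network mode choice and the 8:00 snapshot / 10:00 revert cycle through VirtualBox's VBoxManage command line from Python. It assumes VBoxManage is on PATH, that a VM named malware-analysis exists and that the host-only adapter is called vboxnet0; those three names are made up for the example. The run parameter lets you record the commands instead of executing them, which is also how it can be checked without VirtualBox installed.

```python
"""Added example: the post's VirtualBox workflow (NIC mode, clean snapshot,
revert after running the sample) driven through VBoxManage.
Assumptions (all made up): VM name "malware-analysis", host-only adapter
"vboxnet0", snapshot name "clean-tools-installed". VBoxManage must be on PATH."""
import subprocess
from typing import Callable, List, Optional

ANALYSIS_VM = "malware-analysis"        # assumption: your VM's name in VirtualBox
HOST_ONLY_ADAPTER = "vboxnet0"          # assumption: name of the host-only adapter
CLEAN_SNAPSHOT = "clean-tools-installed"  # assumption: snapshot taken after tools are installed

Command = List[str]
Runner = Callable[[Command], object]

# VBoxManage's names for the "Attached to" choices in the VirtualBox GUI.
NIC_MODES = {
    "hostonly": "hostonly",    # private LAN between host and guest (the usual choice)
    "nat": "nat",              # host translates guest traffic to its own IP
    "bridged": "bridged",      # guest sits on the same network as the physical machine
    "not-attached": "null",    # adapter present but the cable is unplugged
    "no-adapter": "none",      # no adapter at all
}


def nic_command(vm: str, mode: str, nic: int = 1, adapter: str = HOST_ONLY_ADAPTER,
                bridge_iface: Optional[str] = None) -> Command:
    """Build `VBoxManage modifyvm` for one NIC. modifyvm only works while the VM is powered off."""
    if mode not in NIC_MODES:
        raise ValueError(f"unknown network mode {mode!r}; choose one of {sorted(NIC_MODES)}")
    cmd = ["VBoxManage", "modifyvm", vm, f"--nic{nic}", NIC_MODES[mode]]
    if mode == "hostonly":
        cmd += [f"--hostonlyadapter{nic}", adapter]
    elif mode == "bridged":
        if not bridge_iface:
            raise ValueError("bridged mode needs the host interface name (e.g. eth0)")
        cmd += [f"--bridgeadapter{nic}", bridge_iface]
    return cmd


def snapshot_command(vm: str, action: str, name: str) -> Command:
    """`VBoxManage snapshot <vm> take|restore|delete <name>`; restore needs the VM powered off."""
    if action not in {"take", "restore", "delete"}:
        raise ValueError(f"unsupported snapshot action {action!r}")
    return ["VBoxManage", "snapshot", vm, action, name]


def prepare_clean_state(vm: str = ANALYSIS_VM, mode: str = "hostonly",
                        snapshot: str = CLEAN_SNAPSHOT,
                        run: Runner = subprocess.check_call) -> List[Command]:
    """8:00 in the post: tools installed, NIC put in the chosen mode, clean snapshot taken."""
    cmds = [nic_command(vm, mode), snapshot_command(vm, "take", snapshot)]
    for cmd in cmds:
        run(cmd)
    return cmds


def revert_after_detonation(vm: str = ANALYSIS_VM, snapshot: str = CLEAN_SNAPSHOT,
                            run: Runner = subprocess.check_call) -> List[Command]:
    """10:00 in the post: power the guest off and roll back; everything since 8:00 is discarded."""
    cmds = [["VBoxManage", "controlvm", vm, "poweroff"],
            snapshot_command(vm, "restore", snapshot)]
    for cmd in cmds:
        run(cmd)
    return cmds


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    for c in prepare_clean_state(run=lambda cmd: None) + revert_after_detonation(run=lambda cmd: None):
        print(" ".join(c))
```

Run it with the default run argument (subprocess.check_call) to actually apply the changes; the power-off step will fail if the guest is already off, which is harmless since the restore is what matters.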
Transferring files from a VM
There is a drag-and-drop feature in both VMware and VirtualBox.
I set the shared clipboard and drag'n'drop to bidirectional.
If you aren’t isolating the machine you can use Python's http.server by doing this:
python -m http.server
Doing so will open port 8000 on the machine, and you can access the directory from which you executed this command from your own machine.
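One thing to keep in mind with the bare command above is that it listens on every interface of the machine and serves the whole current directory. Below is an added example, written for this post (not the post's own code), of the same http.server module used a little more carefully for moving a sample into the VM over the host-only network: it refuses to bind to anything but a loopback or private address, serves a single directory read-only, logs which guest fetched what, and hashes the file so you can confirm the copy in the guest is intact. It assumes the host's address on the host-only adapter is 192.168.56.1 (VirtualBox's usual vboxnet0 range); the sample file it writes is constructed and is not an executable.

```python
"""Added example: a tighter replacement for `python -m http.server` when
transferring a sample into the analysis VM. Assumption: 192.168.56.1 is
the host side of the host-only adapter. The sample bytes are constructed."""
import functools
import hashlib
import ipaddress
import os
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

HOST_ONLY_ADDRESS = "192.168.56.1"   # assumption: host's IP on vboxnet0


def is_safe_bind_address(addr: str) -> bool:
    """Allow loopback or a private range (host-only/NAT side) only; never the
    wildcard 0.0.0.0 that `python -m http.server` binds to by default."""
    ip = ipaddress.ip_address(addr)
    return not ip.is_unspecified and (ip.is_loopback or ip.is_private)


def sha256_file(path: str) -> str:
    """Hash the file on disk so the copy inside the guest can be verified."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ReadOnlyHandler(SimpleHTTPRequestHandler):
    """GET/HEAD from one directory only; anything the guest tries to push back is refused."""

    def do_POST(self):
        self.send_error(405, "transfer server is read-only")

    do_PUT = do_DELETE = do_POST

    def log_message(self, fmt, *args):
        # Record which guest fetched what; handy when the sample later starts talking.
        print(f"[transfer] {self.client_address[0]} {fmt % args}")


def start_transfer_server(directory: str, bind: str = HOST_ONLY_ADDRESS, port: int = 8000):
    """Serve `directory` in a background thread and return the server object."""
    if not is_safe_bind_address(bind):
        raise ValueError(f"refusing to bind the transfer server to {bind}")
    handler = functools.partial(ReadOnlyHandler, directory=directory)
    server = ThreadingHTTPServer((bind, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo_roundtrip() -> dict:
    """Self-contained check on loopback: serve a constructed sample, fetch it,
    compare hashes, and confirm an upload attempt is rejected."""
    with tempfile.TemporaryDirectory() as share:
        sample = os.path.join(share, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real executable")
        server = start_transfer_server(share, bind="127.0.0.1", port=0)  # port 0: pick a free one
        try:
            host, port = server.server_address[:2]
            url = f"http://{host}:{port}/sample.bin"
            with urllib.request.urlopen(url, timeout=5) as resp:
                body = resp.read()
            try:
                urllib.request.urlopen(urllib.request.Request(url, data=b"x", method="POST"), timeout=5)
                push_refused = False
            except urllib.error.HTTPError as err:
                push_refused = err.code == 405
        finally:
            server.shutdown()
            server.server_close()
        return {
            "hash_match": hashlib.sha256(body).hexdigest() == sha256_file(sample),
            "push_refused": push_refused,
        }


if __name__ == "__main__":
    print(demo_roundtrip())
```

For real use, call start_transfer_server("/path/to/samples") on the host and fetch from the guest with its browser or any HTTP client at http://192.168.56.1:8000/; compare the hash printed by sha256_file on the host against the guest's own hash of the downloaded file before you detonate it.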
The risk of using VM for malware analysis
As I said before, some malware can detect when it is running within a virtual machine, and many techniques have been published to detect such a situation. And like all software, VMware and VirtualBox occasionally have vulnerabilities that can be exploited. So you should avoid performing malware analysis on any critical or sensitive machine.
And yeah that’s it for today thanks for reading :3