Using VMware for malware analysis

Advantage of malware analysis with VMware
VMware allows for the simulation of multiple computers running simultaneously on a single physical system. There are several advantages to this approach for behavioral malware analysis, compared to a lab built using distinct physical infrastructure components:

• It's often beneficial to have several systems in the analysis lab, so that the malware can interact with components of the simulated Internet. With VMware, it's possible to build a multi-component laboratory without the hulk of multiple physical boxes.
• Being able to take a snapshot of the system's state before infecting it and taking periodic snapshots throughout the analysis saves time. This functionality provides an easy means of reverting to the desired system state almost instantaneously. VMware makes this simple with its integrated snapshot feature. VMware Workstation, a commercial product, allows multiple snapshots. VMware Server, which is a free product, supports only a single snapshot. VMware Player, also free, cannot take snapshots at all.
• VMware's host-only networking option is convenient for interconnecting virtual systems using a simulated network without additional hardware. This setup also makes it less likely that an analyst would be tempted to connect the laboratory environment to the production network. The host-only network allows any virtual system to see all traffic on the simulated network when listening in promiscuous mode. This makes monitoring the specimen's network interactions easy.

Getting started with VMware malware analysis
Preparing a VMware-based analysis laboratory is simple. You need a system with plenty of RAM and disk space that will act as the physical host. You also need the necessary software: VMware Workstation or Server, and the installation media for the OS you'll deploy in the lab.

Lenny Zeltser answers your questions Join us on Wednesday, May 30th at 12:00 ET, as Lenny Zeltser explains what else needs to be in your malware analysis toolkit. Pre-register for his live webcast now.

VMware emulates the computer's hardware, so you must install the OS into each virtual host created using VMware's new Virtual Machine Wizard. Once the OS is set up, install the VMware Tools package, which optimizes the system for operating within VMware. Then install the appropriate malware analysis software.

I recommend having virtual machines with different operating systems in the lab, each representing the OS that malware is likely to target. This enables observation of malicious programs in their native environments. If using VMware Workstation, take snapshots of the virtual system at different points during the security update installation process to analyze malware at the desired patch level.

Keeping production systems safe
When dealing with malware, take precautions not to infect production systems. Such breaches can happen when handling malware improperly or when a specimen exploits a weakness in the VMware setup and escapes its sandbox. There have been several publicly announced vulnerabilities in VMware that, in theory, could allow malicious code from the virtual system to find its way onto the physical host (pdf).

Here are some suggestions for mitigating these risks:

• Keep up with security patches from VMware.
• Dedicate the physical host to the VMware-based lab; don't use the system for other purposes.
• Do not connect the physical laboratory system to your production network.
• Monitor the physical host with host-based intrusion detection (IDS) software, such as a file-integrity checker.
• Periodically re-image the physical host using cloning software, such as Norton Ghost. If this option is too slow, look to hardware modules, such as Core Restore, for undoing changes to the system's state.

For more information on VMware Ed Skoudis examines how well VMware defends against malware. Mike Rothman reviews today's virtualization security challenges.

One of the challenges of using VMware for malware analysis is that malicious code can detect whether it is running within a virtual system, which indicates to the specimen that it is being analyzed. If you cannot modify the specimen's code to eliminate this functionality, you can reconfigure VMware to make it stealthier. Tom Liston and Ed Skoudis last year documented several VMware .vmx file settings you can insert to accomplish this. The biggest problem with these settings is that they may slow down the virtual system's performance. Also note that they're not supported by VMware.

Virtualization options and strategy
Of course, VMware is not the only option for virtualization software you can use for malware analysis. Common alternatives include Microsoft Virtual PC and Parallels Workstation.

Virtualization software provides a convenient and time-saving mechanism for building a malware analysis environment. Just be sure to establish the necessary controls to prevent malicious software from escaping your testing environment. With a fine-tuned lab, you will be well on your way toward making the most of your malware analysis skills.

About the author:
Lenny Zeltser is the information security practice leader at Gemini Systems LLC, a New York-based IT consulting firm. He is also an instructor at SANS Institute, where he teaches a course on reverse-engineering malware.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Application and Platform Security,   Virtualization Security Issues and Threats,   Malware, Viruses, Trojans and Spyware,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Preventing SQL injection attacks: A network admin's perspective Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network access control technology: Over-hyped or underused? Screencast: Smoothwall offers firewall defense in lean times Screencast: Samurai offers pen-testing nirvana Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.