2. Preparing the Lab
Malware Analysis
Need for a Safe Lab Environment
• An isolated environment helps prevent infection of other systems
• The malware under analysis can have unpredictable behavior
• Required for both static and dynamic analysis
• Two typical lab environments:
  • Physical machines on an airgapped network
  • Virtual machines
Using Physical Machines
• Advantages
  • Run on the actual systems the malware was designed to execute on
    • This can limit anti-analysis behavior
  • Isolate physical machines by using airgapped networks
    • Machines are isolated from the internet and from other computers that are connected to networks
    • Avoids malware’s use of anti-analysis techniques
• Disadvantages
  • Once a system is infected, it can be difficult and/or time consuming to remove the infection
  • Requires more hardware and a dedicated network setup
Using Virtualization
• Virtual machines (VMs) allow a host operating system (OS) to run multiple instances of a guest OS
  • This can be thought of as a computer running within another computer
• Virtual machines can be isolated from the host OS
  • This allows for safe and convenient malware analysis
  • However, there have been instances where guest-to-host vulnerabilities exist
Virtual Machines
• Advantages
  • Allow for the creation and usage of multiple OSes within a single host
  • Ability to create snapshots of the guest OS – this allows for rapid restoration of a previous state
• Disadvantages
  • Misconfiguration can allow malware to infect the host or other systems on the network
  • Taxing on hardware; requires adequate host system performance
  • Vulnerabilities have been known that allow for guest-to-host escape
Virtualization Software
• VirtualBox
  • Maintained by Oracle
  • Released under GPL version 2 – there is no license cost
  • Provides the ability to snapshot VMs
  • Available at: www.virtualbox.org/wiki/Downloads
Virtualization Software
• VMWare
  • Offers multiple products
  • Workstation Player
    • Free for non-commercial use
    • There are limitations – such as the inability to create snapshots
  • Workstation Pro
    • Supports *nix and Windows
    • Requires a license
  • Fusion
    • Available for Mac OS X – requires a license
Networking a VM
• Several networking options are available to a VM
• They typically consist of the following:
  • Network adapter is not connected
  • NAT
  • Bridged
  • Host-only
Networking a VM – Configuration Options
• Host-only
  • Private LAN between the guest and host OS
  • Allows malware some networking capability but doesn’t allow access to other systems on the host OS’s network or the internet
  • Virtual network adapters are created between the host and guest; the physical network is not utilized
Networking a VM – Configuration Options
• NAT
  • A virtual DHCP server is created and assigns IP addresses on a private network
  • The VM is allowed network access through the host OS – both systems share a single identity outside the private LAN
• Bridged
  • Connects the VM directly to the network using the host network adapter
Snapshots
• Provide a convenient way to save the state of a virtual machine
• Ideal setup is to install the OS, configure all tools and the network – then take a snapshot
  • This becomes your baseline, clean snapshot
• Next, execute the malware you want to analyze
• Roll back to the clean-state snapshot when done and you’re ready to repeat
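The networking choice and the snapshot workflow from the slides above, as an added example script that is not part of the original presentation: it reads `VBoxManage showvminfo --machinereadable` output and refuses to start a run unless every adapter is "none" or "hostonly" (no NAT, no bridged), then restores the clean baseline. It assumes VBoxManage is on PATH and that the host-only interface is named vboxnet0 (Linux/macOS naming); the VM and snapshot names are placeholders chosen for this example.

```shell
# Added example: isolation check plus baseline-snapshot cycle for a
# VirtualBox analysis VM. VM name, snapshot name "clean-baseline" and the
# host-only adapter "vboxnet0" are assumptions for this example.

# check_isolation TEXT: return 0 if every nicN= line in the showvminfo
# --machinereadable text is "none" or "hostonly"; otherwise print the
# offending adapters to stderr and return 1.
check_isolation() {
    bad=$(printf '%s\n' "$1" \
        | grep -E '^nic[0-9]+="' \
        | grep -Ev '="(none|hostonly)"$' || true)
    if [ -n "$bad" ]; then
        printf 'VM is NOT isolated:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Take the clean baseline once: OS installed, tools configured, NIC host-only.
take_baseline() {
    VBoxManage modifyvm "$1" --nic1 hostonly --hostonlyadapter1 vboxnet0
    VBoxManage snapshot "$1" take clean-baseline \
        --description "OS + analysis tools, host-only network"
}

# Per-sample cycle: live isolation check, roll back to the baseline, boot the
# VM for the analyst; rerun this for the next sample.
analysis_cycle() {
    check_isolation "$(VBoxManage showvminfo "$1" --machinereadable)" || return 1
    VBoxManage snapshot "$1" restore clean-baseline || return 1
    VBoxManage startvm "$1" --type gui
}

# Constructed showvminfo --machinereadable excerpts for an offline dry run.
SAMPLE_ISOLATED='name="win10-analysis"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"'

SAMPLE_LEAKY='name="win10-analysis"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"'
```

Run `check_isolation "$SAMPLE_LEAKY"` to see the bridged and NAT adapters reported; `analysis_cycle win10-analysis` performs the same check against the real VM before restoring the snapshot.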