Building Ultimate Anonymous Malware Analysis and Reverse Engineering Machine
In this article, I'll show you my malware analysis environment and setup. I have to say that all software and configurations described in this article are totally my personal preference: this is my configuration and I like it, but please don't hesitate to share your ideas. I'll start from the very beginning: OS installation. For malware analysis the guest OS may vary, since some malware only works on a certain OS, so it's better to have several of them. Personally, I have XP SP3 with all updates that were available and Windows 7 x64.
Also, definitely no one would like to do malware analysis on their main OS, so I personally use Debian as my main OS. Inside Debian, I installed VirtualBox and use it as my main virtualization software. I highly recommend it.
1) Install VirtualBox in your main operating system. Create an empty folder called shared and share the new folder you've created with the guest OS.
2) Install a fresh Windows version of your choice and update it. I usually update because sometimes I also do Windows patch analysis on these machines, so I need to have up-to-date patches to be able to do proper bindiffing.
3) Install the VirtualBox Guest Additions.
4) Install and configure the required software; here is my list:
- Go to Explorer -> Folder options -> uncheck Hide extensions for known file types, uncheck Hide protected operating system files and choose Show hidden files, folders and drives.
- Install Chrome (no one would like to work with IE) and immediately download and install Adblock Plus.
- Download and install WinRAR or 7-Zip, or both (I prefer both).
- Install Visual Studio 2008/2010/2012/2013. I personally install VS2008 and sometimes VS2010 too (together), but the latest version of VS should work.
- Install the latest version of Python 2.7. It just works fine and IDA Pro likes it. Then download and save this file and run python get-pip.py. Add C:\Python27 and C:\Python27\scripts to your PATH. Open a new command prompt and run "pip install yara", "pip install pycrypto", "pip install winappdbg" and "pip install pefile", and finally download and install jsunpack manually.
- Install Notepad++.
- Create a folder called Tools in C:\
- Download and extract RDG Packer Detector to C:\Tools\RDG. When you run it for the first time, it offers to set up a context menu; I choose yes. If you do so, you'll be able to right-click on binaries and let RDG scan them easily.
- Download and install CFF Explorer. Run CFF Explorer, go to Settings and click Enable shell extensions.
- Download and extract PEiD to C:\Tools\PeID. Download userdb.txt and overwrite the one in the PEiD folder. Run PEiD -> Options -> Hardcore Scan and check Register shell extensions.
- Download and install IDA of your choice (Pro or free).
- Download and install dotPeek.
- Download and install NASM (go to the latest version folder and download the zip inside win32) and MASM. Install NASM to C:\Nasm and MASM to C:\Masm32, and add both folders to the PATH environment variable.
- Download and extract OllyDbg to C:\Tools\Olly. Use this as Ollydbg.ini, which will give you a nice theme (provided by jacob@reddit.com in the comments section of my blog, thanks jacob!). Then install plugins of your choice; here is the list of OllyDbg plugins I use: Olly Advanced, Olly Breakpoint Manager, OllyBonE, OllyDumpEx, ODbgScript, StrongOD, Ultra String Reference, CopyHexCode, Multiline Ultimate Assembler and ImportStudio. Then go to Options -> Just-in-time debugging and make OllyDbg the just-in-time debugger.
- Download and extract ImpRec to C:\Tools\ImpRec.
- If you want to do binary diffing (diffing malware versions or Windows patch analysis) like I do, you also need to install TurboDiff, PatchDiff, IDACompare and DarunGrim.
- Install a hex editor of your choice; I suggest HxD as the best free one and Hex Workshop as the best paid one.
- Install the Windows SDK (if you need to do development), which also installs WinDbg.
- Install the Windows WDK (driver development kit) if you need it.
- Download and put these tools in the C:\Tools folder: UPX, GMER, Process Explorer, Handle, DebugView, Autoruns, RKU, Kernel Detective, Malzilla, ExeInfo, PEStudio, Dependency Walker, XORSearch, SWFTools, Java Decompiler, PiD.
- Download and install Wireshark.
- Save and run this REG file:
REGEDIT4
[HKEY_CLASSES_ROOT\*\shell\cmdhere]
@="Cmd&Here"
[HKEY_CLASSES_ROOT\*\shell\cmdhere\command]
@="cmd.exe /c start cmd.exe /k pushd \"%L\\..\""
[HKEY_CLASSES_ROOT\Folder\shell\cmdhere]
@="Cmd&Here"
[HKEY_CLASSES_ROOT\Folder\shell\cmdhere\command]
@="cmd.exe /c start cmd.exe /k pushd \"%L\""
- Create desktop shortcuts for the tools you just installed. Results:
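The packer detectors and PE tools above (RDG, PEiD, CFF Explorer, pefile) all start from the same header walk. As an added example that is not part of the original post, here is a pure-Python version of that walk together with the two heuristics PEiD-style tools lean on, section entropy and entry-point location, run against a constructed two-section PE32 image that the script builds itself. No real sample is involved; the image layout, the section names and the entropy threshold are the example's own assumptions.

```python
import random
import struct
from collections import Counter
from math import log2

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGNMENT = 0x200


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """Minimal PE32 header walk: DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr, _rel, _lin, _nrel, _nlin,
         schars) = struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "write": bool(schars & IMAGE_SCN_MEM_WRITE),
            "exec": bool(schars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def triage(pe):
    """Packer heuristics of the kind PEiD/RDG apply: entry-point section, per-section entropy, W+X sections."""
    findings, entry_section = [], None
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
        if s["entropy"] > 7.0:  # threshold is this example's assumption
            findings.append(f"{s['name']}: entropy {s['entropy']} suggests packed or encrypted data")
        if s["write"] and s["exec"]:
            findings.append(f"{s['name']}: section is both writable and executable")
    if entry_section is None:
        findings.append("entry point lies outside every section")
    elif entry_section != ".text":
        findings.append(f"entry point is in section {entry_section}, not .text")
    return entry_section, findings


def build_sample():
    """Constructed PE32 image: a plain .text plus a UPX1-style high-entropy section that holds the entry point."""
    rng = random.Random(1337)
    text = (b"\x55\x8b\xec\x5d\xc3" * 102).ljust(0x200, b"\xcc")   # push ebp / mov ebp,esp / pop ebp / ret, int3 padding
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x400))          # stands in for compressed code
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)                          # AddressOfEntryPoint inside UPX1
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGNMENT)         # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    secs += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x400, 0x3000, 0x400, 0x400, 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(FILE_ALIGNMENT, b"\0")
    return headers + text + upx1


if __name__ == "__main__":
    pe = parse_pe(build_sample())
    for s in pe["sections"]:
        print(f"{s['name']:<8} va=0x{s['va']:x} entropy={s['entropy']} W={s['write']} X={s['exec']}")
    for finding in triage(pe)[1]:
        print("!", finding)
```

The same `parse_pe`/`triage` pair works on a real file read with `open(path, "rb").read()`; the constructed image only exists so the example runs without a sample and shows both the quiet .text case and the three findings a packed section produces.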
5) Shut down the virtual machine.
6) During malware analysis, and especially when checking malware C&C servers, no one likes to share their real IP with malware authors. Especially nowadays with IP-to-location databases, your IP alone is enough to give away your approximate location. So here is what you need to do:
- Download Whonix-Gateway (you should get an .ova file).
- Go to VirtualBox Manager -> File -> Import Appliance (or Ctrl+I), choose the .ova file, set the CPU and memory settings and run it.
- On the first run, it will take you through some setup steps; follow them, set Tor to start at boot, run "sudo apt-get update ; sudo apt-get upgrade" and use the default password, which is "changeme".
- Let Whonix run, minimize it and return to the main VirtualBox Manager.
- While Whonix is running and your main virtual machine (the reverse engineering machine) is powered off, go to VirtualBox Manager and open that virtual machine's settings. Go to Network -> choose Internal Network -> choose Whonix as the name and press OK to save.
- Now run your virtual machine again. Go to its network settings and set the following:
IP address => 10.152.152.50
Subnet => 255.255.192.0
Gateway => 10.152.152.10
DNS server => 10.152.152.10
- Allow it to configure itself and voilà!
Guess what? I'm thousands of miles away from the Netherlands and I can't speak Dutch (shame on me).
From now on, all applications running inside this virtual machine will use this Tor exit IP. Also, if you want to change your Tor IP and Tor identity, I have created a shell script on the Whonix desktop which does it for you. Run "nano newip.sh" and paste the following:
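The whole point of the internal network above is that the workstation has no path out except through 10.152.152.10, so it is worth checking the guest's actual configuration rather than trusting the dialog. The following added example (not from the original post and not Whonix's own tooling) audits a saved `ipconfig /all` dump against the addresses given above and flags any adapter, gateway or DNS server that would bypass the gateway. The two dumps are constructed; the second one carries an extra adapter of the kind left behind when a NAT or host-only interface is still attached to the VM. It is written for Python 3, so run it on the host against a dump copied out of the guest.

```python
import ipaddress
import re

# Workstation addressing from the article: address 10.152.152.50 with mask 255.255.192.0,
# which puts the whole internal network in 10.152.128.0/18, and a single gateway/DNS at 10.152.152.10.
WHONIX_NET = ipaddress.ip_network("10.152.152.50/255.255.192.0", strict=False)
WHONIX_GATEWAY = ipaddress.ip_address("10.152.152.10")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ipconfig(text):
    """Turn `ipconfig /all` output into {adapter: {"ipv4": [...], "gateway": [...], "dns": [...]}}."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            current = raw.strip().rstrip(":")            # adapter header, e.g. "Ethernet adapter Local Area Connection:"
            adapters[current] = {"ipv4": [], "gateway": [], "dns": []}
            last_key = None
            continue
        if current is None:
            continue                                       # preamble such as "Windows IP Configuration"
        if ":" in raw:
            label, _, value = raw.partition(":")
            label = label.replace(".", "").strip().lower()
            if label.startswith("ipv4 address"):
                last_key = "ipv4"
            elif label.startswith("default gateway"):
                last_key = "gateway"
            elif label.startswith("dns servers"):
                last_key = "dns"
            else:
                last_key = None
        else:
            value = raw                                    # indented continuation line (second DNS server, etc.)
        if last_key:
            adapters[current][last_key].extend(IPV4.findall(value))
    return adapters


def audit(adapters):
    """Return findings; an empty list means every adapter sits inside the Whonix network behind the gateway."""
    findings = []
    for name, cfg in adapters.items():
        for ip in cfg["ipv4"]:
            if ipaddress.ip_address(ip) not in WHONIX_NET:
                findings.append(f"{name}: address {ip} is outside {WHONIX_NET} (a direct path to the host or LAN)")
        for ip in cfg["gateway"]:
            if ipaddress.ip_address(ip) != WHONIX_GATEWAY:
                findings.append(f"{name}: default gateway {ip} is not the Whonix-Gateway {WHONIX_GATEWAY}")
        for ip in cfg["dns"]:
            if ipaddress.ip_address(ip) != WHONIX_GATEWAY:
                findings.append(f"{name}: DNS server {ip} bypasses the gateway's Tor DNS")
    return findings


# Constructed dumps: the first matches the article's settings, the second adds a leaky second adapter.
CLEAN = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   IPv4 Address. . . . . . . . . . . : 10.152.152.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.192.0
   Default Gateway . . . . . . . . . : 10.152.152.10
   DNS Servers . . . . . . . . . . . : 10.152.152.10
"""

LEAKY = CLEAN + """\
Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter #2
   IPv4 Address. . . . . . . . . . . : 192.168.56.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.56.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
"""

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN), ("leaky", LEAKY)):
        problems = audit(parse_ipconfig(dump))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  !", p)
```

A clean result is necessary but not sufficient: the check only sees the guest's own configuration, so the VirtualBox side (exactly one adapter, attached to the Whonix internal network) still has to be confirmed in the VM settings.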
#!/bin/sh
# Ask Tor on the local control port (9051) for a fresh identity, authenticating with Tor's cookie file
tor-ctrl -a /var/run/tor/control.authcookie -P 9051 -c "signal newnym"
Save the file on your desktop and enable the execute permission (chmod +x newip.sh); next time, just double-click on it and you'll have a new identity.
7) Take a snapshot with everything installed and configured and call it "Clean-Install". Now you can start analyzing all types of malware without worrying about your identity or the damage malware may cause.
I think we've covered it all. Please let me know your suggestions via Twitter, the comments or email.
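The one-liner above works because Whonix-Gateway runs Tor with a local control port. To show what tor-ctrl does on the wire, here is an added example (not the article's script and not tor-ctrl's code) that performs the same two-step exchange in Python: COOKIE authentication with the hex-encoded cookie contents, then SIGNAL NEWNYM. It talks to a constructed stand-in for the control port over a socketpair so it runs offline; the 32-byte cookie value and the fake controller are assumptions of the example, while the commands and reply codes are the ones Tor's control protocol defines.

```python
import binascii
import socket
import threading


def read_reply(reader):
    """Read one control-port reply: '250-...' / '250+...' lines continue, a '250 ...' line ends it."""
    lines = []
    while True:
        line = reader.readline()
        if not line:
            raise ConnectionError("control connection closed")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) >= 4 and text[3] == " ":
            return text[:3], lines


def send_newnym(sock, cookie):
    """Client side of `tor-ctrl -a <cookiefile> -c "signal newnym"`: authenticate, request a new circuit, quit."""
    reader = sock.makefile("rb")
    sock.sendall(b"AUTHENTICATE " + binascii.hexlify(cookie) + b"\r\n")   # plain COOKIE method
    code, lines = read_reply(reader)
    if code != "250":
        raise PermissionError(f"authentication rejected: {lines[-1]}")
    sock.sendall(b"SIGNAL NEWNYM\r\n")
    code, _ = read_reply(reader)
    sock.sendall(b"QUIT\r\n")
    read_reply(reader)                                                     # "250 closing connection"
    return code == "250"


def fake_controller(sock, cookie):
    """Constructed stand-in for Tor's control port (not Tor), answering with the codes Tor uses."""
    reader = sock.makefile("rb")
    authenticated = False
    try:
        while True:
            line = reader.readline()
            if not line:
                break
            cmd = line.decode("ascii", "replace").rstrip("\r\n")
            verb, _, arg = cmd.partition(" ")
            if verb.upper() == "AUTHENTICATE":
                if arg.strip().lower() == binascii.hexlify(cookie).decode():
                    authenticated = True
                    sock.sendall(b"250 OK\r\n")
                else:
                    sock.sendall(b"515 Authentication failed: Authentication cookie did not match.\r\n")
                    break                                                  # Tor closes the connection here
            elif cmd.upper() == "SIGNAL NEWNYM":
                sock.sendall(b"250 OK\r\n" if authenticated else b"514 Authentication required.\r\n")
            elif verb.upper() == "QUIT":
                sock.sendall(b"250 closing connection\r\n")
                break
            else:
                sock.sendall(b"510 Unrecognized command\r\n")
    finally:
        sock.close()


def run_demo(use_correct_cookie=True):
    """Run the client against the fake controller; True when NEWNYM was accepted, PermissionError on bad cookie."""
    cookie = bytes(range(32))   # constructed 32-byte stand-in for the contents of /var/run/tor/control.authcookie
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_controller, args=(server, cookie), daemon=True)
    worker.start()
    try:
        return send_newnym(client, cookie if use_correct_cookie else bytes(32))
    finally:
        client.close()
        worker.join(timeout=2)


if __name__ == "__main__":
    print("new identity requested:", run_demo(True))
    try:
        run_demo(False)
    except PermissionError as exc:
        print("wrong cookie:", exc)
```

Against a real gateway you would replace the socketpair with a TCP connection to the control port and read the cookie file into `cookie`. The cookie file is only readable by Tor's user and whoever it is shared with, which is the whole access control for this method; Tor's SAFECOOKIE variant proves possession of the cookie without sending it, which matters if the control connection is not local.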
Comments
Howard Chu
Sat, 10/18/2014 - 06:57
Favorite tools
I've used BitBlaze successfully to analyze a fair amount of malware. It's based on QEMU. http://bitblaze.cs.berkeley.edu/
jacob (sh3dow)
Sat, 10/18/2014 - 12:34
Thanks for the beautiful article
010 Editor as the best paid one (a hex editor you should have, also used by Lenny Zeltser & Didier Stevens)
Also I use the PETemplate.bt parser for x86/x64 exe, dll, sys & PDFTemplate by Didier Stevens
You should have a look at the 010 Editor website
http://digital-forensics.sans.org/blog/2010/09/29/hex-editors-for-malwar...
http://www.sweetscape.com/010editor/templates/
http://www.sweetscape.com/010editor/
------
It is an honor that you mention my name in your blog
DiabloHorn
Sat, 10/18/2014 - 17:31
Possible improvement
Hi,
If you start with the TOR machine and then install the Windows machine you could have a bit more assurance that your external IP will not leak. Now the external IP could maybe be in memory, since everything was downloaded without TOR.
Great article.
DiabloHorn
Aneel
Thu, 10/23/2014 - 09:42
Awesome
Thanks for sharing such an interesting article, it's helpful for all who want to learn about malware analysis and reverse engineering... All the best
SGFk
Sat, 10/25/2014 - 19:20
vboxmanage
It's actually possible to run a VirtualBox machine in 'headless' mode (here I'm talking about Whonix) because you don't need to interact with it. And you haven't mentioned the PhantOm Olly plugin, which I find useful. Thanks for sharing!
Dave
Wed, 10/29/2014 - 11:35
Share the VM please? :O
Omer Hayyam
Thu, 11/13/2014 - 15:00
Yes, we are waiting for it, please
Noah LehLeha
Fri, 10/31/2014 - 04:22
You may add the Windows symbols settings
_NT_SYMBOL_PATH = SRV*path_to_symbol_folder*http://msdl.microsoft.com/download/symbols
http://support2.microsoft.com/kb/311503/en
anonymous
Mon, 11/17/2014 - 12:43
Hi,
thank you for giving us these details about your environment.
I want to ask how much RAM is needed at least?
siteadm
Mon, 11/17/2014 - 13:16
Hi, I don't have a scientific reason for how much RAM is needed, but I would recommend at least 4GB.
Windows 7 needs at least 1 GB RAM, Visual Studio needs at least 1 GB RAM, so if you consider also using IDA Pro, running several instances etc., you are definitely going to need at least 4GB, but more is always better.
Anonymous
Sat, 12/20/2014 - 09:27
Improvement
It would be better to configure the virtual networking modes (e.g. Host-only) after installing the software.