Building Ultimate Anonymous Malware Analysis and Reverse Engineering Machine

  • Posted on: 17 October 2014
  • By: siteadm

In this article, I'll show you my malware analysis environment and setup. All software and configuration choices described here are purely my personal preference; this is my configuration and I like it, but please don't hesitate to share your ideas. I'll start from the very beginning: OS installation. For malware analysis the OS may vary, since some malware only runs on a certain OS, so it's better to have several of them. Personally, I have Windows XP SP3 with all updates that were available, and Windows 7 x64.

Also, nobody wants to do malware analysis on their main OS, so I use Debian as my host OS; inside Debian I installed VirtualBox and use it as my main virtualization software. I highly recommend it.

1) Install VirtualBox on your host operating system. Create an empty folder called shared and share it with the guest OS as a VirtualBox shared folder.

2) Install a fresh Windows version of your choice and update it. I usually update because sometimes I also do Windows patch analysis on these machines, so I need up-to-date patches to do proper bindiffing.

3) Install the VirtualBox Guest Additions.

4) Install and configure the required software; here is my list:

  • Go to Explorer -> Folder Options -> uncheck "Hide extensions for known file types", uncheck "Hide protected operating system files" and select "Show hidden files, folders and drives".
  • Install Chrome (nobody wants to work with IE) and immediately download and install AdBlock Plus.
  • Download and install WinRAR, 7-Zip or both (I prefer both).
  • Install Visual Studio 2008/2010/2012/2013. I personally install VS2008 and sometimes VS2010 as well (side by side), but the latest version of VS should work.
  • Install the latest version of Python 2.7. It works fine and IDA Pro likes it. Then download and save get-pip.py and run python get-pip.py. Add C:\Python27 and C:\Python27\Scripts to your PATH. Open a new command prompt and run "pip install yara", "pip install pycrypto", "pip install winappdbg" and "pip install pefile"; finally, download and install jsunpack manually.
  • Install Notepad++.
  • Create a folder called Tools in C:\.
  • Download and extract RDG Packer Detector to C:\Tools\RDG. When you run it for the first time, it offers to set up a context menu entry; I choose yes. If you do so, you'll be able to right-click on binaries and let RDG scan them easily.

  • Download and install CFF Explorer. Run CFF Explorer, go to Settings and click "Enable shell extensions".
  • Download and extract PEiD to C:\Tools\PEiD. Download userdb.txt and overwrite the one in the PEiD folder. Run PEiD -> Options -> choose "Hardcore Scan" and check "Register Shell Extensions".

  • Install the Windows WDK (driver development kit) if you need it.
  • Add a "Cmd Here" entry to the right-click menu of files and folders: save the following as a .reg file and import it (double-click it in Explorer). For a file, %L is the file's path, so pushd "%L\.." opens the prompt in the file's directory; for a folder, %L is the folder itself.

REGEDIT4

[HKEY_CLASSES_ROOT\*\shell\cmdhere]
@="Cmd&Here"

[HKEY_CLASSES_ROOT\*\shell\cmdhere\command]
@="cmd.exe /c start cmd.exe /k pushd \"%L\\..\""

[HKEY_CLASSES_ROOT\Folder\shell\cmdhere]
@="Cmd&Here"

[HKEY_CLASSES_ROOT\Folder\shell\cmdhere\command]
@="cmd.exe /c start cmd.exe /k pushd \"%L\""
  • Create desktop shortcuts for the tools you just installed. Results:

5) Shut down the virtual machine.

6) During malware analysis, and especially when checking the C&C servers of malware, nobody wants to share their real IP address with malware authors. Especially nowadays, with IP-to-location databases, your IP alone is enough to give away your approximate location. So here is what you need to do:

  • Download Whonix-Gateway (you should get an .ova file).
  • Go to VirtualBox Manager -> File -> Import Appliance (or Ctrl+I), choose the .ova file, set the CPU and memory settings and run it.
  • On the first run it takes you through some setup steps; follow them, set Tor to start at boot, run "sudo apt-get update ; sudo apt-get upgrade" and use the default password, which is "changeme".
  • Leave Whonix running, minimize it and return to the main VirtualBox Manager.

  • With Whonix running and your analysis virtual machine powered off, go to VirtualBox Manager and open the settings of your reverse engineering VM. Go to Network -> choose "Internal Network" -> enter Whonix as the name and press OK to save.
  • Now start your virtual machine again. Go to the Windows network adapter settings and set the following:
IP address => 10.152.152.50
Subnet     => 255.255.192.0
Gateway    => 10.152.152.10
DNS server => 10.152.152.10
  • Allow it to configure itself and voilà!

Guess what? An IP lookup now places me in the Netherlands, but I'm thousands of miles away from there and I can't speak Dutch (shame on me).
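A check I run inside the Windows guest before the first detonation, to confirm the adapter really is wired to the Whonix gateway and that the egress is a Tor exit. This is an added example in Python 3 (not code from the original article, which installs Python 2.7 in the guest); it assumes the Whonix defaults given above (gateway 10.152.152.10, mask 255.255.192.0), parses ipconfig /all output, and only contacts check.torproject.org once the static settings look right. The sample ipconfig text is constructed.

```python
"""Verify an analysis guest only reaches the Internet through the Whonix gateway.

Added example, not part of the original article. Assumes the article's Whonix
defaults: gateway 10.152.152.10, subnet mask 255.255.192.0 (a /18).
"""
import ipaddress
import json
import re
import subprocess
import urllib.request

GATEWAY = ipaddress.IPv4Address("10.152.152.10")
# 255.255.192.0 is a /18, so the internal network is 10.152.128.0 - 10.152.191.255.
WHONIX_NET = ipaddress.IPv4Network("10.152.152.0/255.255.192.0", strict=False)
# Real endpoint; the body is JSON of the form {"IsTor": true, "IP": "..."}.
TOR_CHECK_URL = "https://check.torproject.org/api/ip"

# Matches 'Label . . . : value' lines as printed by ipconfig; the value may be absent.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()\-]*?)[ .]*:(?: (.*))?$")

# Constructed sample of `ipconfig /all` output from a correctly configured guest.
SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : RE-VM

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   IPv4 Address. . . . . . . . . . . : 10.152.152.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.192.0
   Default Gateway . . . . . . . . . : 10.152.152.10
   DNS Servers . . . . . . . . . . . : 10.152.152.10
"""


def parse_ipconfig(text):
    """Pull IPv4 address, mask, gateway and DNS servers out of `ipconfig /all`.

    XP labels the address 'IP Address', Windows 7 'IPv4 Address'; extra DNS
    servers appear on continuation lines without a label. With several
    adapters the last one printed wins.
    """
    settings = {"ip": None, "mask": None, "gateway": None, "dns": []}
    last_key = None
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m:
            key, value = m.group(1).strip(), (m.group(2) or "").strip()
            last_key = key
        elif raw.strip() and last_key == "DNS Servers":
            key, value = last_key, raw.strip()  # continuation line: another DNS server
        else:
            continue
        value = value.split("(")[0].strip()  # drop "(Preferred)" and similar suffixes
        if not value:
            continue
        if key in ("IPv4 Address", "IP Address"):
            settings["ip"] = value
        elif key == "Subnet Mask":
            settings["mask"] = value
        elif key == "Default Gateway":
            settings["gateway"] = value
        elif key == "DNS Servers":
            settings["dns"].append(value)
    return settings


def check_settings(settings):
    """Return a list of problems; an empty list means every route and every
    DNS query goes to the gateway and nowhere else."""
    try:
        ip = ipaddress.IPv4Address(settings["ip"])
        mask = ipaddress.IPv4Address(settings["mask"])
        gw = ipaddress.IPv4Address(settings["gateway"])
    except ValueError:
        return ["missing or malformed IPv4 address, subnet mask or gateway"]
    problems = []
    if mask != WHONIX_NET.netmask:
        problems.append("subnet mask is %s, expected %s" % (mask, WHONIX_NET.netmask))
    if ip not in WHONIX_NET:
        problems.append("address %s is outside the Whonix network %s" % (ip, WHONIX_NET))
    if gw != GATEWAY:
        problems.append("default gateway is %s, expected %s" % (gw, GATEWAY))
    if not settings["dns"] or any(d != str(GATEWAY) for d in settings["dns"]):
        problems.append("DNS must point only at the gateway, got %s" % settings["dns"])
    return problems


def is_tor_exit(api_json):
    """Interpret the JSON body returned by check.torproject.org/api/ip."""
    data = json.loads(api_json)
    return bool(data.get("IsTor")), data.get("IP")


def live_check():
    """Run on the guest: refuse to touch the network until the static config is right."""
    out = subprocess.check_output(["ipconfig", "/all"]).decode("ascii", "replace")
    problems = check_settings(parse_ipconfig(out))
    if problems:
        return problems
    with urllib.request.urlopen(TOR_CHECK_URL, timeout=60) as resp:
        tor, ip = is_tor_exit(resp.read().decode("utf-8"))
    return [] if tor else ["egress address %s is NOT a Tor exit" % ip]


if __name__ == "__main__":
    print(live_check() or "all traffic leaves through Tor")
```

The point of checking the mask and DNS as well as the gateway is that a stray DNS server or a host-only adapter left attached gives the guest a path around Tor even though the default route looks right.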

From now on, all applications running inside the VirtualBox guest will use this IP. If you want to change your Tor IP and Tor identity, I have created a shell script on the Whonix-Gateway desktop which does it for you. Run "nano newip.sh" and paste the following:

#!/bin/sh
# Authenticate to the local Tor control port with the cookie and ask for a new circuit
tor-ctrl -a /var/run/tor/control.authcookie -P 9051 -c "signal newnym"

Save the file on your desktop and make it executable (chmod +x newip.sh); next time, just double-click it and you'll have a new identity.
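What the tor-ctrl one-liner above does on the wire, written out as an added example in Python 3 (not code from the article or from Whonix): connect to the control port, send AUTHENTICATE with the hex of the 32-byte cookie, then SIGNAL NEWNYM, checking for a 250 reply each time. The host, port and cookie path are the same ones the script assumes. Two caveats worth knowing: Tor accepts at most one NEWNYM every ten seconds and silently delays later ones, and a new circuit does not guarantee a different exit address.

```python
"""Tor control-port client that does what `tor-ctrl ... -c "signal newnym"` does.

Added example, not part of the original article. Assumes Tor's control port is
on 127.0.0.1:9051 and the cookie lives at /var/run/tor/control.authcookie, as
in the article's script.
"""
import binascii
import socket

CONTROL_HOST = "127.0.0.1"
CONTROL_PORT = 9051
COOKIE_PATH = "/var/run/tor/control.authcookie"


def build_authenticate(cookie):
    """AUTHENTICATE takes the 32-byte cookie as hex digits; lines end in CRLF."""
    if len(cookie) != 32:
        raise ValueError("Tor control cookies are exactly 32 bytes, got %d" % len(cookie))
    return b"AUTHENTICATE " + binascii.hexlify(cookie) + b"\r\n"


def parse_reply(line):
    """Split one control-port reply line into (code, text, more_lines_follow).

    Replies are SMTP-style: '250 OK' ends a reply, '250-...' and '250+...'
    mean further lines follow, and 5xx codes are errors.
    """
    line = line.rstrip("\r\n")
    code, sep, text = line[:3], line[3:4], line[4:]
    if not code.isdigit() or sep not in (" ", "-", "+"):
        raise ValueError("malformed control reply: %r" % line)
    return int(code), text, sep != " "


def read_reply(rfile):
    """Read a complete reply (possibly several lines) and return (code, [texts])."""
    texts = []
    while True:
        code, text, more = parse_reply(rfile.readline().decode("ascii"))
        texts.append(text)
        if not more:
            return code, texts


def new_identity(host=CONTROL_HOST, port=CONTROL_PORT, cookie_path=COOKIE_PATH):
    """Authenticate with the cookie and signal NEWNYM; raises on any non-250 reply.

    Tor rate-limits NEWNYM to one per ten seconds (later signals are delayed,
    not refused), and a fresh circuit may still end at the same exit node.
    """
    with open(cookie_path, "rb") as f:
        cookie = f.read()
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("rb")
        for command in (build_authenticate(cookie), b"SIGNAL NEWNYM\r\n"):
            sock.sendall(command)
            code, texts = read_reply(rfile)
            if code != 250:
                name = command.split()[0].decode("ascii")
                raise RuntimeError("%s failed: %d %s" % (name, code, " ".join(texts)))
        sock.sendall(b"QUIT\r\n")
    return True


if __name__ == "__main__":
    new_identity()
    print("new Tor circuit requested")
```

Because the cookie file is only readable by the Tor user and the group it grants access to, run this as a user in that group on the gateway, which is also why the article's script lives on the Whonix-Gateway desktop rather than in the Windows guest.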

7) Take a snapshot with everything installed and configured and call it "Clean-Install". Now you can start analyzing all types of malware without worrying about your identity or the damage malware may cause.

I think we've covered it all. Please let me know your suggestions via Twitter, comments or email.

Comments

I've used BitBlaze successfully to analyze a fair amount of malware. It's based on QEMU. http://bitblaze.cs.berkeley.edu/

010 Editor is the best paid hex editor; you should have it (it is also used by Lenny Zeltser & Didier Stevens).
I also use the PETemplate.bt parser for x86/x64 exe, dll and sys files, and PDFTemplate by Didier Stevens.
You should have a look at the 010 Editor website:
http://digital-forensics.sans.org/blog/2010/09/29/hex-editors-for-malwar...
http://www.sweetscape.com/010editor/templates/
http://www.sweetscape.com/010editor/
------

It is an honor that you mention my name in your blog.

Hi,

If you start with the TOR machine and then install the Windows machine you could have a bit more assurance that your external IP will not leak. Now the external IP could maybe be in memory, since everything was downloaded without TOR.

Great article.

DiabloHorn

Thanks for sharing such an interesting article; it's helpful for all who want to learn about malware analysis and reverse engineering. All the best.

It's actually possible to run a VirtualBox machine in 'headless' mode (here I'm talking about Whonix) because you don't need to interact with it. And you haven't mentioned the PhantOm Olly plugin; I find it useful. Thanks for sharing!

Share the VM please? :O

Yes, we are waiting for it, please.

Hi,
thank you for giving us these details about your environment.
I want to ask how much RAM is needed at least?

Hi, I don't have a scientific reason for how much RAM is needed, but I would recommend at least 4GB.

Windows 7 needs at least 1 GB of RAM and Visual Studio needs at least 1 GB of RAM, so if you also consider using IDA Pro, running several instances, etc., you are definitely going to need at least 4 GB, but more is always better.

It would be better to configure the virtual networking modes (e.g. Host-only) after installing the software.
