Building Ultimate Anonymous Malware Analysis and Reverse Engineering Machine
In this article, I'll show you my malware analysis environment and setup. All the software and configuration described here is my personal preference: this is my setup and I like it, but please don't hesitate to share your ideas. I'll start from the very beginning: OS installation. For malware analysis the guest OS may vary, since some malware only runs on a certain OS, so it's better to have several of them. Personally, I have XP SP3 with all the updates that were available, and Windows 7 x64.
Also, definitely no one wants to do malware analysis on their main OS. I use Debian as my main OS; inside Debian I installed VirtualBox, which I use as my main virtualization software. I highly recommend it.
1) Install VirtualBox in your main operating system. Create an empty folder called shared and share this new folder with the guest OS.
2) Install a fresh Windows version of your choice and update it. I usually update because I also do Windows patch analysis on these machines, so I need up-to-date patches to do proper bindiffing.
3) Install the VirtualBox Guest Additions.
4) Install and configure the required software; here is my list:
- Go to Explorer -> Folder Options -> uncheck "Hide extensions for known file types", uncheck "Hide protected operating system files" and choose "Show hidden files, folders and drives".
- Install Chrome (no one wants to work with IE) and immediately download and install Adblock Plus.
- Download and install WinRAR, 7-Zip or both; I prefer both.
- Install Visual Studio 2008/2010/2012/2013. I personally install VS2008 and sometimes VS2010 as well (side by side), but the latest version of VS should work.
- Install the latest version of Python 2.7. It just works, and IDA Pro likes it. Then download and save get-pip.py and run "python get-pip.py". Add C:\Python27 and C:\Python27\scripts to your PATH. Open a new command prompt and run "pip install yara", "pip install pycrypto", "pip install winappdbg" and "pip install pefile"; finally, download and install jsunpack manually.
- Install Notepad++.
- Create a folder called Tools in C:\.
- Download and extract RDG Packer Detector to C:\Tools\RDG. When you run it for the first time, it offers to set up a context-menu entry; I choose yes. If you do so, you'll be able to right-click on binaries and let RDG scan them easily.
- Download and install CFF Explorer. Run CFF Explorer, go to Settings and click "Enable shell extensions".
- Download and extract PEiD to C:\Tools\PeID. Download userdb.txt and overwrite the one in the PEiD folder. Run PEiD -> Options -> choose Hardcore Scan and check "Register shell extensions".
- Download and install the IDA of your choice (Pro or Free).
- Download and install dotPeek.
- Download and install NASM (go to the latest version folder and download the zip inside win32) and MASM. Install NASM to C:\Nasm and MASM to C:\Masm32, and add both folders to the PATH environment variable.
- Download and extract OllyDbg to C:\Tools\Olly. Use this file as your Ollydbg.ini, which gives you a nice theme (provided by email@example.com in the comments section of my blog; thanks, Jacob!). Then install the plugins of your choice; here is the list of OllyDbg plugins I use: Olly Advanced, Olly Breakpoint Manager, OllyBonE, OllyDumpEx, ODbgScript, StrongOD, Ultra String Reference, CopyHexCode, Multiline Ultimate Assembler and ImportStudio. Then go to Options -> Just-in-time debugging and make OllyDbg the just-in-time debugger.
- Download and extract ImpREC to C:\Tools\ImpRec.
- If you want to do binary diffing (diffing malware versions or Windows patch analysis) like I do, you also need to install TurboDiff, PatchDiff, IDACompare and DarunGrim.
- Install the hex editor of your choice; I suggest HxD as the best free one and Hex Workshop as the best paid one.
- Install the Windows SDK (if you need to do development), which also installs WinDbg.
- Install the Windows WDK (Windows Driver Kit) if you need it.
- Download and put these files in the C:\Tools folder: UPX, GMER, Process Explorer, Handle, DebugView, Autoruns, RKU, Kernel Detective, Malzilla, ExeInfo, PEStudio, Dependency Walker, XORSearch, SWFTools, Java Decompiler, PiD.
- Download and install Wireshark.
- Save and run this REG file, which adds a "Cmd Here" entry to the right-click menu of files and folders (the file path case uses pushd "%L\.." to land in the file's parent directory):

REGEDIT4

[HKEY_CLASSES_ROOT\*\shell\cmdhere]
@="Cmd&Here"

[HKEY_CLASSES_ROOT\*\shell\cmdhere\command]
@="cmd.exe /c start cmd.exe /k pushd \"%L\\..\""

[HKEY_CLASSES_ROOT\Folder\shell\cmdhere]
@="Cmd&Here"

[HKEY_CLASSES_ROOT\Folder\shell\cmdhere\command]
@="cmd.exe /c start cmd.exe /k pushd \"%L\""

- Create desktop shortcuts for the tools you just installed. Results:
[screenshot of the finished desktop]
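Once the Python toolchain above is in place, a first triage step is to look at a sample's sections and their entropy, which is roughly what PEiD and RDG Packer Detector do under the hood. The following is an added example, not code from the original post: it uses only the Python 3 standard library (pefile would do the header parsing for you), and the PE image it parses is constructed inline by build_sample_pe, not a real sample.

```python
"""Static triage: parse PE section headers and flag packed-looking sections
by Shannon entropy.  Added example, standard library only, Python 3.
The sample PE is constructed inline (enough of a PE to parse, not a program)."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, close to 8.0 for random/packed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns a list of (name, raw_size, entropy) tuples, one per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, 12 bytes we skip, SizeOfOptionalHeader
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_ptr, _reloc, _lines, _nreloc, _nlines,
         _chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_size, shannon_entropy(data)))
    return sections


def suspicious_sections(pe, threshold=7.0):
    """Names of sections whose entropy suggests compressed or encrypted content."""
    return [name for name, _size, ent in parse_sections(pe) if ent >= threshold]


def build_sample_pe(sections):
    """Construct a minimal PE image carrying the given (name, bytes) sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0                          # no optional header needed to reach the table
    coff = struct.pack("<HH12xHH", 0x14C, len(sections), opt_size, 0x0102)
    table = e_lfanew + 4 + 20 + opt_size
    raw_off = table + 40 * len(sections)  # raw data starts right after the table
    headers, body = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                               len(data), 0x1000, len(data), raw_off + len(body),
                               0, 0, 0, 0, 0x60000020)
        body += data
    return dos + b"PE\0\0" + coff + headers + body


# Constructed sample: a repetitive "code" section beside a section of
# pseudo-random bytes, which is what a UPX-style packed section looks like.
_rng = random.Random(2014)
LOW_ENTROPY = b"\x55\x8b\xec\x83\xec\x10" * 200 + b"GetProcAddress\0LoadLibraryA\0"
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_PE = build_sample_pe([(".text", LOW_ENTROPY), ("UPX1", HIGH_ENTROPY)])

if __name__ == "__main__":
    for name, size, ent in parse_sections(SAMPLE_PE):
        print("%-8s %6d bytes  entropy %.2f" % (name, size, ent))
    print("suspicious:", suspicious_sections(SAMPLE_PE))
```

High entropy is a hint, not a verdict: legitimate binaries carry compressed resources and certificates too, which is why the signature databases of PEiD and RDG exist alongside this kind of check.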
5) Shut down the virtual machine.
6) During malware analysis, and especially when checking malware C&C servers, no one wants to share their real IP with the malware authors. Nowadays, with IP-to-location databases, your IP alone is enough to give away your approximate location. So here is what you need to do:
- Download Whonix-Gateway (you should get an .ova file).
- Go to VirtualBox Manager -> File -> Import Appliance (or Ctrl+I), choose the .ova file, set the CPU and memory settings and run it.
- On the first run it will take you through some setup steps; follow them, set Tor to start at boot, run "sudo apt-get update ; sudo apt-get upgrade" and use the default password, which is "changeme".
- Leave Whonix running, minimize it and return to the main VirtualBox Manager.
- With Whonix running and your main virtual machine powered off, open your reverse engineering virtual machine's settings in VirtualBox Manager. Go to Network -> choose Internal Network -> choose Whonix as the name and press OK to save.
- Now start your virtual machine again. Go to the network adapter settings and set the following:
IP address: 10.152.152.50
Subnet mask: 255.255.192.0
Gateway: 10.152.152.10
DNS server: 10.152.152.10
- Allow it to configure itself, and voilà!
Guess what? I'm thousands of miles away from the Netherlands and I can't speak Dutch (shame on me).
From now on, all applications running inside the virtual machine will use this IP. Also, if you want to change your Tor exit IP and Tor identity, I have created a shell script on the desktop (of the Whonix-Gateway, where Tor runs) which does it for you. Run "nano newip.sh" and paste the following:
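To confirm the guest can only reach the network through the Whonix-Gateway, the settings above can be checked programmatically rather than by eye. The following is an added example, not from the original post: a Python 3 script that parses "ipconfig /all" output and reports any adapter whose address, gateway or DNS servers do not match the values given above. The ipconfig output it parses is constructed for the example, not captured from a real machine, and IPv6 lines are not handled.

```python
"""Verify a Windows guest's adapters against the Whonix-Gateway settings and
flag any adapter that offers a path around it.  Added example, Python 3
standard library only; the ipconfig text below is constructed, not captured."""
import ipaddress
import re

# 10.152.152.50 / 255.255.192.0 as given above (normalizes to 10.152.128.0/18)
WHONIX_NET = ipaddress.ip_interface("10.152.152.50/255.255.192.0").network
WHONIX_GATEWAY = ipaddress.ip_address("10.152.152.10")   # also the DNS server

# Key lines in ipconfig output carry a dotted leader before the colon;
# indented lines without one are continuations of a multi-value key.
_KEY_LINE = re.compile(r"^\s+([^:]*?)\s*\.(?: \.)* ?:\s?(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {"ip", "mask", "gateway", "dns": [...]}} from ipconfig /all."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current, last_key = line.strip().rstrip(":"), None
            adapters[current] = {"ip": None, "mask": None, "gateway": None, "dns": []}
            continue
        if current is None:                 # "Windows IP Configuration" block
            continue
        m = _KEY_LINE.match(line)
        if m:
            last_key, value = m.group(1), m.group(2).split("(")[0].strip()
        else:
            value = line.strip()            # e.g. a second DNS server
        entry = adapters[current]
        if last_key == "IPv4 Address":
            entry["ip"] = value
        elif last_key == "Subnet Mask":
            entry["mask"] = value
        elif last_key == "Default Gateway" and value:
            entry["gateway"] = value
        elif last_key == "DNS Servers" and value:
            entry["dns"].append(value)
    return adapters


def check_whonix_config(adapters):
    """Return a list of findings; empty means every IPv4 adapter routes via the gateway."""
    findings = []
    for name, a in adapters.items():
        if a["ip"] is None:
            continue                        # no IPv4 address, nothing to route
        ip = ipaddress.ip_address(a["ip"])
        if ip not in WHONIX_NET or a["mask"] != str(WHONIX_NET.netmask):
            findings.append("%s: %s/%s is outside the Whonix network" % (name, a["ip"], a["mask"]))
        if a["gateway"] != str(WHONIX_GATEWAY):
            findings.append("%s: default gateway %s is not the Whonix-Gateway" % (name, a["gateway"]))
        if a["dns"] != [str(WHONIX_GATEWAY)]:
            findings.append("%s: DNS servers %s bypass the gateway resolver" % (name, a["dns"] or "unset"))
    return findings


# Constructed sample of "ipconfig /all" on a correctly configured guest.
GOOD_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : RE-VM
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   Physical Address. . . . . . . . . : 08-00-27-00-00-01
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.152.152.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.192.0
   Default Gateway . . . . . . . . . : 10.152.152.10
   DNS Servers . . . . . . . . . . . : 10.152.152.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Same guest with a host-only adapter left attached: a route around Tor.
LEAKY_IPCONFIG = GOOD_IPCONFIG + """
Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter #2
   Physical Address. . . . . . . . . : 08-00-27-00-00-02
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.56.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.56.1
   DNS Servers . . . . . . . . . . . : 192.168.56.1
                                       192.0.2.53
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_IPCONFIG), ("leaky", LEAKY_IPCONFIG)):
        print(label, check_whonix_config(parse_ipconfig(text)) or "OK")
```

On the guest you would feed it the real output with "ipconfig /all > ipconfig.txt" and check that the result is empty; an extra NAT or host-only adapter is the usual way an otherwise careful setup ends up with a direct route to the internet.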
#!/bin/sh
tor-ctrl -a /var/run/tor/control.authcookie -P 9051 -c "signal newnym"
Save the file on your desktop and make it executable (chmod +x newip.sh); from then on, just double-click it and you'll have a new identity.
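For anyone who wants to know what that one-liner does on the wire, here is the same exchange written out against Tor's control port in Python 3. It is an added example, not part of the original post: cookie authentication followed by SIGNAL NEWNYM, with a scripted stand-in for the control port (FakeControlPort, constructed here, reply text modelled on Tor's) so it runs offline, and a TcpControlPort class for the real port on 127.0.0.1:9051.

```python
"""The exchange behind `tor-ctrl -a <cookie> -P 9051 -c "signal newnym"`:
AUTHENTICATE with the cookie file, then SIGNAL NEWNYM.  Added example,
Python 3 standard library only.  FakeControlPort is a constructed stand-in;
TcpControlPort talks to a real control port."""
import socket

COOKIE_PATH = "/var/run/tor/control.authcookie"   # same file the script above uses


def send_command(port, command):
    """Send one command and read reply lines until the terminal "NNN " line.

    Returns (status_code, reply_lines); "250-..." lines are continuations."""
    port.sendall(command.encode("ascii") + b"\r\n")
    lines = []
    while True:
        raw = port.readline()
        if not raw:
            raise ConnectionError("control port closed the connection")
        line = raw.decode("ascii").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3]), lines


def new_identity(port, cookie):
    """Cookie authentication (the 32 cookie bytes sent as hex), then SIGNAL NEWNYM."""
    status, lines = send_command(port, "AUTHENTICATE " + cookie.hex())
    if status != 250:
        raise PermissionError("AUTHENTICATE failed: " + lines[-1])
    status, lines = send_command(port, "SIGNAL NEWNYM")
    if status != 250:
        raise RuntimeError("SIGNAL NEWNYM failed: " + lines[-1])
    return True


class TcpControlPort:
    """Real control port, e.g. 127.0.0.1:9051 on the Whonix-Gateway."""
    def __init__(self, host="127.0.0.1", port=9051):
        self.sock = socket.create_connection((host, port))
        self.rfile = self.sock.makefile("rb")

    def sendall(self, data):
        self.sock.sendall(data)

    def readline(self):
        return self.rfile.readline()

    def close(self):
        self.rfile.close()
        self.sock.close()


class FakeControlPort:
    """Scripted control port (constructed for this example) answering like Tor would."""
    def __init__(self, cookie):
        self.cookie = cookie
        self.authenticated = False
        self.signals = []
        self.pending = b""

    def sendall(self, data):
        cmd = data.decode("ascii").strip()
        if cmd.startswith("AUTHENTICATE "):
            try:
                ok = bytes.fromhex(cmd.split(" ", 1)[1]) == self.cookie
            except ValueError:
                ok = False
            if ok:
                self.authenticated = True
                self.pending += b"250 OK\r\n"
            else:
                self.pending += (b"515 Authentication failed: Authentication cookie "
                                 b"did not match expected value.\r\n")
        elif cmd == "SIGNAL NEWNYM" and self.authenticated:
            self.signals.append("NEWNYM")
            self.pending += b"250 OK\r\n"
        elif not self.authenticated:
            self.pending += b"514 Authentication required.\r\n"
        else:
            self.pending += b"510 Unrecognized command\r\n"

    def readline(self):
        line, sep, self.pending = self.pending.partition(b"\r\n")
        return line + sep

    def close(self):
        pass


if __name__ == "__main__":
    with open(COOKIE_PATH, "rb") as f:
        cookie = f.read()
    port = TcpControlPort()
    try:
        new_identity(port, cookie)
        print("new Tor identity requested")
    finally:
        port.close()
```

Note that NEWNYM only asks Tor to build new circuits for new connections; existing connections keep their circuit, so restart the tool whose exit IP you want changed.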
7) Take a snapshot with everything installed and configured and call it "Clean-Install". Now you can start analyzing all types of malware without worrying about your identity or the damage malware may cause.
I think we've covered it all. Please let me know your suggestions on Twitter, in the comments or by email.