Basic Malware Analysis And Removal Part 1: Setting up a Virtual Environment

Posted 5/9/2010 10:07:23 PM

For many computer users, identifying and removing malicious software (malware) is something that they consider to be too complex or out of reach. Furthermore, actually practicing removal techniques can be difficult unless you have a spare computer that you don't mind reformatting over and over just to test out a new malware program. With the advent of virtualization software and free tools, these problems are a thing of the past. In this article, I will teach you how to set up a new Virtual Machine (VM) and how to go about setting up Disk "Snapshots" so you don't have to reformat your VM every time you want to undo any changes you have made.

Step 1: Install VirtualBox and acquire a Windows Installation ISO file

While there are many different Virtual Machine host programs, I have found that VirtualBox is extremely easy to use, has all of the necessary features, and is also free. The latest version of VirtualBox can be downloaded for pretty much any platform at http://www.virtualbox.org/wiki/Downloads. Download and install the software. Once the installation is complete, run VirtualBox. You should see a window that looks like this:

Virtual Box Main Window

One caveat to this process is that you will need a Windows ISO file and a license key (if applicable). I do not condone software piracy, so wherever you acquire these from is up to you. Depending on your version of Windows you may be able to legally install it on both a physical computer and a Virtual machine, but check your license agreement for details. Once you have your ISO file, put it somewhere where you can find it easily (I usually use the desktop).

Step 2: Create a new Virtual Machine and a Virtual Hard Disk

Next, we will create the actual Virtual Machine and the associated Virtual Hard Disk. This is similar to going out and buying a new computer and a new hard drive. Once we have created this, we can then proceed to install our copy of Windows to it. Go ahead and click on the "New" button on the upper left, or click the "Machine" menu and select "New." The New Machine Wizard should open:

New Machine Wizard

Click on the "Next" button. You will have to choose a name for your Virtual Machine. For this tutorial I will call it "Test." Select the Operating System (in this case Microsoft Windows) and then the Version of Windows (for me it's Windows XP, it might be something different for you). Here's what my window looked like:

Virtual Machine Information

Click "Next" and choose the amount of memory you would like to assign to the Virtual Machine. Note that the source of this memory is the installed memory on your physical machine, so plan accordingly. VirtualBox will recommend an amount based on the OS you have chosen, and the slider changes color from green to yellow to red depending on how much of your available memory you have assigned to the virtual machine. Assign as much as you can, but remember that you will want to be able to use your physical machine as well. For my VM I have assigned it 1/4 of my total physical memory, or ~2GB:

Memory Selection

Now we have set up the new "Computer," but it does not yet have a hard drive. Click "Next" and you will see the Virtual Hard Disk setup screen. Leave the settings the way they are and click "Next." This will open the Virtual Hard Disk Wizard:

Virtual Hard Disk Wizard

Click "Next." For Virtual Hard Drives, VirtualBox (and pretty much all VM programs) gives you two choices: Dynamically Expanding or Fixed storage. When the VM software saves the contents of the Hard Drive for your Virtual Machine, it does so in a single file. The difference between the two options is how the file is saved on your computer. Dynamically expanding storage means that you set a virtual hard drive capacity and this is what is reported to the "Guest" operating system, but the actual file on your physical computer is only as large as the "Used" space on the Guest Hard Drive. If you choose Fixed storage, the file size on your physical computer is the same as the capacity of the Virtual hard drive. I always use dynamic expansion as this allows me to save more room on my physical hard drive. Go ahead and click "Next." The Location and Size options are displayed:

Location and Size options

For the Location, you will see the name you selected for your Virtual Machine. In my example, it is Test. You do not have to change this. VirtualBox selects a recommended capacity based on the OS you selected in the beginning. Remember that this is not the size of the file on your computer unless you selected Fixed size for the Virtual Hard Disk storage type. I recommend keeping the suggested capacity, which is 10 GB for Windows XP. Click "Next," and then click "Finish" twice. Your Virtual Machine is now created and should be shown in the VirtualBox main window:

Main Window with a Virtual Machine

We now have a new Virtual Machine and Hard Disk, but no Operating System loaded onto it.

Step 3: Installing the Guest Operating System from the ISO file

In order to install the OS we have selected, we need to tell the Virtual Machine that our ISO file is the "Disc" inserted into the CD/DVD drive on the Virtual Machine. Make sure your new virtual machine is selected and click on the "Machine" menu and select "Settings." Click on the "Storage" option on the left and finally click on the option called "Empty" with the CD icon next to it. Your screen should look like this if you're lost:

CD Settings

From there, we need to tell the Virtual Machine that the CD drive is not "Empty." Click on the folder icon next to the "CD/DVD Device" option to open up the "Virtual Media Manager" window:

Virtual Media Manager

Click the "Add" button on the top left or click the "Actions" menu and select "Add." Navigate to where you stored your ISO file, select it, and click "Open." The ISO file will now show up in the Virtual Media Manager. Click the "Select" button on the bottom right to choose the ISO and close the Virtual Media Manager. If you did everything correctly, you should be back at the settings page for your virtual machine, and the CD Drive should no longer be "Empty"; it should show the name of your ISO file:

VM with ISO selected

If your settings look the same (an ISO file instead of "Empty"), go ahead and click "OK." If not, go back and try the previous steps again. You should be at the main window. Go ahead and select your Virtual Machine and click the "Start" button on the upper left, or go to the "Machine" menu and select "Start." This will boot up your Virtual Machine. A new window will open and you will see...a notice:

Auto Capture turned on

This dialog is informing you that you have the "Auto capture keyboard" option turned on. In short, whenever you click on the VirtualBox window for your Virtual Machine (which you will see in a moment), the mouse and keyboard input will only go to that window. You could try to move your mouse out of the window all day and it won't leave the window. This is normal, and we will fix it later so you can move your mouse in and out of the Window. For now, whenever you have to type into the Virtual Machine window or have to move the virtual mouse, simply click on the window and it will "Capture" your input. To leave the window (that is, to work on your physical machine), simply press the Control key on the right hand side of your keyboard (it's important that you use the one on the right; the left one will not work). I recommend clicking the "Do not show this message again" checkbox and then clicking "OK." You will now see the VirtualBox BIOS screen (note that it should be in color, not grayscale; I had to play games with it to get a screenshot):

VirtualBox BIOS

If your ISO file is loaded correctly and everything goes well, you should now get the setup screen for your copy of Windows. When you click on the window for the first time, you will get another notice window:

Capture Warning

This message is simply alerting you that you are going to "Capture" your input to the screen. As I explained previously, this is ok as long as you understand that you must press the Right Control key on the keyboard to leave the Virtual Machine window. Go ahead and click the "Do not show this message again" checkbox and click Capture. I am going to assume that you know the steps for installing your copy of Windows at this point. If not, Google is your friend, as Windows installation is outside the scope of this article. The installation process is the same as it is for any other computer.

Step 4: Install Windows Updates and VirtualBox Guest Additions

Once you have Windows installed, I recommend running Windows Update and getting the latest updates. If you are using this machine for Malware testing and want to observe samples that exploit old bugs in Windows, you may not want to do so; in that case, I would recommend turning Windows Update off. Once you have performed your updates, you should then install "VirtualBox Guest Additions." These tools expand the capabilities of your VM by allowing things such as file sharing between the VM and the host computer, and they remove the need to "Capture" the input every time you click on the Window. Another great feature is that the screen resolution of the VM will adjust to the size of the window you put it in. To install the additions, make sure you have your VM open and running, open the "Devices" menu, and select the last entry, "Install Guest Additions":

Guest Additions menu item

The installation wizard should open up inside of your Virtual Machine (The Guest Additions installer is located on an ISO file which gets loaded into your VM's "CD Drive" and auto-executed by Windows, so no real magic is occurring here, but it sure looks like it). Complete the installation wizard and then restart your Virtual Machine. You will get a dialog box telling you that the VM supports "Mouse Pointer Integration." Basically you don't have to click the Right Control key anymore to switch from the VM to your computer. Click "Do not show this message again" and close the dialog. You will now be able to move your mouse freely from the VM to your computer and back without a problem.

Step 5: Install your Software and create a Snapshot

Now that you have a working VM, go ahead and install any software that you may want to use in the VM. Also go through and configure any settings for Windows or any applications at this time. The goal is to get the VM into a configured state so that we can take a "Snapshot" of it. VirtualBox has the ability to undo any changes you made to your VM while it was running and restore it to the state it was in when you took the last "Snapshot." This is very useful when testing Malware, as the system does not have to be reformatted, simply rolled back to the last Snapshot. Once you have Windows configured the way you want, go ahead and shut it down. Once the machine is shut down, click on the "Snapshots" tab on the main window:

Snapshots

Go ahead and click on the camera icon in the top center of the screen. The "Take Snapshot" dialog opens. Create a name for the snapshot and give it a description. I named mine "Clean Install" and gave it a fitting description:

Snapshot information

Click "OK." You will return to the main window. From here, you can see that your snapshot was created along with a "Current State." The current state represents any changes made since the snapshot was taken. From now on, when closing a Virtual Machine, you can simply open the "Machine" menu and select "Close." There will be an option to restore the previous snapshot, which will undo anything you have changed on the VM since that snapshot was taken.
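The whole procedure above (Steps 2 through 5), as an added example that is not part of the original post: the same steps driven with VBoxManage, the command-line tool that ships with VirtualBox, so a clean analysis VM can be rebuilt, snapshotted and rolled back without clicking through the wizards. It assumes VBoxManage is on your PATH and that you supply the path to your own Windows ISO; the VM name "Test", the ~2 GB of memory, the 10 GB dynamically expanding disk and the "Clean Install" snapshot name mirror the post. One thing it adds that the post does not cover: it disconnects the guest's network adapter, which a machine that will run malware should have off by default. The DRY_RUN switch and the function names are mine, not VirtualBox's.

```shell
#!/bin/sh
# Added example (not from the original post): VirtualBox analysis VM
# set up from the command line with VBoxManage. Set DRY_RUN=1 to print
# the VBoxManage commands instead of executing them.

# Run a command, or just print it when DRY_RUN=1 (helper, my own name).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_analysis_vm NAME ISO [MEMORY_MB] [DISK_MB] [Standard|Fixed]
# Creates the VM and a virtual disk, attaches the disk and the install
# ISO to a virtual IDE controller, and isolates the guest from the network.
build_analysis_vm() {
    name="$1"
    iso="$2"
    mem="${3:-2048}"          # ~2 GB, as in the post
    disk="${4:-10240}"        # 10 GB, VirtualBox's suggestion for Windows XP
    variant="${5:-Standard}"  # Standard = dynamically expanding, Fixed = preallocated
    vdi="${VBOX_DISK_DIR:-.}/$name.vdi"

    if [ -z "$name" ] || [ -z "$iso" ]; then
        echo "usage: build_analysis_vm NAME ISO [MEMORY_MB] [DISK_MB] [Standard|Fixed]" >&2
        return 1
    fi
    # Only check for the ISO when we are really going to use it.
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -f "$iso" ]; then
        echo "ISO not found: $iso" >&2
        return 1
    fi

    run VBoxManage createvm --name "$name" --ostype WindowsXP --register
    run VBoxManage modifyvm "$name" --memory "$mem"
    # A malware sandbox should not reach the LAN or the Internet by default.
    run VBoxManage modifyvm "$name" --nic1 none
    run VBoxManage createhd --filename "$vdi" --size "$disk" --variant "$variant"
    run VBoxManage storagectl "$name" --name "IDE Controller" --add ide
    run VBoxManage storageattach "$name" --storagectl "IDE Controller" \
        --port 0 --device 0 --type hdd --medium "$vdi"
    # The ISO plays the role of the disc in the virtual CD/DVD drive.
    run VBoxManage storageattach "$name" --storagectl "IDE Controller" \
        --port 1 --device 0 --type dvddrive --medium "$iso"
}

# After Windows is installed: swap the install ISO for the Guest Additions
# ISO that ships with VirtualBox ("additions" is a VBoxManage keyword).
attach_guest_additions() {
    run VBoxManage storageattach "$1" --storagectl "IDE Controller" \
        --port 1 --device 0 --type dvddrive --medium additions
}

# Take the "Clean Install" snapshot once the guest is configured and shut down.
take_clean_snapshot() {
    run VBoxManage snapshot "$1" take "${2:-Clean Install}" \
        --description "Windows installed and configured; no samples run yet"
}

# Roll the VM back to the named snapshot, discarding everything changed since.
rollback() {
    run VBoxManage snapshot "$1" restore "${2:-Clean Install}"
}

# Usage (real run, assumes winxp.iso is your own install media):
#   build_analysis_vm Test ./winxp.iso
#   ...install Windows in the GUI, then...
#   attach_guest_additions Test
#   ...install Guest Additions, configure, shut down, then...
#   take_clean_snapshot Test
#   rollback Test            # after each sample
```

Each function wraps one stage of the post, so after a sample has been run you only need `rollback Test` to get the "Clean Install" state back. Newer VirtualBox releases also accept `createmedium disk` in place of `createhd`; both work. If you later enable shared folders through Guest Additions, keep them read-only or detach them before running anything, since the guest can write to them.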

Conclusion

We have covered a lot of ground here, from installing VirtualBox to configuring a new Virtual Machine with Snapshots. I hope this was informative to you, and please let me know if you have any comments, questions, concerns, etc. in the comment section below. Thanks for reading and stay tuned for Part 2 of the Malware Analysis series!

-Ryan
