Building Your Malware Lab: A Guide to Safely Obtaining and Analyzing Malware Samples
Malware Handling
I discussed some general options for building a home lab in an earlier blog article, but I wanted to write a follow-up walking through my malware analysis setup and the methods I use to obtain samples for analysis. It should go without saying, but performing malware analysis carries inherent risk. When you analyze malware you are making the conscious decision to download, and in some cases run, malicious files, so it is imperative that you always follow industry best practices to limit the risk to your own systems. Below are a few best practices I use for handling malware:
When storing or transporting samples, keep them in password-protected zip files. Analysts typically use "malware" or "infected" as the password. This makes it impossible to run a sample by accidentally clicking on it. Zipping the files also limits the risk of your antivirus or other security solution flagging and quarantining the sample.
As an additional precaution, you can give the file an unused extension such as ".malz". Windows uses the file extension to decide how to open or run a file, so a .malz file will not execute if you double-click it by mistake.
If you are analyzing Linux files, removing the executable permission (chmod -x) is a good practice. Re-enable it only when you are ready to perform dynamic analysis.
Before performing dynamic analysis I always do a second check that my virtual machine is disconnected from the internet and that the interface it uses is set to host-only. (I cover this configuration setting in more detail below.)
When you first start analyzing samples, working with live malware can be nerve-racking, but as you get more reps in it is important to keep handling them with the same caution and not become complacent.
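The storage steps above (hash the sample, rename it to a non-executable extension, pack it into a password-protected zip) as a PowerShell script for the FLARE VM. This is an added example, not code from the original article; it assumes 7-Zip is installed at its default path, that the conventional password "infected" is used, and that $SamplePath is a file you have already downloaded into the VM.

```powershell
# Added example (not part of the original article). Stages a downloaded sample
# for storage: hash it, rename it to .malz so a stray double-click does nothing,
# and pack it into a password-protected zip that AV is far less likely to quarantine.
# Assumptions: 7-Zip at the default path, password "infected", run inside the analysis VM.
param(
    [Parameter(Mandatory = $true)][string]$SamplePath,
    [string]$Password = 'infected',
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SevenZip)) {
    throw "7-Zip not found at $SevenZip"
}

# Hash first so the archive name and the renamed file are both keyed to the sample's content.
$sha256 = (Get-FileHash -LiteralPath $SamplePath -Algorithm SHA256).Hash.ToLower()
$dir    = Split-Path -LiteralPath $SamplePath -Parent
$malz   = Join-Path $dir "$sha256.malz"
$zip    = Join-Path $dir "$sha256.zip"

# .malz has no registered handler on Windows, so double-clicking it will not execute it.
Rename-Item -LiteralPath $SamplePath -NewName (Split-Path -Path $malz -Leaf)

# a = add to archive, -tzip = zip format, -p<password> = encrypt with the given password.
& $SevenZip a -tzip "-p$Password" $zip $malz | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# Test that the archive opens with the password before removing the loose copy,
# so a bad archive never leaves you with nothing to analyze.
& $SevenZip t "-p$Password" $zip | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Archive verification failed for $zip" }

Remove-Item -LiteralPath $malz
Write-Output "Stored $zip (SHA256 $sha256, password '$Password')"
```

Keep the SHA256 with your notes; it is the value you will look up in repositories and open-source reporting when comparing your findings with others'.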
Configuring Your Lab
As I discussed in the previous article, you have a few options for hosting your lab: the cloud, VMware, VirtualBox, or another virtualization technology. Use whatever you are comfortable with. I am going to quickly run down the virtual machines I use in my own setup.
I personally like to use FLARE VM. FLARE VM is an excellent reverse engineering virtual machine created by Mandiant. It is built on Windows and installs a wide variety of tools used for reverse engineering and malware analysis. The tools are installed in folders grouped by function, so it is easy for new analysts to browse the tools and quickly identify what each one is used for.
I think FLARE VM is a great starting point and will provide most of the tools you need. Depending on the type of malware you are analyzing, however, it is not always the best VM to use. Some malware is designed to target a specific operating system, and if you want to see its full capabilities you may need to run it on an older version of Windows, or on Linux or macOS. In those cases it is useful to analyze the sample on a matching version of Windows or, for Linux malware, on a Linux host, but generally speaking you can accomplish most of your analysis using FLARE VM.
The second VM I set up is REMnux. I primarily use it to provide fake network services during dynamic analysis, but REMnux has a variety of additional malware analysis tools built in as well.
In terms of the virtual machine configuration, I set the network adapter to host-only before performing the analysis. This disconnects the virtual machine from the internet and reduces the risk of the malware escaping from the virtual machine onto your home network. If you want a more thorough explanation of the host-only feature, I would recommend reading VMware's own documentation on it.
Next, in order to perform dynamic analysis, I manually configure the networking on my FLARE VM. I copy its currently assigned IP address, set the network configuration panel to static, and then enter that IP address again manually. Then I take the IP address assigned to my REMnux VM and set it as both the gateway and the DNS server for the FLARE VM. With this configuration, all traffic leaving the FLARE VM goes to the REMnux VM. When we start performing dynamic analysis, we will set up fake network services with INetSim and FakeDNS there to log the traffic.
Finally, once the virtual machines are configured with all the right tools, I always take a snapshot of each in a clean state. That way, once you are done analyzing a sample, you can revert the virtual machine to the clean snapshot and move on to the next sample.
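The FLARE VM network configuration described above (keep the current address but make it static, point the default gateway and DNS at REMnux, then verify the "second check" before dynamic analysis), as a PowerShell script. This is an added example, not code from the original article or from the FLARE VM project; it assumes the host-only adapter inside the VM is named "Ethernet0", the host-only subnet is a /24, REMnux sits at 192.168.56.20, and the script runs from an elevated PowerShell prompt.

```powershell
# Added example (not part of the original article). Pins the FLARE VM's routing
# and DNS to the REMnux VM on the host-only network. Assumptions: adapter name
# "Ethernet0", /24 host-only subnet, REMnux at 192.168.56.20, run as Administrator.
param(
    [string]$Adapter      = 'Ethernet0',
    [string]$RemnuxIp     = '192.168.56.20',
    [int]   $PrefixLength = 24
)

$ErrorActionPreference = 'Stop'

# Step 1: read the address the VM currently holds (skip link-local/APIPA, which is PrefixOrigin WellKnown).
$current = Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
           Where-Object { $_.PrefixOrigin -ne 'WellKnown' } | Select-Object -First 1
if (-not $current) { throw "No IPv4 address found on $Adapter" }
$staticIp = $current.IPAddress

# Step 2: switch the adapter to static and drop the DHCP-assigned address and default route.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Step 3: re-enter the same address statically with REMnux as the default gateway...
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $staticIp `
                 -PrefixLength $PrefixLength -DefaultGateway $RemnuxIp | Out-Null
# ...and as the only DNS server, so every lookup the sample makes lands on FakeDNS.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $RemnuxIp

# Step 4: the "second check" before dynamic analysis: the only way out must be REMnux.
$gw  = (Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0').NextHop
$dns = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses
if ($gw -ne $RemnuxIp -or ($dns -join ',') -ne $RemnuxIp) {
    throw "Routing is not pinned to REMnux (gateway=$gw dns=$($dns -join ','))"
}
Write-Output "FLARE VM $staticIp -> gateway and DNS $RemnuxIp on $Adapter"
```

The hypervisor-side step (setting the adapter type to host-only) still has to be done in VMware or VirtualBox; this script only makes the guest's own configuration consistent with it and fails loudly if it is not.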
Getting Malware Samples
Now that you have a malware lab set up, you may be wondering, "How do I get malware samples to analyze?" That is a great question. Fortunately for us, there are a variety of online malware repositories that categorize and store samples. Some will let you download them for analysis for free, and others require an account or an enterprise subscription. I will list a few of my personal favorites below, but there are many repositories out there. Many of them have tagging features that let you search for specific samples while you are learning. I personally like to find samples someone has blogged about or that have a lot of open source reporting, then walk through the sample myself and compare notes. I think that is a great way to learn and build confidence in your skills.
Remember, if you decide to download any files, always put your own safety first. Happy reversing!