2. Creating VM for Malware Analysis

Virtual Machines

You do not want to analyze malware on the device where all our personal files and data are stored. For this reason, we need isolated devices for malware analysis.

You can install a virtual operating system inside your own device using virtualization softwares. In this way, you can create your isolated system without the need to purchase a physical device.

There are several virtualization environments that you can use for a fee or for free. The most popular of these are VMware Workstation by VMware and VirtualBox by Oracle company. Both virtualization softwares will meet your needs for analyzing malware.

There are some disadvantages of using the virtualization softwares.

• The virtual operating system you will install will not work as well as a physical computer since it runs on your main operating system.

• Since virtualization softwares are also software, vulnerabilities may arise in these softwares. A malware that exploits these vulnerabilities can escape from the virtual environment and infect your main operating system. For this reason, you may want to keep your virtualization software constantly updated!

• In order for virtualization software to work, it needs to install its own drivers into virtual operating systems and create various configuration files / registries. Malware can make analysis difficult by checking such indicators and checking whether it works in a virtual environment.

We will use the VMware Workstation product in this tutorial. Some features may differ.

Adjusting Virtual Machine

You should make the virtual operating system suitable for malware analysis, otherwise the malware can infect other devices in the same network.

1) Network Settings

In order to prevent the malware that we will analyze from infecting other devices on the network, we must change the network settings of the operating system we have installed from the virtualization software. We have to enter the "Network" settings from the settings section and select the "Custom" option here.

private1

• NAT: Allows you to access the Internet through the network interface of your physical device.

• Bridge: Allows you to access the internet by obtaining its own IP address from your modem like your physical device.

• Custom: It is included in the private network created by the virtualization environment. Internet access is not available in this option.

In order to prevent the malware we will run from spreading to other devices in the network, we must restrict the network access of our virtual operating system, so we should choose the "Custom" option.

2) Disable Anti-Virus Software

We need to disable anti-virus software to prevent anti-virus software from interfering to our analysis by blocking or removing the malware we want to analyze.

3) Disable Updates

Malware may be exploiting various vulnerabilities. During our dynamic analysis, we must prevent our virtual operating system from receiving security updates so that the malware can successfully exploit such vulnerabilities and continue to run. For this reason, we must disable the automatic update option of our operating system.

4) Disable Hidden Extensions

By default, known file extensions are hidden in the Windows operating system. We need to disable this feature in order to see the exact name of the file we want to analyze.

private2

5) Disable Hidden Files and Folders

Hidden files are not displayed by default in the Windows operating system. Malware makes it difficult to detect by taking advantage of this feature. In order to see what is happening in the file system exactly, we need to disable this feature.

private3

Snapshots

When we run malicious software, it makes various changes on the system. If you do not revert the operating system to its original state, you may confuse it with the malware you used to run while analyzing a new malware.

It will be very difficult to install a new virtual operating system every time we want to analyze malware. The Snapshot feature of virtualization software makes our job very easy.

private4

When you take a snapshot of your virtual device through the virtualization environment, it saves the current state of the device. You will then return to this snapshot and restore the device.

After installing the necessary tools for malware analysis, you can take a snapshot and return to this snapshot after the analyzing malware and return original state of the operating system.

List of Virtual Appliances and Operating Systems for Malware Analysis

• FLARE VM (Windows)

• REMnux - Virtual Appliance (Linux)

• SIFT Workstation by SANS (Linux)