
2. Preparing the Lab

Learn about the importance of a safe lab environment for malware analysis, including isolation methods, advantages, and disadvantages of using physical machines and virtual machines, and networking options. Discover how virtualization software like VirtualBox and VMWare can enhance the analysis process.

amichelle


Presentation Transcript


  1. 2. Preparing the Lab: Malware Analysis

  2. Need for a Safe Lab Environment
  • An isolated environment prevents the sample from infecting production systems
  • The malware under analysis can behave unpredictably
  • Isolation is required for both static and dynamic analysis
  • Two typical lab environments:
    • Physical machines on an air-gapped network
    • Virtual machines

  3. Using Physical Machines
  • Advantages
    • The sample runs on the actual hardware and OS it was designed for, which limits anti-analysis behavior
    • Physical machines are isolated by placing them on an air-gapped network: no link to the internet or to any other networked computer
    • Avoids the VM-detection anti-analysis techniques that a virtual machine can trigger
  • Disadvantages
    • Once a system is infected, cleaning it is difficult and/or time consuming; in practice the disk is reimaged from a known-good image rather than disinfected
    • Requires more hardware and a dedicated, physically separate network setup

  4. Using Virtualization
  • Virtual machines (VMs) let a host operating system (OS) run multiple instances of a guest OS
  • This can be thought of as a computer running within another computer
  • Virtual machines can be isolated from the host OS, which allows for safe and convenient malware analysis
  • However, guest-to-host escape vulnerabilities have been found in hypervisors, so the isolation is not absolute: keep the virtualization software patched

  5. Virtual Machines
  • Advantages
    • Allow the creation and use of multiple OSes within a single host
    • Snapshots of the guest OS allow rapid restoration of a previous state
  • Disadvantages
    • Misconfiguration (bridged networking, shared folders, shared clipboard) can allow malware to infect the host or other systems on the network
    • Taxing on hardware; requires adequate host CPU, memory and disk performance
    • Vulnerabilities have been found that allow a guest-to-host escape
    • Malware may detect that it is running in a VM and alter or suppress its behavior (the anti-analysis behavior noted in slide 3)

  6. Virtualization Software
  • VirtualBox
    • Maintained by Oracle
    • Released under GPL version 2; there is no license cost
    • Provides the ability to snapshot VMs
    • Available at: www.virtualbox.org/wiki/Downloads

  7. Virtualization Software
  • VMWare offers multiple products
    • Workstation Player: free for non-commercial use, with limitations such as the inability to create snapshots (a significant drawback for the rollback workflow described below)
    • Workstation Pro: runs on Linux and Windows hosts; requires a license
    • Fusion: runs on Mac OS X hosts; requires a license

  8. Networking a VM
  • Several networking options are available to a VM; they typically consist of the following:
    • Network adapter not connected
    • NAT
    • Bridged
    • Host-only

  9. Networking a VM – Configuration Options
  • Host-only
    • A private LAN between the guest and the host OS
    • Gives the malware some networking capability (it can talk to the host and to other guests on the same host-only network) but no access to other systems on the host's physical network or to the internet
    • Virtual network adapters are created between the host and guest; the physical network is not used
    • Caveat: any service listening on the host's host-only adapter is reachable from the guest, so keep host services off that interface or firewall it

  10. Networking a VM – Configuration Options
  • NAT
    • A virtual DHCP server assigns the VM an IP address on a private network
    • The VM gets network (and internet) access through the host OS; both systems share a single identity outside the private LAN, so this is not isolation
  • Bridged
    • Connects the VM directly to the physical network through the host's network adapter; the guest appears as its own machine on the LAN and can reach (and attack) everything the host can

  11. Snapshots
  • Provide a convenient way to save the state of a virtual machine
  • Ideal setup: install the OS, configure all tools and the network (isolated, as above), then take a snapshot
  • This becomes your clean baseline snapshot
  • Next, execute the malware you want to analyze
  • Roll back to the clean-state snapshot when done and you are ready to repeat
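As an added example (not part of the slides), the POSIX shell script below drives a VirtualBox guest through the cycle slides 8 through 11 describe: put the adapters in host-only mode, audit the configuration, take the clean baseline snapshot, detonate, then roll back. It uses only documented VBoxManage subcommands. The guest name `analysis-guest`, the host-only interface `vboxnet0`, the snapshot name `clean-baseline` and the two `showvminfo` fragments are assumptions or constructed test data, not captured from a real VM; `--clipboard-mode` is the VirtualBox 6.1+ spelling of the flag (older releases call it `--clipboard`).

```shell
#!/bin/sh
# Added example: isolate -> audit -> snapshot -> detonate -> roll back for a
# VirtualBox analysis guest.  Names below are assumed placeholders.
VM="${VM:-analysis-guest}"              # assumed guest name
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"  # assumed host-only adapter (Linux/macOS naming)
BASELINE="${BASELINE:-clean-baseline}"  # assumed snapshot name

# Audit a `VBoxManage showvminfo <vm> --machinereadable` dump read from stdin.
# Prints one line per unsafe setting and returns non-zero if any were found:
# an adapter that is NAT/bridged/internal (reaches beyond the host-only LAN),
# a shared folder (a path into the host filesystem), or clipboard /
# drag-and-drop enabled (guest-to-host data channels).
audit_vm_config() {
  awk -F'=' '
    function val(s) { gsub(/"/, "", s); return s }
    BEGIN { bad = 0 }
    /^nic[0-9]+=/ {
      mode = val($2)
      if (mode != "none" && mode != "null" && mode != "hostonly") {
        print "unsafe adapter: " $0; bad = 1
      }
    }
    /^SharedFolderNameMachineMapping[0-9]+=/ { print "unsafe shared folder: " $0; bad = 1 }
    /^clipboard=/   { if (val($2) != "disabled") { print "unsafe clipboard: " $0; bad = 1 } }
    /^draganddrop=/ { if (val($2) != "disabled") { print "unsafe drag-and-drop: " $0; bad = 1 } }
    END { exit bad }
  '
}

# Slide 9 layout: NIC 1 on the private host-only LAN, the other adapters
# disabled, guest-to-host data channels switched off.
isolate_vm() {
  VBoxManage modifyvm "$VM" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF" \
                            --nic2 none --nic3 none --nic4 none
  VBoxManage modifyvm "$VM" --clipboard-mode disabled --draganddrop disabled
}

# Slide 11 baseline: only snapshot a configuration that passed the audit.
take_baseline() {
  VBoxManage showvminfo "$VM" --machinereadable | audit_vm_config || {
    echo "refusing to snapshot: fix the settings listed above" >&2; return 1; }
  VBoxManage snapshot "$VM" take "$BASELINE" --description "clean, tools installed, host-only NIC"
}

# Detonate, then discard everything the sample did by restoring the baseline.
run_sample_and_rollback() {
  VBoxManage startvm "$VM" --type gui   # analyst works inside the guest
  printf 'press Enter when the analysis run is finished: '; read -r dummy
  VBoxManage controlvm "$VM" poweroff
  VBoxManage snapshot "$VM" restore "$BASELINE"
}

# Constructed showvminfo fragments for offline testing (not real VM output).
SAMPLE_SAFE='nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
clipboard="disabled"
draganddrop="disabled"'

SAMPLE_UNSAFE='nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"
SharedFolderNameMachineMapping1="samples"
clipboard="bidirectional"
draganddrop="disabled"'

# Only talk to VirtualBox when it is installed and the caller asks for it;
# `audit` mode checks whatever dump is piped in.
if [ "${1:-}" = "run" ] && command -v VBoxManage >/dev/null 2>&1; then
  isolate_vm && take_baseline && run_sample_and_rollback
elif [ "${1:-}" = "audit" ]; then
  audit_vm_config
fi
```

Run `sh lab.sh run` on the analysis host to perform one full cycle, or `VBoxManage showvminfo analysis-guest --machinereadable | sh lab.sh audit` to check an existing guest before detonating anything. The audit is the practitioner's check for the misconfiguration risk in slide 5: a single bridged or NAT adapter, shared folder or bidirectional clipboard silently turns the "isolated" guest into a path to the host or the LAN.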
