Basic Dynamic Analysis


Computer Security

Analyzing Malware in Virtual Machines

Eng. Mahmoud Al-Hoby 1


Safe Malware Analysis
• Traditional malware analysis may not always yield satisfying results, and in many cases we need to run the malware in order to determine its functionality.

• But it's dangerous to run an unknown and potentially malicious piece of code on production machines, and therefore we must run the samples in a controlled environment.


Safe Malware Analysis
• A controlled environment can be either a physical or a virtual machine, but it's preferred to use a virtual machine, due to the scalability and the ability to create snapshots and restore them easily and quickly.


Structure of a Virtual Machine
• Virtual machines are like a computer inside a computer.

• A guest OS is installed within the host OS on a virtual machine, and the OS running in the virtual machine is kept isolated from the host OS.

• Malware running on a virtual machine cannot harm the host OS. And if the malware damages the virtual machine, you can simply reinstall the OS in the virtual machine or return the virtual machine to a clean state.


Creating Malware Analysis VM
• We simply need to create a virtual machine in which to analyze malware; however, we need to consider the following:
• Enough storage
• Suitable RAM
• Operating system
• VMware Tools
• Malware analysis tools
• Host-only networking


Host-Only Networking
• Commonly used for malware analysis, it usually creates a separate private LAN between the host OS and the guest OS.

• It is not connected to the Internet, which means that the malware is contained within your virtual machine but allowed some network connectivity.


Monitoring Malware Actions
• We must simulate all network services on which the malware relies. For example, malware commonly connects to an HTTP server to download additional malware.

• To observe this activity, we need to grant the malware access to:
• DNS server: to resolve the IP addresses that the malware needs to connect to.
• HTTP server: to monitor the actual requests/responses that the malware creates.


Taking Snapshots
• Using virtual machines, we have the advantage of snapshots, where a snapshot is a saved state of the system that can be restored anytime, similar to a Windows Restore Point.

• For example, we can create a snapshot before the execution of the malware, then some snapshots during the execution, and one final snapshot after the execution completes.
• This would help us understand every action and modification that the malware made to the system.

Taking Snapshots (VMware Workstation)


Malware Analysis in Virtual Machines
• Running and analyzing malware using virtual machines involves the following steps:
1. Start with a clean snapshot with no malware running on it.
2. Transfer the malware to the virtual machine.
3. Conduct your analysis on the virtual machine.
4. Take your notes, screenshots, and data from the virtual machine and transfer them to the physical machine.
5. Revert the virtual machine to the clean snapshot.

Basic Dynamic Analysis



Basic Dynamic Malware Analysis
• Dynamic analysis is any examination performed after executing malware.

• Its techniques are the second step in the malware analysis process, and are typically performed after basic static analysis has reached a dead end.

• It allows us to observe the malware's true functionality.


Basic Dynamic Malware Analysis
• It allows us to observe the malware's true functionality. For example, if the sample is a keylogger, then dynamic analysis would inform us about:
• The location of the keylogger's log file,
• The kinds of records it keeps,
• Where it sends its information,
• ...


Malware Sandbox
• A sandbox is a security mechanism for running untrusted programs in a safe environment without fear of harming "real" systems.

• A malware sandbox is an all-in-one product that can be used to perform basic dynamic analysis, and the most popular ones use sandbox technology.


Malware Sandbox
• Example Malware Sandboxes include:
• Norman Sandbox
• GFI Sandbox
• Anubis
• Joe Sandbox
• ThreatExpert
• BitBlaze
• Comodo Instant Malware Analysis



Malware Sandbox Drawbacks
• If the malware executable requires command-line options, it will not execute any code that runs only when an option is provided.

• It may not record all events, because the sandbox may not wait long enough.
• If the malware is set to sleep for a day before it performs malicious activity, you may miss that event.

• The sandbox environment OS may not be the correct target for the malware.
• For example, the malware might crash on Windows XP but run correctly on Windows 7.


Malware Sandbox Drawbacks
• Some malware can detect if it's running in a virtual machine, and if it does, the malware might behave differently; not all sandboxes take this issue into account.

• Some malware requires certain registry keys or files that might not be found in the sandbox.

• If the malware is a DLL, certain exported functions will not be invoked properly, because a DLL will not run as easily as an executable.

Running Malware
• Basic dynamic analysis techniques are useless without running the malware.

• The majority of malware will be either EXE or DLL files:
• EXE files: running them is simple; all we need is to double-click the malware. BUT
• DLL files: can be tricky to launch, because Windows doesn't know how to run them automatically.


Running Malware
• To run a DLL file, we can use the built-in Windows program rundll32.exe.

• The Export argument is the name of the function that we want to run.


Running Malware
• For example, if a DLL has two exported functions (Install, Uninstall), then we can run the Install function in the DLL by using this syntax:

C:\>rundll32.exe rip.dll, Install

where rip.dll is the DLL file that we want to run.


Monitoring with Process Monitor
• Process Monitor is an advanced monitoring tool for Windows that enables us to monitor certain registry, file system, network, process, and thread activity.

• It combines and enhances the functionality of two legacy tools: FileMon and RegMon.

• But it can't detect everything, and it shouldn't be used to monitor network activities.


Filtering in Process Monitor
• ProcMon supports different types of filters, which is useful for malware analysis, since we can specify the information that we're looking for.

• For example, we can filter for certain API calls, like RegSetValue, CreateFile, WriteFile, or any other suspicious or destructive calls.


Monitoring with Process Monitor
• ProcMon provides helpful automatic filters on its toolbar, which include:
• Registry: can tell if and how malware installs itself in the registry.
• File System: can show all files that the malware creates or the configuration files it uses.
• Process Activity: can tell you whether the malware creates additional processes.
• Network Activity: can show you any ports on which the malware is listening.
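The two filters described above (process name plus a set of suspicious operations) can also be applied offline to a saved ProcMon log, which is what the "review the ProcMon results" step of the analysis procedure amounts to. The following Python script is an added example, not part of these slides or of Process Monitor; it assumes the seven default columns of ProcMon's CSV export, and the rows it reads are constructed.

```python
"""Filter a Process Monitor CSV export the way ProcMon's filter bar does.

Added example, not part of the slides or of ProcMon. Assumes the seven
default columns of ProcMon's "Save as CSV" export; the rows are constructed."""
import csv
import io

# Constructed sample export (not a real capture): one benign process, the
# sample "rip.exe" dropping a file and registering it under the Run key.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1234","RegQueryValue","HKCU\Software\Foo","SUCCESS","Type: REG_SZ"
"10:01:03.2","rip.exe","4321","CreateFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:03.3","rip.exe","4321","WriteFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Offset: 0, Length: 40,960"
"10:01:03.4","rip.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Roaming\svc.exe"
"10:01:03.5","rip.exe","4321","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Control\ComputerName","SUCCESS","Type: REG_SZ"
"10:01:04.0","svchost.exe","800","CreateFile","C:\Windows\System32\config\SYSTEM","SUCCESS","Desired Access: Read"
'''

# The calls the slides single out as worth filtering for.
SUSPICIOUS_OPS = {"RegSetValue", "CreateFile", "WriteFile"}

def filter_events(csv_text, process_name, operations=SUSPICIOUS_OPS):
    """Rows from one process whose Operation is in `operations`: the same
    result as two ProcMon filters, "Process Name is X" and "Operation is Y"."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader
            if row["Process Name"].lower() == process_name.lower()
            and row["Operation"] in operations]

def summarize(rows):
    """Group matching rows by Operation and list the paths touched; these are
    the file and registry indicators an analyst records from the run."""
    summary = {}
    for row in rows:
        summary.setdefault(row["Operation"], []).append(row["Path"])
    return summary

if __name__ == "__main__":
    for op, paths in summarize(filter_events(SAMPLE_CSV, "rip.exe")).items():
        print(op, *paths, sep="\n    ")
```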


Viewing Processes with Process Explorer
• Process Explorer, free from Microsoft, is an extremely powerful task manager that should be running when you are performing dynamic analysis.

• It can provide valuable insight into the processes currently running on a system.


Viewing Processes with Process Explorer
• We can use Process Explorer to do the following:
• List all active processes and the DLLs loaded by a process,
• Access various process properties,
• View the overall system information,
• Kill a process,
• Log users out,
• Launch and validate processes.


Comparing Registry Snapshots with Regshot
• Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots.

• To use Regshot for malware analysis:
• First, take a shot by clicking the shot button,
• Then, run the malware and wait for it to finish making any system changes,
• Take a second shot by clicking the shot button,
• Finally, use the Compare function to compare the two snapshots.
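To make the comparison step concrete, here is an added Python example (not Regshot's own code) that parses two snapshots written in regedit export format and reports the same categories Regshot does: keys added or deleted, and values added, deleted or modified. Both snapshots are constructed; the second one shows the kind of Run-key persistence the comparison is meant to surface.

```python
"""Regshot-style comparison of two registry snapshots. Added example, not
Regshot's own code. Each snapshot is regedit export text (a [KEY] header
followed by "name"="data" lines); both snapshots below are constructed."""

def parse_reg_export(text):
    """Parse regedit-style export text into {key: {value_name: data}}."""
    snapshot, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snapshot.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            snapshot[key][name.strip('"')] = data.strip('"')
    return snapshot

def compare_snapshots(first, second):
    """Report the differences in Regshot's categories: keys added/deleted,
    values added/deleted/modified. Paths use a backslash like Regshot."""
    report = {"keys_added": [], "keys_deleted": [],
              "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(set(first) | set(second)):
        if key not in first:
            report["keys_added"].append(key)
        elif key not in second:
            report["keys_deleted"].append(key)
        old_vals, new_vals = first.get(key, {}), second.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name), new_vals.get(name)
            if old is None:
                report["values_added"].append(f"{key}\\{name}")
            elif new is None:
                report["values_deleted"].append(f"{key}\\{name}")
            elif old != new:
                report["values_modified"].append(f"{key}\\{name}: {old} -> {new}")
    return report

# Constructed snapshots: SHOT1 before running the sample, SHOT2 afterwards.
SHOT1 = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\lab\\AppData\\Local\\OneDrive.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"="1"
"""
SHOT2 = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\lab\\AppData\\Local\\OneDrive.exe"
"svc"="C:\\Users\\lab\\AppData\\Roaming\\svc.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"="2"
[HKEY_CURRENT_USER\Software\svc]
"id"="constructed-sample"
"""
```

Calling `compare_snapshots(parse_reg_export(SHOT1), parse_reg_export(SHOT2))` yields one key added, two values added and one value modified, with no deletions.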


Faking a Network
• Malware often communicates with a command-and-control server.

• We can create a fake network to quickly obtain network indicators, without actually connecting to the Internet.
• These indicators can include DNS names, IP addresses, and packet signatures.


Faking a Network - ApateDNS
• ApateDNS is a free tool from Mandiant (now FireEye), and it's the quickest way to see DNS requests made by malware.

• ApateDNS can spoof DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine.

• It responds to DNS requests with the DNS response set to an IP address you specify.
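What ApateDNS does on the wire, as an added Python example that is not ApateDNS itself: it parses the incoming query, echoes the question back with the response bit set, and attaches an A record for the spoof address, printing each queried name as a network indicator. The lab address 10.0.0.5 and the sample query are assumed; a Netcat listener on that address would then receive whatever the sample sends next.

```python
"""ApateDNS-style DNS spoofing for a host-only malware lab.

Added example, not ApateDNS's own code. Every A query is answered with the
spoof address, so the sample's lookups resolve to a host you control (e.g. a
Netcat listener), and each queried name is printed as a network indicator."""
import socket
import struct

def parse_qname(packet, offset=12):
    """Decode the QNAME at `offset` (RFC 1035 labels); return (name, end)."""
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_spoofed_response(query, spoof_ip, ttl=60):
    """Build the reply: same ID and question, QR/AA/RA set, one A record."""
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    flags = 0x8480 | (query[2] & 0x01) << 8   # QR=1 AA=1 RA=1, RD echoed
    answer = b""
    if qtype == 1 and qclass == 1:            # only A/IN queries get an answer
        # 0xC00C points at the name at offset 12; rdata is the 4-byte IP
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                  + socket.inet_aton(spoof_ip))
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer, name

# Constructed query: ID 0x1234, RD set, one question for example.com type A.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")

def serve(spoof_ip, bind="0.0.0.0", port=53):
    """Listen on UDP port 53 and spoof every query, logging the name asked for."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        reply, name = build_spoofed_response(data, spoof_ip)
        print(f"{peer[0]} asked for {name} -> answered {spoof_ip}")
        sock.sendto(reply, peer)

if __name__ == "__main__":
    serve("10.0.0.5")   # assumed lab address of the host running Netcat
```

Point the guest's DNS setting at the host running this script on the host-only network; binding to port 53 needs administrator rights.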


Faking a Network - Netcat
• Netcat is a networking program that can be used over both inbound and outbound connections for port scanning, tunneling, proxying, port forwarding, and much more.
• In listen mode, Netcat acts as a server, while in connect mode it acts as a client.

• Netcat takes data from standard input for transmission over the network. All the data it receives is output to the screen via standard output.


Faking a Network – Packet Sniffing with Wireshark
• Wireshark is an open source sniffer and packet capture tool that intercepts and logs network traffic.

• Wireshark provides visualization, packet-stream analysis, and in-depth analysis of individual packets.

• It can be used to analyze internal networks and network usage, debug application issues, and study protocols in action. But it can also be used to sniff passwords, reverse-engineer network protocols, steal sensitive information, and listen in on the online chatter at your local coffee shop.


Wrapping Basic Dynamic Analysis Up



Basic Dynamic Tools in Practice
• All the tools discussed in this chapter can be used in concert to maximize the amount of information gleaned during dynamic analysis.

• Now, let's take a look at all the tools discussed so far, as we present a sample setup for malware analysis.


Basic Dynamic Analysis Procedure
1. Run ProcMon, add a filter on the malware executable name, and clear out all events just before running the malware.
2. Start Process Explorer.
3. Use Regshot to create a first snapshot of the registry.
4. Set up a virtual fake network using ApateDNS and Netcat.
5. Set up network traffic logging using Wireshark.


Analysis Process
1. Examine ApateDNS to see if DNS requests were performed.
2. Review the ProcMon results for file system modifications.
3. Compare the two snapshots taken with Regshot to identify changes.
4. Use Process Explorer to examine the process to determine whether it creates threads or listens for incoming connections.
5. Review the Wireshark capture for network traffic generated by the malware.