وحدة 1
Setting up a malware analysis environment
آخر تحديث في: 23 أغسطس 2024
تعديل هذه الصفحة على GitHubوحدة 1
آخر تحديث في: 23 أغسطس 2024
تعديل هذه الصفحة على GitHubBefore you start analyzing any malware, you need to set up a safe environment to do so. Definitionally, malware does bad things to the systems it runs on. You do not want to run it on your primary system. Additionally, you likely will want to prevent the malware from actually making connections to the threat actor’s C&C (command and control) servers. Both of these mean that you should set up a virtual machine to use when performing malware analysis.
After completing this subtopic, the practitioner should be able to set up a virtual machine (VM) and take snapshots therein.
The exact setup you need depends on your analysis method and the operating system of the malware you’re analyzing. In most cases you can start with a pre-build linux VM like REMnux. See Chapter 6 of the Field Guide to Incident Response for Civil Society and Media for step-by-step instructions on how to configure it. For specific things (for example, dynamic analysis of iOS malware) you will need additional tools (for example, a jailbroken iPhone or iPad). VMs occasionally have vulnerabilities that allow software running in the VM to attack the host operating system. Most malware doesn’t even come close to this level of sophistication, but if in doubt, it’s safest to analyze malware on a separate physical device that is wiped afterwards.
To set up REMnux, we recommend that you follow the steps outlined in Chapter 6 of the Field Guide to Incident Response for Civil Society and Media and download the VM1. This is an easy way to start which provides excellent isolation between your host system and the REMnux environment. Be careful not to share sensitive data from your host OS into the VM. Per the instructions linked above, take a snapshot of your VM once it’s been set up, and before you start working on any malware. You can use snapshots to return your VM to a known-good state before analyzing different pieces of malware and to isolate different clients from each other. For more information on VM snapshots in general, see this article.
While performing malware analysis, you may find that you want additional tools in your analysis VM. Go ahead and install and configure them, but note what you did. After you’re done with your analysis, you can load up your “clean” VM snapshot, install and configure the tool, and then make a new “clean” snapshot for your next malware analysis adventure.
In order to move malware files around, the standard practice is to put them in encrypted ZIP files. In this case, the encryption quality doesn’t matter. The point is not to keep the malware secret, so much as to prevent inadvertently unleashing it on other systems and to prevent anti-malware systems from detecting or deleting it. Feel free to include the password in the ZIP file name.
Go to the folder which your virtual machine uses to share files between the host and guest operating systems. Add a file there and then compute a cryptographic hash of this file in both operating systems. Make sure that the hashes match.
Field Guide to incident response for civil society and media
FreeGuide on analyzing potentially malicious content, setting up virtual machines, and more.
REMnux
FreeWebpage for the REMnux Linux distro, widely used for malware analysis.
Get the virtual appliance
FreeGuide on installing and running REMnux as a virtual machine.
The difference between snapshots and backups
FreeArticle explaining the distinctions between VM snapshots and backups, crucial for managing and resetting VMs used in malware analysis.
REMnux is not available on ARM processors such as Apple Silicon computers. While it is possible to virtualize across CPU architectures using emulators such as QEMU or UTM (VirtualBox does not currently support ARM architectures), performance will be slow and is not advised. It would make more sense to select another Linux distribution which supports your hardware and install the necessary software packages to complete the activities, if they did not already come with the operating system. Kali Linux is a popular Linux distribution which will include or support many tools also found in REMnux. If you have an Apple Silicon device, you can use UTM (https://mac.getutm.app/)) to run the Apple Silicon (ARM64) Kali Installer image. Walkthrough guides are available from both UTM and Kali. At the time of writing, a bug affecting the installer process requires an additional step during installation of attaching a virtual serial terminal display – both walkthroughs describe this process. You can also obtain an ARM version of Kali for the Raspberry Pi, with most models of Raspberry Pi supported. ↩︎
تهانينا على انتهاء وحدة 1!
وسم المربع لتأكيد اكتمالك والمتابعة إلى الوحدة التالية.
يوسم الوحدة الحالية كمكتملة ويحفظ التقدم للمستخدم.
لقد أكملت جميع الوحدات في مسار التعلم هذا.