Before we start analyzing malware infections, we should set up an analysis environment. Collected IoCs and malware samples can and will harm your computer, as well as put your data at risk. This analysis environment will host all the analysis tools used to perform static and dynamic analysis on the malware. Let’s learn how to set up a malware analysis environment.
The first concept is sandboxing. That means the malware sample is analyzed in a separate environment where the infection cannot corrupt any data. To be more precise, the goal is to isolate computer viruses from important data and networks. It is like having a separate computer that contains no sensitive or personal data and has no network connection, making it impossible for malware to perform lateral movement and spread to other computers.
In this modern age with powerful computers, sandboxing can be achieved by leveraging virtualization. Using dedicated software solutions like VirtualBox or VMware Workstation, we’ll be able to set up a virtual machine for malware analysis inside your physical machine. It is advisable to use a separate computer as the host for this virtualized environment; this way, the risk of infection is reduced considerably.
Another benefit of using virtualization is also the concept of snapshotting. This offers the capability to revert to a clean analysis machine after a virus infection by taking a snapshot of the clean VM. Snapshotting can also be used during analysis if we want to save the state of a computer infection so we can roll back to it and test out different scenarios.
For virtualization, you can choose between VirtualBox, which is free, and VMware Workstation.
Now we need an operating system for your virtual machine: Ubuntu Linux. All that is needed now is to set up VirtualBox or VMware Workstation and install Ubuntu. Please note that we’ll be using both Windows and Linux as part of the analysis workflow.
Isolate The Malware From The Production Network
Suppose we have your sandbox workstation connected to the network. In the same network, we have hosted file servers, web servers, and other computers. Your sandbox machine might become compromised, and the computer virus might gain the ability to execute malicious commands on your system. Unfortunately, the damage does not stop here. Some advanced types of viruses, depending on the level of access gained on your analysis computer, can spread to other computers on the network, compromising them as well. This is called lateral movement. This is a scenario that we want to avoid, and the best course of action is to properly isolate the sandbox. Between your network and your analysis machine, there should be no connectivity.
This on its own causes some issues as there will be no more access to the internet to download new analysis tools. Well, we can use a 4G dongle or have a separate internet connection from your ISP specific to this environment. This can be used for tools but also to access available open-source intelligence to validate some of the indicators discovered during analysis. The second issue that we might run into is getting samples collected from machines that aren’t connected to the network. An easy alternative to this is to use a USB key to transfer malicious artifacts. The important thing to remember is that you may use this only to get files from the network, which is considered a trusted zone, into the analysis environment, which is an untrusted zone. Moving files in the opposite direction might spread computer virus infections to the wider network. Therefore, it’s not recommended. Finally, we can deploy your virtualized environment on your network-isolated analysis machine.
Building up a virtual environment for each analysis can become a tedious task. This can consume a lot of time in repetitive tasks. Well, there is a solution for this. It’s called snapshotting. We can set up a new machine with all your analysis tools and then take a snapshot of it. This will store all your settings and tools that we have configured after the OS installation. Now, every time we want to start analyzing computer viruses, we can use this snapshot as your starting point.
This way, analysis can begin straight away, and we don’t waste time with repetitive tasks. Another benefit of snapshotting is that it can also be used during the analysis if we want to save the current state of the computer infection so we can roll back to it and test different scenarios. In some cases, we might need new tools or scripts, and we want them to be part of the existing workflow. Upgrading starts from an old snapshot of your analysis VM, on which we install all the new tools and scripts. The final step is to create a new snapshot, and this will become your new restore point when starting an investigation.
Safe Handling Of Malicious Artifacts Outside Of Isolated Environment
Now that we have all the details on setting up an analysis environment dedicated to dissecting computer viruses, it’s time to go over some safe handling procedures. During an investigation, we might have to deal with malicious artifacts outside your isolated environment. The goal is to avoid accidental execution. You must be well aware of these procedures, as we might have to instruct others to perform collection in situations where we cannot.
Change The File Extension
Our first recommendation to avoid accidental execution is to change the extension of the files. This works on all Windows operating systems, and it’s targeted towards executables and self-extracting archives. This has to do with the way Windows handles files based on their extension. A good example is to change the .exe extension to .data or any other extension that Windows does not recognize as something that can be executed. After this, the file will not run when clicking on it.
Example: malware.exe to malware.data
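The rename loses the original file name, which is itself an indicator. The sketch below is an added example, not part of the original article: it renames risky files to .data and appends the SHA-256 and original name to a manifest so the sample can be identified later. The function names, the manifest layout and the extension list are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

# Assumption: a short list of extensions Windows launches on double-click.
# Extend it to match your own collection policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi"}
SAFE_EXTENSION = ".data"  # the inert extension used in the article's example


def neutralize(path, manifest_path):
    """Rename a risky file to .data and log its hash and original name.

    Returns the path the file has after the call (unchanged if not risky).
    """
    src = Path(path)
    if src.suffix.lower() not in RISKY_EXTENSIONS:
        return src
    dst = src.with_suffix(SAFE_EXTENSION)
    if dst.exists():
        # Never overwrite another sample that already uses the inert name.
        raise FileExistsError(f"{dst} already exists")
    digest = hashlib.sha256(src.read_bytes()).hexdigest()
    src.rename(dst)
    # Tab-separated manifest line: hash, original name, neutralized name.
    with open(manifest_path, "a", encoding="utf-8") as manifest:
        manifest.write(f"{digest}\t{src.name}\t{dst.name}\n")
    return dst


def original_name(manifest_path, sha256_hex):
    """Look up the name a sample had before it was neutralized."""
    with open(manifest_path, encoding="utf-8") as manifest:
        for line in manifest:
            digest, old_name, _new_name = line.rstrip("\n").split("\t")
            if digest == sha256_hex:
                return old_name
    return None
```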
Make URLs, Domains, And IP Addresses Inaccessible
Second on the list, and really important, are malicious URLs. By default, most of the programs that we work with on a daily basis will try to make URLs clickable, and clicking on one launches a browser and opens the link automatically. In some cases, this might download the malicious file or trigger a web-based exploit, and we don’t want that.
First, we can change http to hxxp. This modifies the URL so that the site will not be accessed when clicking on the link.
Second, we can use some square brackets around the dot in the domain. Even if we accidentally click on the link, it will not register a request to the malicious website. This method also works on IP addresses.
Example: hxxp://malware[.]com, 192[.]168[.]10[.]150
Making these small changes to the common parts of the URL will help us preserve the actual addresses to be used as indicators later on. These are only some of the important safeguards. This is the best way to protect your environment from accidents during analysis.
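Both changes can be applied to a whole block of analyst notes at once and reversed when the indicators are needed again. The following is an added example, not part of the original article: the function names and the sample note are constructed, and it handles only http/https URLs and bare IPv4 addresses, not bare domain names.

```python
import re

# One pass over the text: a URL (scheme, host, rest) or a bare IPv4 address.
_IOC = re.compile(
    r"(?P<scheme>https?)://"
    r"(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
    r"(?P<rest>[^\s<>\"']*)"
    r"|(?<![\d.])(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?!\d|\.\d)",
    re.IGNORECASE,
)
_DEFANGED_SCHEME = re.compile(r"\bhxxp(s?)://", re.IGNORECASE)


def _defang_match(match):
    ip = match.group("ip")
    if ip is not None:
        if any(int(octet) > 255 for octet in ip.split(".")):
            return ip  # not a valid IPv4 address, leave it untouched
        return ip.replace(".", "[.]")
    scheme = match.group("scheme")
    scheme = scheme[0] + "xx" + scheme[3:]  # http -> hxxp, https -> hxxps
    # Only the dots in the host are bracketed; the path is kept verbatim.
    host = match.group("host").replace(".", "[.]")
    return f"{scheme}://{host}{match.group('rest')}"


def defang(text):
    """Make URLs and IPv4 addresses in free text non-clickable."""
    return _IOC.sub(_defang_match, text)


def refang(text):
    """Restore defanged indicators so they can be matched in logs or feeds."""
    text = _DEFANGED_SCHEME.sub(
        lambda m: "http" + m.group(1).lower() + "://", text
    )
    return text.replace("[.]", ".")


# Constructed analyst note used as sample input.
SAMPLE_NOTE = (
    "Dropper fetched http://malware.com/stage2.bin and beaconed to "
    "192.168.10.150. Version 999.1.1.1 is not an IP."
)

if __name__ == "__main__":
    print(defang(SAMPLE_NOTE))
```

Refang only inside the isolated environment or when loading indicators into detection tooling, never in e-mail or chat, where the link would become clickable again.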