
I'm starting out in Malware Research / Malware Analysis. I am reading a book called "Practical Guide to Malware Analysis," which touches on this in the 2nd chapter, before approaching Dynamic Analysis (malware detonation). However, it mentions 2 options for the Virtualization approach:

  1. Set Network Adapter to Host-Only. That way it should isolate the VM from the network but still have access to it via the Host - not sure how that works though.

  2. A multi-VM setup where one VM is set for Services and the other for Analysis, and both are joined to the same Custom VMNet.

My problem is that there are no step-by-step instructions on how to do this. I am hoping to get answers here. The question I'm most curious about is: Is setting the Network Adapter to Host-Only the only thing to do to isolate the VM for Malware Analysis?

Many sites that I Googled mention just this (and also taking snapshots, etc.). Thanks.

freginold
REbegin

2 Answers

2

Setting the network adapter to host-only does not truly isolate the malware. The malware could spread to your host over the host-only network, and then it can spread from your host to the rest of the network or to the internet. (This assumes that your host has regular network connectivity, as is often the case.) This is not recommended, and I'm surprised they suggested it in the first place.

You should avoid giving the malware any means of spreading to your regular internal network or the internet.

The creation of a custom network (or VLAN) is ideal. Most hypervisors will allow you to map directories/folders between your host and a guest, so you can transfer files in and out that way. You create two VMs: one "test" VM to execute the payload, and one "tools" VM to run analysis tools and transfer data.

The "test" VM can be as insecure as you like---and it may need to be fairly insecure for some payloads to work. The "tools" VM should be relatively hardened; some people prefer it to be a different OS than the "test" VM as well.

DoubleD
  • Any links on how to create a custom Network on VMWare? – REbegin Sep 10 '19 at 20:21
  • Plugging a few things into Google didn't work, so, briefly: You edit the VM hardware and set the NIC to a custom network. When you do this, you will have to choose a name for the network. Any VMs with NICs on that same custom network will have connectivity to each other, assuming the guest IP settings are consistent. The network names vmnet0, vmnet1, and vmnet8 are reserved by VMware for their bridged, host-only, and NAT networks. – DoubleD Sep 10 '19 at 20:58
1

FlareVM is a good starting point.

Also make sure you harden your VirtualBox in order to prevent malware from detecting that it's being run in a sandboxed environment.

Here's a good starting point:

You can also setup a fake network, so that malware would take actions as it would on a real network, without actually exposing it publicly.

Here's a good starting point:

  • To my understanding, Flare VM only offers you nice tools in the package. This is not my requirement at the moment. First step is to safely execute Malware on VM and this is what I am trying to get an answer for. – REbegin Sep 10 '19 at 20:24
  • @REbegin Add an internal network in VirtualBox and set up fakenet – Raimonds Liepiņš Sep 11 '19 at 07:42
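The two-VM custom network from the first answer and the VirtualBox internal network from the comment above, written out as something you can apply and then verify. This is an added example, not code from either answerer: it assumes VirtualBox's VBoxManage CLI, and the VM name test-vm and network name malnet are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes VirtualBox's VBoxManage CLI
# (modifyvm --nic<N>/--intnet<N>/--cableconnected<N> and
# "showvminfo --machinereadable"); "test-vm" and "malnet" are placeholders.

# Print the VBoxManage commands that put a VM on one internal network with
# every other adapter disabled; pipe the output to sh to apply them.
isolation_commands() {
    _vm="$1"; _net="$2"
    echo "VBoxManage modifyvm '$_vm' --nic1 intnet --intnet1 '$_net' --cableconnected1 on"
    for _n in 2 3 4; do
        echo "VBoxManage modifyvm '$_vm' --nic${_n} none"
    done
}

# Check "VBoxManage showvminfo <vm> --machinereadable" output ($1) against the
# expected internal network ($2). Any enabled NAT, bridged or host-only adapter
# is a path from the guest to the host or LAN, so it fails the check.
check_vm_isolation() {
    _info="$1"; _net="$2"; _bad=0
    for _n in 1 2 3 4 5 6 7 8; do
        _type=$(printf '%s\n' "$_info" | sed -n "s/^nic${_n}=\"\(.*\)\"$/\1/p")
        case "$_type" in
            ""|none) ;;                       # adapter absent or disabled
            intnet)
                _name=$(printf '%s\n' "$_info" | sed -n "s/^intnet${_n}=\"\(.*\)\"$/\1/p")
                if [ "$_name" != "$_net" ]; then
                    echo "nic$_n: internal network '$_name', expected '$_net'"; _bad=1
                fi ;;
            *) echo "nic$_n: type '$_type' can reach the host or LAN"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Constructed sample outputs (not captured from a real VM).
SAFE_VM='nic1="intnet"
intnet1="malnet"
nic2="none"
nic3="none"'

LEAKY_VM='nic1="intnet"
intnet1="malnet"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="none"'

check_vm_isolation "$SAFE_VM" malnet && echo "SAFE_VM: isolated"
check_vm_isolation "$LEAKY_VM" malnet || echo "LEAKY_VM: NOT isolated"
```

Run the check against `VBoxManage showvminfo test-vm --machinereadable` for both the test and tools VMs after configuring them; the host-only adapter in LEAKY_VM is exactly the case the first answer warns about.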