It is essential to have an isolated machine when analyzing malicious samples, so as not to infect our own networks or systems.
The VM setup that I find very useful is a Windows 7 + Flare VM environment running on VirtualBox.
FlareVM is a great customizable VM environment from FireEye which includes a lot of tools that are useful in malware analysis and reverse engineering. I'll try to write about the tools as and when their use arises.
You can find FlareVM here: https://github.com/fireeye/flare-vm
Network:
Configuring the network options correctly is essential: ideally a malicious sample should not be able to make network connections to external hosts, because that could lead to the compromise of other assets on our network.
VirtualBox offers various network options that can be configured. I'll describe some useful configurations here:
- NAT connection: This configuration is useful only when you need Internet access for the VM. It is not recommended to use this configuration when a malware sample is live on the VM. Only use this on a fresh snapshot of the VM when you need Internet access to install any software/tool or to update the VM.
- Internal network: This configures all VMs attached to the same internal network to function as if they are in a local network of their own. No Internet access is available in this mode, and the host is not reachable from it either.
- Bridged Adapter: This configures the VM to act as if it is a new device on the host's network. Never use this configuration because the malware will have direct access to the host network.
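As an added example (not from the original post), here is a small POSIX shell check that audits a VM's VirtualBox settings against the rules above before a sample is detonated. It reads the output of `VBoxManage showvminfo "<VM name>" --machinereadable` and flags any adapter that is not `none` or `intnet`; it also goes one step beyond the post and flags clipboard or drag-and-drop sharing that is not disabled, since those are host/guest channels much like shared folders. The key names (`nicN`, `clipboard`, `draganddrop`) are assumed to match that output format, and the two sample configurations are constructed, not real VMs.

```shell
# audit_vm_config < showvminfo-output
# Prints one FINDING line per unsafe setting; exit status 0 means isolated.
audit_vm_config() {
    findings=0
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}          # strip the surrounding quotes
        case "$key" in
            nic[0-9]*)
                case "$val" in
                    none|intnet) ;;            # no adapter, or host-less internal net
                    *) echo "FINDING: $key=$val (use none or intnet)"
                       findings=$((findings + 1)) ;;
                esac ;;
            clipboard|draganddrop)
                if [ "$val" != "disabled" ]; then
                    echo "FINDING: $key=$val (disable host/guest sharing)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed, abridged showvminfo output for a VM that is NOT isolated
# (NAT on nic1, bridged on nic2, clipboard shared with the host).
UNSAFE_VM='nic1="nat"
nic2="bridged"
bridgeadapter2="eth0"
nic3="none"
clipboard="bidirectional"
draganddrop="disabled"'

# Constructed output for a VM that follows the rules above.
SAFE_VM='nic1="intnet"
intnet1="malnet"
nic2="none"
clipboard="disabled"
draganddrop="disabled"'

# Usage: printf '%s\n' "$UNSAFE_VM" | audit_vm_config   # prints 3 findings, exits 1
```

On a real host, replace the sample with `VBoxManage showvminfo "<VM name>" --machinereadable | audit_vm_config` and run it on the snapshot you intend to detonate in.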
Shared Folders:
Sometimes you'll find the need to share files between your host machine and the analysis machine. VirtualBox provides a Shared Folders feature which you can enable to have some folders shared between the host and guest machines. But be sure never to give read/write access to a folder which you use routinely on the host machine. It is always better to create a new folder on a separate drive and give read/write access to that folder only.