Due to my renewed interest in malware analysis, I’ve built a virtual machine lab at home. My newest desktop system runs an AMD Phenom II 6-core processor with 16GB of RAM and Ubuntu Linux 10.10 (for now), so it does a great job as a host for all the little systems where I can perform analyses and sacrifices.
I chose to use VirtualBox over VMware Player primarily because it allows me to use multiple snapshots with a system without having to pay anything. Also, I hadn’t used it before this project, which meant something else new I could learn.
Right now, I have the following VMs loaded in the lab:
- OpenBSD: As discussed recently, I wanted to experience again all the love, hate,
sex,and pain from my old days. Actually, this system hasn’t gotten used in any “production” sense, but I hope that changes soon-ish.
- REMnux: A Linux distribution dedicated to reverse engineering malware, REMnux has lots of great tools pre-configured for use in a project. I’ve only started to scratch the surface of what it can do, but already the default install of inetsim (with some extremely minor configuration tweaks) came in handy during a recent analysis for my day job.
- SIFT: Like REMnux, I view the SANS Investigative Forensic Toolkit as a sine qua non for any forensic analyst’s toolbox. It has a great setup for The Sleuth Kit and Autopsy Browser and lots of other tools available.
- Windows 7: I primarily use this as a sacrificial goat when analyzing malware. I’ve done nothing to it past the default install and operating system updates. I did, however, run md5deep on it, so that I have a complete hash set of known good files. That seems like a good project to make available publicly, but I’d like to put some thought into how I should do it.
- Windows XP: Actually, I keep two trees of this system. One functions precisely like the Windows 7 install, albeit with Firefox installed, something I should probably remedy. I have the md5deep output for it as well. The other serves as a test bed for debugging and any analysis tasks that require access to Windows. Right now, I’ve built it according to Gray Hat Python but I will likely add to it as time progresses.
In the next couple of weeks, I’ll build something similar at work but applying the lessons I’ve learned here. Those lessons, however, will have to wait for another post, because I haven’t figured them all out yet.