Configuring Virtualbox for malware testing
- Malware
Hi,
To test malware, it is recommended to use a virtual machine. To keep their programs from being analysed, malware authors can add checks that detect whether the program is running in a VM. To hide the VM's tracks, you need to:
- not install the Guest Additions drivers
- not leave the default value for the disk size
- not leave the default value for the number of CPUs
- change the MAC address
- use an anti-virus (real machines usually have one, so add an AV and, if needed, an exclusion rule so that the sample under test can run unhindered)
For the rest of the hardware, I use a bash script that generates a configuration file with the host machine information. This script has to be run as root; the generated file is then run as a user with restricted rights.

```bash
#!/bin/bash
# Run as root: dmidecode and udevadm need it to read the host's DMI and disk data.
# Writes vm_ghost_config, which is then run as the unprivileged user owning the VM.
biosVendor=$(dmidecode --string bios-vendor)
biosVersion=$(dmidecode --string bios-version)
biosReleaseDate=$(dmidecode --string bios-release-date)
sysManufacturer=$(dmidecode --string system-manufacturer)
sysProductName=$(dmidecode --string system-product-name)
sysVersion=$(dmidecode --string system-version)
sysSerial=$(dmidecode --string system-serial-number | cut -c 1-20)
sysUUID=$(dmidecode --string system-uuid)
sysFamily=$(dmidecode --string system-family)
sysSKU="To be filled by O.E.M."
# Identity of the host's first disk; adjust /dev/sda if the host boots from another device.
# The trailing '=' keeps ID_MODEL from matching ID_MODEL_ENC / ID_MODEL_ID.
discSerial=$(udevadm info --query=all --name=/dev/sda | grep 'ID_SERIAL_SHORT=' | head -n1 | cut -d "=" -f2)
discModel=$(udevadm info --query=all --name=/dev/sda | grep 'ID_MODEL=' | head -n1 | cut -d "=" -f2)
discFirmware=$(udevadm info --query=all --name=/dev/sda | grep 'ID_REVISION=' | head -n1 | cut -d "=" -f2)

# Unquoted heredoc: the host values above are expanded now, while \$ and \\ stay
# literal so the generated file keeps its own variables and line continuations.
cat << EOF > vm_ghost_config
#!/bin/bash
# Enter the name of the VM
VM_NAME="Nom de la VM"
# Enter the MAC address (12 hex digits, no separators).
# 08:00:27 is VirtualBox's own OUI, so pick a prefix matching the emulated vendor.
MAC_ADDRESS="08002710B8D0"
# Enter the number of CPU
NBR_CPU=2
biosVendor="$biosVendor"
biosVersion="$biosVersion"
biosReleaseDate="$biosReleaseDate"
sysManufacturer="$sysManufacturer"
sysProductName="$sysProductName"
sysVersion="$sysVersion"
sysUUID="$sysUUID"
sysSerial="$sysSerial"
sysFamily="$sysFamily"
sysSKU="$sysSKU"
discSerial="$discSerial"
discModel="$discModel"
discFirmware="$discFirmware"
if [[ -z "\$VM_NAME" ]] || \\
   [[ -z "\$biosVendor" ]] || \\
   [[ -z "\$biosVersion" ]] || \\
   [[ -z "\$sysProductName" ]] || \\
   [[ -z "\$biosReleaseDate" ]] || \\
   [[ -z "\$sysManufacturer" ]] || \\
   [[ -z "\$sysVersion" ]] || \\
   [[ -z "\$sysFamily" ]] || \\
   [[ -z "\$sysSerial" ]] || \\
   [[ -z "\$sysUUID" ]] || \\
   [[ -z "\$sysSKU" ]] || \\
   [[ -z "\$discSerial" ]] || \\
   [[ -z "\$discModel" ]] || \\
   [[ -z "\$discFirmware" ]] || \\
   [[ -z "\$NBR_CPU" ]] || \\
   [[ -z "\$MAC_ADDRESS" ]]; then
    echo 'one or more variables are undefined'
    exit 1
fi
# BIOS and system DMI strings. The "string:" prefix forces VirtualBox to treat the
# value as text; the numeric release/firmware fields are passed as plain numbers.
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "string:\$biosVendor"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "string:\$biosVersion"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "string:\$biosReleaseDate"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "4"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "2"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "4"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "2"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "string:\$sysManufacturer"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "string:\$sysProductName"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "string:\$sysVersion"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "string:\$sysSerial"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "string:\$sysSKU"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "string:\$sysFamily"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "string:\$sysUUID"
# Disk identity. These keys target the IDE controller (piix3ide, primary master);
# for a disk on the SATA controller use VBoxInternal/Devices/ahci/0/Config/Port0/... instead.
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "string:\$discSerial"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "string:\$discFirmware"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "string:\$discModel"
VBoxManage modifyvm "\$VM_NAME" --macaddress1 "\$MAC_ADDRESS"
VBoxManage modifyvm "\$VM_NAME" --cpus "\$NBR_CPU"
EOF
chmod a+x vm_ghost_config
```
The vm_ghost_config file must then be edited and the values of the variables must be adapted:
- VM_NAME
- MAC_ADDRESS
- NBR_CPU
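As a check after the generated file has been applied, here is a small POSIX shell lint (an added example, not part of the original post or of the script above) that scans the output of `VBoxManage getextradata "$VM_NAME" enumerate` and the VM's MAC address for values that still carry VirtualBox defaults (innotek, VirtualBox, VBOX, the 08:00:27 OUI). The `Key: ..., Value: ...` line format and the sample dump embedded below are assumed/constructed, so the lint can be run offline on a saved dump.

```shell
#!/bin/sh
# Added example, not from the original post: lint a VM's extradata and MAC for
# leftover VirtualBox defaults once vm_ghost_config has been run.
# Assumed input format (one key per line, as printed by
#   VBoxManage getextradata "$VM_NAME" enumerate):
#   Key: <key>, Value: <value>

# check_extradata <dump>: returns 0 if no VirtualBox marker remains in the
# pcbios / piix3ide / ahci keys, 1 otherwise (offending lines go to stderr).
check_extradata() {
    hits=$(printf '%s\n' "$1" \
        | grep -E 'VBoxInternal/Devices/(pcbios|piix3ide|ahci)/' \
        | grep -E 'innotek|VirtualBox|VBOX' || true)
    [ -z "$hits" ] && return 0
    printf 'VirtualBox default still present:\n%s\n' "$hits" >&2
    return 1
}

# check_mac <mac>: returns 1 if the address uses VirtualBox's 08:00:27 OUI,
# which marks the NIC as a VirtualBox adapter whatever the DMI strings say.
# Accepts "08:00:27:..", "08-00-27-.." or the bare 12-digit form.
check_mac() {
    mac=$(printf '%s' "$1" | sed 's/[:-]//g' | tr 'abcdef' 'ABCDEF')
    case "$mac" in
        080027*) echo "MAC $1 uses the VirtualBox OUI 08:00:27" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample dump: the BIOS vendor was filled in, but the disk model
# was left at VirtualBox's default.
SAMPLE_DUMP='Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: string:Dell Inc.
Key: VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber, Value: string:VBOX HARDDISK'

# Real use: check_extradata "$(VBoxManage getextradata "$VM_NAME" enumerate)"
ok=0
check_extradata "$SAMPLE_DUMP" || ok=1
check_mac "08002710B8D0" || ok=1
[ "$ok" -eq 0 ] && echo "no VirtualBox defaults found" || echo "VM still looks like a stock VirtualBox guest"
```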
If you want a more complete configuration, you will find everything on this page. Most of the information I used comes from this repository.