Configuring VirtualBox for malware testing

  • Malware


Hi,

To test malware, use a virtual machine. To hinder analysis, malware authors add checks that detect whether the program is running in a VM; when it is, the sample behaves differently or simply exits. To cover your tracks, you need to:

  • not install the Guest Additions drivers
  • not keep the default disk size
  • not keep the default number of CPUs
  • change the MAC address (VirtualBox assigns its own 08:00:27 prefix, which is an easy giveaway)
  • use an anti-virus (real machines usually have one, so add an AV and, if needed, an exclusion rule so the test malware can run unhindered)

For the rest of the hardware, I use a bash script that generates a configuration file with the host machine information. You have to run this file as the root user and then use the generated file as a user with restricted rights.

#!/bin/bash
# Generator: reads the host's DMI and disk identifiers and writes vm_ghost_config,
# a second script that applies them to a VirtualBox VM. dmidecode needs root, so
# run this generator as root; the generated file only needs VBoxManage and is
# meant to be run as the unprivileged user who owns the VM.

if [ "$(id -u)" -ne 0 ]; then
  echo "dmidecode needs root: run this generator with sudo" >&2
  exit 1
fi

# Physical disk whose identity is copied into the VM (override with the first argument).
DISK="${1:-/dev/sda}"

dmi() { dmidecode --string "$1"; }
# Exact-key lookup: a bare "grep ID_MODEL" would also match ID_MODEL_ENC.
udev() { udevadm info --query=property --name="$DISK" | grep -m1 "^$1=" | cut -d "=" -f2-; }

biosVendor=$(dmi bios-vendor)
biosVersion=$(dmi bios-version)
biosReleaseDate=$(dmi bios-release-date)
sysManufacturer=$(dmi system-manufacturer)
sysProductName=$(dmi system-product-name)
sysVersion=$(dmi system-version)
sysSerial=$(dmi system-serial-number | cut -c 1-20)
sysUUID=$(dmi system-uuid)
sysFamily=$(dmi system-family)
sysSKU="To be filled by O.E.M."
discSerial=$(udev ID_SERIAL_SHORT)
discModel=$(udev ID_MODEL)
discFirmware=$(udev ID_REVISION)

# Unescaped $vars below are expanded now (host values); \$vars are left for the
# generated script to evaluate at run time.
cat << EOF > vm_ghost_config
#!/bin/bash

# Enter the name of the VM
VM_NAME="Name of the VM"
# Enter the MAC address, 12 hex digits without separators. Do NOT keep the
# 08:00:27 prefix of the placeholder: it is VirtualBox's own OUI and is one of
# the first things VM-detection code looks for.
MAC_ADDRESS="08002710B8D0"
# Enter the number of CPUs
NBR_CPU=2
# Key prefix of the disk being spoofed. piix3ide/.../PrimaryMaster is the IDE
# controller; for a disk attached to the SATA controller use
# VBoxInternal/Devices/ahci/0/Config/Port0 instead.
DISK_KEY="VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster"

biosVendor="$biosVendor"
biosVersion="$biosVersion"
biosReleaseDate="$biosReleaseDate"
sysManufacturer="$sysManufacturer"
sysProductName="$sysProductName"
sysVersion="$sysVersion"
sysUUID="$sysUUID"
sysSerial="$sysSerial"
sysFamily="$sysFamily"
sysSKU="$sysSKU"
discSerial="$discSerial"
discModel="$discModel"
discFirmware="$discFirmware"

for v in VM_NAME MAC_ADDRESS NBR_CPU biosVendor biosVersion biosReleaseDate \\
         sysManufacturer sysProductName sysVersion sysSerial sysUUID sysFamily \\
         sysSKU discSerial discModel discFirmware; do
  if [[ -z "\${!v}" ]]; then
    echo "variable \$v is undefined" >&2
    exit 1
  fi
done

# Normalise the MAC and refuse the VirtualBox OUI, which would defeat the purpose.
MAC_ADDRESS=\$(printf '%s' "\$MAC_ADDRESS" | sed 's/[-:]//g' | tr 'a-f' 'A-F')
case "\$MAC_ADDRESS" in
  080027*) echo "MAC_ADDRESS still starts with VirtualBox's 08:00:27 OUI" >&2; exit 1 ;;
esac

# Extra data and CPU/MAC changes only apply to a powered-off VM.
if ! VBoxManage showvminfo "\$VM_NAME" --machinereadable 2>/dev/null | grep -q '^VMState="poweroff"'; then
  echo "VM '\$VM_NAME' not found or not powered off" >&2
  exit 1
fi

VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "string:\$biosVendor"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "string:\$biosVersion"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "string:\$biosReleaseDate"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "4"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "2"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "4"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "2"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "string:\$sysManufacturer"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "string:\$sysProductName"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "string:\$sysVersion"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "string:\$sysSerial"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "string:\$sysSKU"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "string:\$sysFamily"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "string:\$sysUUID"
VBoxManage setextradata "\$VM_NAME" "\$DISK_KEY/SerialNumber" "string:\$discSerial"
VBoxManage setextradata "\$VM_NAME" "\$DISK_KEY/FirmwareRevision" "string:\$discFirmware"
VBoxManage setextradata "\$VM_NAME" "\$DISK_KEY/ModelNumber" "string:\$discModel"
VBoxManage modifyvm "\$VM_NAME" --macaddress1 "\$MAC_ADDRESS"
VBoxManage modifyvm "\$VM_NAME" --cpus "\$NBR_CPU"

EOF

chmod a+x vm_ghost_config

The vm_ghost_config file must then be edited and the values of the following variables adapted to the target VM:

  • VM_NAME
  • MAC_ADDRESS
  • NBR_CPU
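Once vm_ghost_config has been applied and the VM rebooted, it is worth checking from inside the guest that no obvious VirtualBox artifact is left, since that is exactly what a sample would look at. The script below is an added example and not part of the original post. It assumes a Linux guest with sysfs (/sys/class/dmi/id, /sys/block, /sys/class/net) and looks for the default VirtualBox identifiers (innotek GmbH, VirtualBox, VBOX HARDDISK, the 08:00:27 MAC prefix) and for loaded vbox* kernel modules left behind by the Guest Additions. The check functions take their input as arguments, so they can also be run against values captured elsewhere; the file name vm_ghost_check.sh is hypothetical.

```bash
#!/bin/bash
# vm_ghost_check.sh (added example, hypothetical name): guest-side check that the
# spoofing took effect. Run as "./vm_ghost_check.sh --live" inside the guest;
# the exit status is the number of VirtualBox artifacts still visible.

# Default VirtualBox strings that VM-detection routines commonly grep for.
VBOX_PATTERN='innotek|virtualbox|vbox|oracle corporation'

# mac_is_clean MAC -> 0 if the NIC does not carry VirtualBox's 08:00:27 OUI
# (accepts "08:00:27:..", "08-00-27-.." or "080027..", any case)
mac_is_clean() {
    mac=$(printf '%s' "$1" | sed 's/[-:]//g' | tr 'a-f' 'A-F')
    case "$mac" in
        080027*) return 1 ;;
        *)       return 0 ;;
    esac
}

# text_is_clean STRING -> 0 if STRING contains no default VirtualBox identifier
text_is_clean() {
    ! printf '%s' "$1" | grep -qiE "$VBOX_PATTERN"
}

# count_hits TEXT -> prints how many lines of TEXT mention a VirtualBox identifier
count_hits() {
    printf '%s\n' "$1" | grep -ciE "$VBOX_PATTERN" || true
}

# run_live_checks -> reads the same sources a sample would (DMI tables, disk
# model, NIC addresses, kernel modules) and reports every remaining artifact.
run_live_checks() {
    findings=0
    for f in /sys/class/dmi/id/bios_vendor /sys/class/dmi/id/sys_vendor \
             /sys/class/dmi/id/product_name /sys/class/dmi/id/board_vendor \
             /sys/class/dmi/id/chassis_vendor; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        text_is_clean "$v" || { echo "DMI  $f: $v"; findings=$((findings + 1)); }
    done
    for m in /sys/block/*/device/model; do
        [ -r "$m" ] || continue
        v=$(cat "$m")
        text_is_clean "$v" || { echo "DISK $m: $v"; findings=$((findings + 1)); }
    done
    for a in /sys/class/net/*/address; do
        [ -r "$a" ] || continue
        v=$(cat "$a")
        mac_is_clean "$v" || { echo "MAC  $a: $v"; findings=$((findings + 1)); }
    done
    # Guest Additions leave vboxguest/vboxsf/vboxvideo modules loaded; trivial to spot.
    if lsmod 2>/dev/null | grep -q '^vbox'; then
        echo "MOD  vbox* kernel module loaded"
        findings=$((findings + 1))
    fi
    echo "$findings VirtualBox artifact(s) found"
    return "$findings"
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

A clean run prints "0 VirtualBox artifact(s) found" and exits 0. Anything else means the corresponding value is still at its VirtualBox default (or the Guest Additions are installed) and needs fixing on the host side before the VM is used for analysis.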

If you want a more complete configuration, you will find everything on this page. Most of the information I used comes from this repository.