Configuring Virtualbox for malware testing

Malware

Hi,

To test malware, it is recommended to use a virtual machine. In order to prevent malicious programs from being studied, malware vendors can implement features to detect whether the program is running in a VM or not. In order to "blur tracks", it is necessary:

do not install the drivers specific to guest additions
do not leave the default values for disk size
do not leave the default values for the number of CPUs
change the MAC address
use an anti-virus (since real machines usually have an anti-virus, you need to add an AV and possibly make a rule to run the test malware unhindered)

For the rest of the hardware, I use a bash script that generates a configuration file with the host machine information. You have to run this file with the Root user and then use the generated file with a user with restricted rights.

#!/bin/bash

biosVendor=`dmidecode --string bios-vendor`
biosVersion=`dmidecode --string bios-version`
biosReleaseDate=`dmidecode --string bios-release-date`
sysManufacturer=`dmidecode --string system-manufacturer`
sysProductName=`dmidecode --string system-product-name`
sysVersion=`dmidecode --string system-version`
sysSerial=`dmidecode --string system-serial-number | cut -c 1-20`
sysUUID=`dmidecode --string system-uuid`
sysFamily=`dmidecode --string system-family`
sysSKU="To be filled by O.E.M."
discSerial=`udevadm info --query=all --name=/dev/sda | grep ID_SERIAL_SHORT | head -n1 | cut -d "=" -f2`
discModel=`udevadm info --query=all --name=/dev/sda | grep ID_MODEL | head -n1 | cut -d "=" -f2`
discFirmware=`udevadm info --query=all --name=/dev/sda | grep ID_REVISION | head -n1 | cut -d "=" -f2`

cat << EOF > vm_ghost_config
#!/bin/bash


# Enter the name of the VM
VM_NAME="Nom de la VM"
# Enter the MAC address
MAC_ADDRESS="08002710B8D0"
# Enter the number of CPU
NBR_CPU=2

biosVendor="$biosVendor"
biosVersion="$biosVersion"
biosReleaseDate="$biosReleaseDate"
sysManufacturer="$sysManufacturer"
sysProductName="$sysProductName"
sysVersion="$sysVersion"
sysUUID="$sysUUID"
sysSerial="$sysSerial"
sysFamily="$sysFamily"
sysSKU="$sysSKU"
discSerial="$discSerial"
discModel="$discModel"
discFirmware="$discFirmware"

if [[ -z "\$VM_NAME" ]]  || \\
   [[ -z "\$biosVendor" ]] || \\
   [[ -z "\$biosVersion" ]] || \\
   [[ -z "\$sysProductName" ]] || \\
   [[ -z "\$biosReleaseDate" ]] || \\
   [[ -z "\$sysManufacturer" ]] || \\
   [[ -z "\$sysVersion" ]] || \\
   [[ -z "\$sysFamily" ]] || \\
   [[ -z "\$sysSerial" ]] || \\
   [[ -z "\$sysUUID" ]] || \\
   [[ -z "\$sysSKU" ]] || \\
   [[ -z "\$discSerial" ]] || \\
   [[ -z "\$discModel" ]] || \\
   [[ -z "\$discFirmware" ]] || \\
   [[ -z "\$NBR_CPU" ]] || \\
   [[ -z "\$MAC_ADDRESS" ]]; then
  echo 'one or more variables are undefined'
  exit 1
fi

VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "string:\$biosVendor"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "string:\$biosVersion"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "string:\$biosReleaseDate"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "4"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "2"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "4"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "2"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "string:\$sysManufacturer"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "string:\$sysProductName"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "string:\$sysVersion"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "string:\$sysSerial"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "string:\$sysSKU"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "string:\$sysFamily"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "string:\$sysUUID"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "string:\$discSerial"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "string:\$discFirmware"
VBoxManage setextradata "\$VM_NAME" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "string:\$discModel"
VBoxManage modifyvm "\$VM_NAME" --macaddress1 "\$MAC_ADDRESS"
VBoxManage modifyvm "\$VM_NAME" --cpus "\$NBR_CPU"

EOF

chmod a+x vm_ghost_config

The vm_ghost_config file must then be edited and the values of the variables must be adapted:

VM_NAME
MAC_ADDRESS
NBR_CPU

If you want a more complete configuration, you will find everything on this page. Most of the information I used comes from this repository.