Since I am a newbie here, please accept my apologies if this has been covered already or is
not in the proper forum.
I am looking to set up a number of VMwares where each will run a different A/V like Kaspersky or
Bitdefender or ClamAV. But I will not be asking the VM to run the A/V engine on the injected malware but
rather I want to "run" (execute) the malware in this VM sandbox and see what the A/V engine says has happened.
I would run 5 VMs in parallel, each with its own A/V engine and inject the malware and let it execute and would want
to extract the A/V logs to see what "bad" has happened. All automated via a CLI.
Has anyone done something similar? What API would I need? Which VMware platform should I be focusing on
to accomplish this? Any suggestions and ideas welcome.
Thanks!
You probably want to have isolated VMs if you want to test malware inside of them.
That means you should not install vmware-tools, which means you also block existing APIs from running correctly.
Looks like you need some custom fiddling with batch files and/or AutoIt.
OK, first off you're going about it the wrong way. Yes, you should have multiple VMs with different A/V running to scan the file and see if any detect it. If you want to see what happens you're going to have to make a VM that's designed to run malware and have it on a private network with a Linux host with some tools installed like netcat, ircd, etc.
The standard run for malware behavioral analysis is to run it in the target VM with Wireshark, ProcMon, and ProcExp running. ProcMon is good about catching registry writes and files dropped up to the point where a kernel-level rootkit takes over and then it's blind, but you can at least see what's going on up to that point using filters for 'WriteFile' and 'RegSetValue'. Make SURE the log is writing out to disk as a lot of newer malware has VM detection and they sometimes do some nasty stuff like eating the VM instead of their normal behavior. You need to find other VM software that has similar images so if it detects one you can switch to others.
Now for those a bit more skilled we do static analysis using something like IDA Pro or OllyDbg so we can look at the file in assembly and see what it does.
www.virustotal.com is a nice service that you can just submit a file to and it will be run through quite a few AV engines and give you the result. It saves you the time from setting up an AV gauntlet and keeping it up to date.
Oh, and the last note: if you're serious about doing malware research make sure your machine is running Linux as the host OS. I've seen accidental runs on hosts and it's never pretty, as with some of the nastier combo-type malware you just have to wipe your machine and reinstall from scratch to ever be able to trust it again.
As for what VMware to use I'd say workstation hands down. The multiple snapshots are very nice as you can have a single image with different states of patching/etc.
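To make the 'WriteFile' / 'RegSetValue' filtering above concrete, here is an added example (not code from anyone in this thread) that reads a ProcMon CSV export (File > Save... > CSV, default columns), keeps only successful file writes and registry value sets, groups them per process, and cross-references dropped files against autostart keys. The sample rows, process name, PID and paths are constructed for the example; the heuristic that a value under `...\CurrentVersion\Run` or `...\CurrentControlSet\Services` is a persistence write is an assumption of this example, not something the thread states.

```python
"""Summarise a ProcMon CSV export: what was written to disk and to the registry, and by whom."""
import csv
import io
from collections import defaultdict

# Constructed ProcMon CSV export. Column order is ProcMon's default CSV layout;
# every row, path and PID below is invented for this example.
SAMPLE_PROCMON_CSV = "\n".join([
    r'"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    r'"10:01:02.1234567","sample.exe","4120","CreateFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Desired Access: Generic Write"',
    r'"10:01:02.2234567","sample.exe","4120","WriteFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Offset: 0, Length: 65,536"',
    r'"10:01:02.3234567","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\lab\AppData\Roaming\svc.exe"',
    r'"10:01:02.4234567","explorer.exe","1288","RegQueryValue","HKCU\Software\Classes\exefile\shell\open\command","SUCCESS","Type: REG_SZ"',
    r'"10:01:02.5234567","sample.exe","4120","WriteFile","C:\Windows\Temp\log.txt","ACCESS DENIED","Offset: 0, Length: 12"',
])

# The two operations the post suggests filtering on.
INTERESTING_OPS = {"WriteFile", "RegSetValue"}
# Assumed persistence locations (lower-cased fragments matched against the registry path).
PERSISTENCE_FRAGMENTS = ("\\currentversion\\run", "\\currentcontrolset\\services\\")


def is_persistence_key(reg_path):
    """True if a registry path looks like an autostart location (heuristic, see lead-in)."""
    lowered = reg_path.lower()
    return any(fragment in lowered for fragment in PERSISTENCE_FRAGMENTS)


def data_from_detail(detail):
    """Pull the value written out of a RegSetValue Detail column ('..., Data: <value>')."""
    marker = "Data: "
    idx = detail.find(marker)
    return detail[idx + len(marker):] if idx >= 0 else ""


def summarize_procmon(csv_text):
    """Per process ('name:pid'): successful file writes, registry sets, and autostart targets."""
    report = defaultdict(lambda: {"files_written": set(), "registry_set": set(), "persistence_targets": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in INTERESTING_OPS:
            continue
        if row["Result"] != "SUCCESS":
            continue  # a denied write changed nothing; keep it out of the "what happened" view
        proc = f'{row["Process Name"]}:{row["PID"]}'
        entry = report[proc]
        if row["Operation"] == "WriteFile":
            entry["files_written"].add(row["Path"])
        else:
            entry["registry_set"].add(row["Path"])
            if is_persistence_key(row["Path"]):
                entry["persistence_targets"].add(data_from_detail(row["Detail"]))
    # Sorted lists so the output is stable and easy to diff between A/V guests.
    return {proc: {k: sorted(v) for k, v in entry.items()} for proc, entry in report.items()}


def dropped_autostarts(report):
    """Files a process both wrote to disk and registered under an autostart key."""
    hits = []
    for proc, entry in report.items():
        for target in entry["persistence_targets"]:
            if target in entry["files_written"]:
                hits.append((proc, target))
    return hits


if __name__ == "__main__":
    summary = summarize_procmon(SAMPLE_PROCMON_CSV)
    for proc, entry in summary.items():
        print(proc)
        for kind, items in entry.items():
            for item in items:
                print(f"  {kind:20s} {item}")
    for proc, path in dropped_autostarts(summary):
        print(f"DROPPED + AUTOSTART: {proc} -> {path}")
```

Run it against a real export by replacing `SAMPLE_PROCMON_CSV` with the file contents; the same two functions then give you a per-process list to compare with what each guest's A/V engine reported, which is the comparison the original poster is after.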
Can I ask why you state "That means you should not install vmware-tools, which means you also block existing APIs from running correctly."?
Why not install vmware-tools?
Thanks. I already have a VirusTotal-like system running in-house. But that just takes the malware and runs it
against a bunch of A/Vs to see if any of them detect a signature.
But unfortunately no Linux. Must be Windows based. I'll go with VMware workstation as you recommended
as well as Wireshark, ProcMon and ProcExp.
But I am still looking for more info about running the VMware session and injecting the malware to start executing.
I have read the 500 page VMware workstation User Manual but cannot find any reference on how to work in command
line mode to get the VM started, and then have certain programs startup as per my CLI (like Procmon) and then have
malware-x start running and when finished to do steps A, B and C and then shut back down. Any hints?
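The start / run-programs / execute sample / collect logs / shut down sequence asked about here, as an added example that is not code from this thread or from VMware: a Python driver that runs one `vmrun` plan per guest in parallel. It uses the `vmrun` commands that ship with Workstation (`revertToSnapshot`, `start`, `copyFileFromHostToGuest`, `runProgramInGuest`, `copyFileFromGuestToHost`, `stop`) and ProcMon's documented switches (`/AcceptEula /Quiet /Minimized /BackingFile`, `/Terminate`, `/OpenLog ... /SaveAs`). The guest operations need VMware Tools in the guest, which is exactly the trade-off raised earlier in the thread, and the guests are assumed to sit on a host-only network. Every path, account name, snapshot name and A/V log location is a constructed placeholder; `build_plan` only assembles commands, so it can be inspected with `--dry-run` without touching VMware.

```python
"""Drive several VMware Workstation guests in parallel with vmrun and collect ProcMon + A/V logs."""
import os
import subprocess
import sys
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Assumed vmrun location for a default Workstation install on a Windows host; adjust to yours.
VMRUN = r"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
# Assumed guest-side paths; ProcMon and C:\analysis are pre-staged in the clean snapshot.
PROCMON = r"C:\tools\Procmon.exe"
PML = r"C:\analysis\run.pml"
CSV = r"C:\analysis\run.csv"


@dataclass
class GuestVM:
    name: str         # label for output files, e.g. the A/V product inside this guest
    vmx: str          # host path of the guest's .vmx
    snapshot: str     # clean snapshot reverted to before every run
    user: str         # guest account for vmrun -gu/-gp (guest operations need VMware Tools)
    password: str
    av_log_file: str  # guest path of the log this A/V engine writes (product-specific)


@dataclass
class Sample:
    host_path: str
    guest_path: str = r"C:\analysis\sample.exe"


def host_op(*args):
    """vmrun call that needs no guest credentials (power and snapshot operations)."""
    return [VMRUN, "-T", "ws", *args]


def guest_op(vm, *args):
    """vmrun call that acts inside the guest, authenticated with the guest account."""
    return [VMRUN, "-T", "ws", "-gu", vm.user, "-gp", vm.password, *args]


def build_plan(vm, sample, runtime_s, out_dir):
    """Ordered steps for one guest: ("exec", argv) runs vmrun, ("sleep", seconds) waits."""
    return [
        ("exec", host_op("revertToSnapshot", vm.vmx, vm.snapshot)),
        ("exec", host_op("start", vm.vmx, "nogui")),
        ("exec", guest_op(vm, "copyFileFromHostToGuest", vm.vmx, sample.host_path, sample.guest_path)),
        # Start ProcMon first, logging to a backing file so the trace survives if the guest is wrecked.
        ("exec", guest_op(vm, "runProgramInGuest", vm.vmx, "-noWait", PROCMON,
                          "/AcceptEula", "/Quiet", "/Minimized", "/BackingFile", PML)),
        ("exec", guest_op(vm, "runProgramInGuest", vm.vmx, "-noWait", sample.guest_path)),
        ("sleep", runtime_s),
        ("exec", guest_op(vm, "runProgramInGuest", vm.vmx, PROCMON, "/Terminate")),
        ("exec", guest_op(vm, "runProgramInGuest", vm.vmx, PROCMON, "/OpenLog", PML, "/SaveAs", CSV)),
        ("exec", guest_op(vm, "copyFileFromGuestToHost", vm.vmx, CSV,
                          os.path.join(out_dir, f"{vm.name}-procmon.csv"))),
        ("exec", guest_op(vm, "copyFileFromGuestToHost", vm.vmx, vm.av_log_file,
                          os.path.join(out_dir, f"{vm.name}-av.log"))),
        # Hard stop: the guest is disposable and is reverted before the next sample anyway.
        ("exec", host_op("stop", vm.vmx, "hard")),
    ]


def run_plan(plan, dry_run=False):
    """Execute steps in order and stop at the first vmrun failure; returns the steps reached."""
    done = []
    for kind, payload in plan:
        if kind == "sleep":
            if not dry_run:
                time.sleep(payload)
        elif not dry_run:
            result = subprocess.run(payload, capture_output=True, text=True)
            if result.returncode != 0:  # vmrun reports errors on stdout, so keep both streams
                raise RuntimeError(f"vmrun {payload[3]} failed: {result.stdout}{result.stderr}")
        done.append((kind, payload))
    return done


def run_all(vms, sample, runtime_s, out_dir, dry_run=False):
    """One thread per guest so the five A/V images run concurrently; maps vm.name -> steps done."""
    if not dry_run:
        os.makedirs(out_dir, exist_ok=True)
    with ThreadPoolExecutor(max_workers=len(vms)) as pool:
        futures = {vm.name: pool.submit(run_plan, build_plan(vm, sample, runtime_s, out_dir), dry_run)
                   for vm in vms}
        return {name: future.result() for name, future in futures.items()}


if __name__ == "__main__":
    # Constructed inventory; the A/V log paths in particular differ per product.
    guests = [
        GuestVM("av-a", r"C:\VMs\win-av-a\win.vmx", "clean", "lab", "lab-password", r"C:\ProgramData\av-a\report.log"),
        GuestVM("av-b", r"C:\VMs\win-av-b\win.vmx", "clean", "lab", "lab-password", r"C:\ProgramData\av-b\events.log"),
    ]
    results = run_all(guests, Sample(r"C:\samples\sample.exe"), 120, r"C:\results", "--dry-run" in sys.argv)
    for name, steps in results.items():
        print(name, "->", len(steps), "steps")
```

The plan is deliberately data rather than code: you can print it, review the exact `vmrun` invocations before a run, and swap the ProcMon steps for another monitor (or append an A/V-specific export command) without touching the executor. The guest password is passed on the command line because that is how `vmrun -gp` works; keep the driver on the analysis host only.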