Virtual Machine Configuration
Virtualization Setup
To prepare for the virtualization labs, you will need to install a virtual machine manager onto your computer.
Enable Virtualization Extensions
In order for your computer to properly run guest operating systems with reasonable performance, some hardware features of your CPU need to be enabled. For Intel processors, these features are called "VT-x", and for AMD processors, they are called "AMD-V". It's hit or miss whether these features are enabled by default on consumer computers - in prior classes about 25% of students had to enable them manually.
If you have a Mac: Congratulations, any modern Intel-based Mac should already have VT-x enabled. If you wish to verify this out of an abundance of caution, launch the Terminal app and run the following command, and look for VMX in the output:
$ sysctl -a | grep machdep.cpu.features
If you have a Windows 10 PC: Run the Task Manager program. In the Performance tab, look for a line labeled "Virtualization", and confirm that it says enabled. Look here for an example of the desired output along with some alternate methods of confirming CPU virtualization extensions are enabled.
If virtualization extensions are not enabled, you will need to enable them before continuing. The location of the specific button is not in Windows, however. It's buried deep in the BIOS or UEFI software that runs immediately after your computer is powered on, before Windows even starts. The step-by-step process to enable this option is unfortunately very computer dependent. Typically the process involves restarting your computer and immediately starting to repeatedly press the F2 key. Or F10. Or DEL. The correct key varies by vendor. You might see a quick message "Press <some key> to enter Setup" flash very briefly on the screen. Or, you might need to do a search for "Access BIOS" followed by your specific computer make and model. Once you are in the BIOS, you can navigate using the arrow keys (or newer UEFI systems allow you to use the mouse). Navigate through the settings looking for a "Virtualization Extensions" (or similar) option that you can change from Disabled to Enabled. If you can't find anything, you might need to search for instructions for your specific model of computer. Save the BIOS settings (via the keyboard shortcut listed at the bottom of the screen), let the computer reboot, and then check if Windows says that Virtualization is enabled now.
Choose a Virtual Machine Manager
First, download the appropriate software for your computer. You have a few choices here:
- Paid products - RECOMMENDED CHOICE
  - Windows or Linux: VMware Workstation Pro
    - As of January 2022, the latest version is 16.x and Pacific has a FREE ACADEMIC LICENSE
  - Mac: VMware Fusion
    - As of January 2022, the latest version is 12.x and Pacific has a FREE ACADEMIC LICENSE
- Free products
  - Windows, Mac, or Linux: VirtualBox
Warning: The free VMware Player products are NOT sufficient for this class due to the annoying limitation that they will only run a single virtual machine at a time, but we need multiple VMs running simultaneously and communicating with each other. Furthermore, the Player products do not support taking snapshots of virtual machines, a feature that can sometimes be essential. Paid VMware products (Workstation Pro and Fusion) do not have these limitations.
Second, install it! (Accepting the default options is generally reasonable)
Third, run its own internal "Check for Updates" feature to ensure you have all the latest bugfixes and security fixes!
Virtualization Setup FAQs
Which is better - VMware or VirtualBox?
In previous classes, the VMware products typically worked more smoothly out of the box. But, the free VirtualBox product can always be set up correctly, it just might take some additional effort. Both are supported methods in this course.
I have an older software version than what is listed above - can I use it?
Using an older virtual machine manager is highly discouraged. These are complex programs that are regularly updated to (a) improve compatibility with their host operating systems, (b) improve compatibility with the guest/virtual operating systems being created, and (c) fix security vulnerabilities that would allow a malicious guest OS to break out into the host OS. These should all be important to you as security professionals, particularly the point about vulnerabilities! Update your virtual machine manager regularly, even if it means giving VMware more money...
Virtual Machines for COMP 272
There are two virtual machines needed to reverse engineer malware in this course: a REMnux Linux VM and a Windows VM.
REMnux 7.0 (Linux)
Download and configure a REMnux 7.0 Linux virtual machine in which to safely contain your Windows malware samples. The easiest installation method is to download the "Virtual Appliance File". This OVA ("Open Virtual Appliance") is a disk image containing the software pre-installed, ready to be imported into your virtualization software.
After importing the OVA image, launch your new REMnux VM, and ensure that it is updated to the latest version:
$ remnux upgrade
# And go eat dinner as the whole OS is updated...
For security, disable IP Forwarding as a default setting. REMnux automatically launches Docker at startup, which provides the option of running additional Dockerized applications not easily installed in the base distribution. While a nice feature for power users, launching Docker automatically at boot has one side effect we want to avoid - it configures Linux to enable IP Forwarding and turns the OS into a router. This is necessary for the Docker apps to have network access, but potentially dangerous when we are using REMnux to examine malware network traffic. It is far safer to have IP forwarding disabled by default (the normal Linux setting), and only enable it at run-time when we specifically want it.
# Testing results - Is IP forwarding disabled?
sysctl net.ipv4.ip_forward # Should be 0! (OFF)
# If it is 1 (ON), continue to disable docker:
systemctl status docker # Should see that Docker has been started / running
systemctl stop docker # Will stop Docker, but only this time
# To disable Docker from automatically starting in the future, disable its systemd unit.
# (REMnux 7 is Ubuntu-based and uses systemd; an Upstart-style /etc/init/docker.override
# file containing "manual" has no effect on a systemd system.)
sudo systemctl disable docker
# If a docker.socket unit is also present, disable it too, otherwise socket activation
# can start the daemon again on the first connection:
systemctl list-unit-files docker.socket && sudo systemctl disable docker.socket
# Restart REMnux to see if setting takes effect
sudo reboot
# Testing results - Is IP forwarding disabled?
sysctl net.ipv4.ip_forward # Should be 0! (OFF)
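As an added example (not from the course page), the checks above packaged as a small pre-analysis script that refuses to continue while REMnux is still forwarding packets; the path to the ip_forward knob is a parameter so the same function can be run against a constructed file as well as the live kernel value.

```shell
#!/bin/sh
# Added example, not part of the course instructions: pre-flight check for the
# REMnux VM before capturing malware traffic. Assumes a systemd host (REMnux 7)
# for the Docker check; the ip_forward path defaults to the live kernel knob.
set -u

# Print disabled/enabled/unknown for the ip_forward value stored in the file $1.
ip_forward_state() {
    knob="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$knob" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$knob")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# Report whether Docker is set to start at boot (enabled/disabled/unknown/unavailable).
docker_boot_state() {
    command -v systemctl >/dev/null 2>&1 || { echo unavailable; return 0; }
    s=$(systemctl is-enabled docker 2>/dev/null)
    echo "${s:-unknown}"
}

# Return 0 only when forwarding is off; otherwise print the remediation and return 1.
preflight() {
    knob="${1:-/proc/sys/net/ipv4/ip_forward}"
    state=$(ip_forward_state "$knob")
    echo "ip_forward: $state   docker at boot: $(docker_boot_state)"
    if [ "$state" = disabled ]; then
        return 0
    fi
    echo "IP forwarding is on: stop Docker and run 'sudo sysctl -w net.ipv4.ip_forward=0' first" >&2
    return 1
}

# Run the check against the live system when executed directly with --check.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```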
VirtualBox-specific setup instructions:
If you are using VirtualBox, you will have better integration with your host system if you run the following commands to install the host tools inside of REMnux:
$ sudo apt-get update
$ sudo apt-get install virtualbox-guest-x11
$ sudo reboot
# Now you should be able to resize your window...
In addition, for VirtualBox, ensure that file Drag and Drop and Clipboard integration is enabled. Go to Settings for your REMnux VM, select General->Advanced, and ensure both "Shared Clipboard" and "Drag'n'Drop" are set to "Bidirectional" instead of their default setting of "Disabled".
VMware-specific setup instructions:
If you are using VMware, you will have better integration with your host system if you run the following commands to install the host tools inside of REMnux:
$ sudo apt-get update
$ sudo apt-get install open-vm-tools-desktop
$ sudo reboot
Windows 10 VM Configuration
From instructions that were provided in class, download a Windows virtual machine that comes pre-installed with a copy of all the necessary analysis tools for this course.
VirtualBox-specific setup instructions:
- If running VirtualBox on Linux (as opposed to Windows or Mac), go to Settings->System->Acceleration->Paravirtualization Interface and change it from "default" to "KVM". Otherwise, your VM will run at 100% CPU usage and make minimal progress booting.
- Ensure that your virtual machine type is set to "Windows" and the version is set to "Windows 10 (64-bit)". Otherwise, you may get an error from the Windows boot loader complaining that you don't have a 64-bit processor.
- Tell VirtualBox to export one of the "Intel Pro/1000 MT" NIC types as the Ethernet card to the Windows VM guest. The default "PCnet-FAST III" will not work - there is no driver pre-installed under Windows. Shut down your Windows VM, and then click on Settings->Network->Advanced (toggle)->Adapter Type to modify this setting.
- Install the VirtualBox Guest Additions for better host/guest integration, such as resizing and scaling your display. Go to Settings->Storage and click the "Add Optical Drive" button (CD with a plus icon). Then, boot your Windows VM. Use the "Insert Guest Additions CD image" menu option in VirtualBox after your VM is running, and you should see a virtual CD drive appear in Windows and prompt you to install the software. If this doesn't work, you could manually download the VBoxGuestAdditions_X.X.X.iso from http://download.virtualbox.org/virtualbox/6.1.30/ and open the ISO to find the Windows installer within. (Note: Version 6.1.30 is current as-of Jan 2020).
VMware-specific setup instructions:
No additional VMware configuration is required.
SNAPSHOT SNAPSHOT SNAPSHOT!
Before proceeding further, take a snapshot of your fresh, non-infected Windows virtual machine and give it a clear label so that you can restore it later when needed.
Networking Configuration
In order to enable network communication between virtual machines, VirtualBox requires additional configuration.
VirtualBox-specific setup instructions:
In VirtualBox, you want to use the "NAT Network" mode of operation, not the "NAT" mode of operation.
Create a new shared network that can be used by all or some of your virtual machines. Go to File->Preferences->Network and click the "plus" icon to add a new NAT Network. The default network name of "NatNetwork" is fine. If you click the "gear" icon, you can see the details for this new network, including its "CIDR" (Classless Inter-Domain Routing, i.e. the subnet) and other settings. The default options (a subnet of 10.0.2.0/24 with DHCP enabled) are fine. OK out of all the Preferences windows.
Assign each virtual machine to use this new shared NAT network. For each VM, go to Settings->Network, and for Adapter 1 (the only one in use), change the "Attached to" setting from the default of "NAT" to the new "NAT Network". For the "Name" field directly below, ensure the name of your new network (e.g. "NatNetwork") is selected. OK out of all Preferences windows.
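The VirtualBox settings described above for the Windows VM (64-bit OS type, Intel Pro/1000 MT NIC, KVM paravirtualization on Linux hosts), the shared NAT Network and the clean snapshot can also be applied with VBoxManage instead of clicking through the GUI. This is an added example, not part of the course instructions or VirtualBox's own documentation; the VM names "Win10-Analysis" and "REMnux" and the snapshot label are placeholders, and it assumes the VMs are powered off, since modifyvm refuses to change a running VM.

```shell
#!/bin/sh
# Added example, not from the course page: apply the VirtualBox lab settings
# from the command line. VBOXMANAGE can be overridden (e.g. VBOXMANAGE=echo) to
# dry-run and inspect the commands without a VirtualBox installation.
set -eu
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# Create the shared "NAT Network" (not plain "NAT") so the guests can reach each
# other; same defaults as the GUI: 10.0.2.0/24 with DHCP enabled.
create_lab_natnetwork() {
    net="${1:-NatNetwork}"
    "$VBOXMANAGE" natnetwork add --netname "$net" --network "10.0.2.0/24" --enable --dhcp on
}

# Attach adapter 1 of a VM to the shared NAT Network.
attach_to_natnetwork() {
    vm="$1"; net="${2:-NatNetwork}"
    "$VBOXMANAGE" modifyvm "$vm" --nic1 natnetwork --nat-network1 "$net"
}

# Windows 10 guest settings: 64-bit OS type, Intel PRO/1000 MT Desktop NIC
# (82540EM, which Windows has a driver for) and the KVM paravirtualization
# interface when the host is Linux. $2 overrides the host OS for dry runs.
configure_win10_vm() {
    vm="$1"; host_os="${2:-$(uname -s)}"
    "$VBOXMANAGE" modifyvm "$vm" --ostype Windows10_64 --nictype1 82540EM
    if [ "$host_os" = "Linux" ]; then
        "$VBOXMANAGE" modifyvm "$vm" --paravirtprovider kvm
    fi
}

# Record the fresh, non-infected state so it can be restored after each sample.
snapshot_clean_state() {
    vm="$1"; label="${2:-clean-baseline}"
    "$VBOXMANAGE" snapshot "$vm" take "$label" --description "fresh, non-infected VM"
}

main() {
    create_lab_natnetwork NatNetwork
    configure_win10_vm "Win10-Analysis"
    attach_to_natnetwork "Win10-Analysis"
    attach_to_natnetwork "REMnux"
    snapshot_clean_state "Win10-Analysis"
}

# Only touch VirtualBox when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh lab-vbox.sh --apply` with both VMs powered off, or with `VBOXMANAGE=echo` first to review the exact commands it would issue.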
VMware-specific setup instructions:
No additional VMware configuration is required.