Virtual Machine Configuration

There are two virtual machines needed to reverse engineer malware in this course: a Linux VM (REMnux) and a Windows VM.

Warning: The free VMware Workstation Player (for Windows) is NOT sufficient for this class due to two annoying limitations:

  1. It will only run a single virtual machine at a time, but we need multiple VMs running simultaneously and communicating with each other.
  2. It is not able to take snapshots of virtual machines.

Paid VMware products (Workstation Pro, Fusion) do not have these limitations.

Linux VM Configuration

Download and configure a REMnux Linux virtual machine, which will safely contain the Windows malware samples you analyze.

Some tools have been added to REMnux after the virtual machine image was released. To update your copy to the latest version, run:

$ update-remnux
# And go get a cup of coffee as the whole OS is updated.

For security, disable IP forwarding as the default setting. REMnux automatically launches Docker at startup, which provides the option of running additional Dockerized applications that are not easily installed in the base distribution. While a nice feature for power users, launching Docker automatically at boot has one side effect we want to avoid: it configures Linux to enable IP forwarding and turns the OS into a router. This is necessary for the Docker apps to have network access, but it is potentially dangerous when we are using REMnux to examine malware network traffic, because packets from an infected VM could be forwarded beyond the analysis network. It is far safer to have IP forwarding disabled by default (the normal Linux setting), and to enable it at run-time only when we specifically want it.

service docker status   # Should show that Docker has been started / is running
service docker stop     # Stops Docker, but only for this session

# To disable Docker from automatically starting in the future,
# create a file /etc/init/docker.override with the word "manual" in it
sudo su -c "echo manual >> /etc/init/docker.override"

# Restart REMnux to see if the setting takes effect
sudo reboot

# Testing results - Is IP forwarding disabled?
sudo sysctl net.ipv4.ip_forward     # Should be 0! (OFF)
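The following script is an added example (not part of the course page) that re-checks the two settings above, the Upstart override for Docker and the IPv4/IPv6 forwarding flags, so you can confirm the safe state after every reboot; the file paths are parameters so the same checks can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not from the course page: verify the REMnux hardening steps
# (Docker not auto-started at boot, IP forwarding off for IPv4 and IPv6).
IPV4_FWD=/proc/sys/net/ipv4/ip_forward
IPV6_FWD=/proc/sys/net/ipv6/conf/all/forwarding
DOCKER_OVERRIDE=/etc/init/docker.override   # Upstart override file used by this REMnux release

# Print the flag stored in a sysctl file: 0 (off), 1 (on) or "missing" if unreadable.
forwarding_state() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo missing
    fi
}

# Succeed only when the override file contains a line that is exactly "manual".
docker_manual() {
    [ -f "$1" ] && grep -qx 'manual' "$1"
}

# Usage: check_remnux IPV4_FILE IPV6_FILE OVERRIDE_FILE
# Reports every setting; returns non-zero if any of them is in the unsafe state.
check_remnux() {
    rc=0
    for f in "$1" "$2"; do
        case "$(forwarding_state "$f")" in
            0) echo "OK   forwarding disabled: $f" ;;
            1) echo "FAIL forwarding ENABLED:  $f"; rc=1 ;;
            *) echo "WARN cannot read $f" ;;
        esac
    done
    if docker_manual "$3"; then
        echo "OK   Docker will not start at boot ($3 says manual)"
    else
        echo "FAIL Docker still starts at boot: $3 does not contain 'manual'"; rc=1
    fi
    return $rc
}

# Stand-alone use: check the real system files.
if check_remnux "$IPV4_FWD" "$IPV6_FWD" "$DOCKER_OVERRIDE"; then
    echo "REMnux forwarding/Docker state looks safe"
else
    echo "REMnux needs attention, see the FAIL lines above"
fi
```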

VirtualBox-specific setup instructions:

If you are using VirtualBox, you will have better integration with your host system if you run the following commands to install the host tools inside of REMnux:

$ sudo apt-get update
$ sudo apt-get install virtualbox-guest-x11
$ sudo reboot
# Now you should be able to resize your window...

VirtualBox Clipboard Settings
In addition, for VirtualBox, ensure that file Drag and Drop and Clipboard integration are enabled. Go to Settings for your REMnux VM, select General->Advanced, and ensure both "Shared Clipboard" and "Drag'n'Drop" are set to "Bidirectional" instead of their default setting of "Disabled".

VMware-specific setup instructions:

If you are using VMware, you will have better integration with your host system if you run the following commands to install the host tools inside of REMnux:

$ sudo apt-get update
$ sudo apt-get install open-vm-tools-desktop
$ sudo reboot

Windows VM Configuration

From instructions that were provided in class, download a Windows virtual machine that comes pre-installed with a copy of all the necessary analysis tools for this course.

VirtualBox-specific setup instructions:

  1. If running VirtualBox on Linux (as opposed to Windows or Mac), go to Settings->System->Acceleration->Paravirtualization Interface and change it from "default" to "KVM". Otherwise, your VM will run at 100% CPU usage and make minimal progress booting.

  2. Ensure that your virtual machine type is set to Windows and the version is set to Windows 10 (64-bit). Otherwise, you may get an error from the Windows boot loader complaining that you don't have a 64-bit processor.

VirtualBox Set Network NIC

  1. Tell VirtualBox to export one of the Intel Pro/1000 MT NIC types as the Ethernet card to the Windows VM guest. The default PCnet-FAST III will not work - there is no driver pre-installed under Windows. Shut down your Windows VM, and then click on Settings->Network->Advanced (toggle)->Adapter Type to modify this setting.

  2. Install the VirtualBox Guest Additions for better host/guest integration, such as resizing and scaling your display. Go to Settings->Storage and click the "Add Optical Drive" button (CD with a plus icon). Then, boot your Windows VM. Use the "Insert Guest Additions CD image" menu option in VirtualBox after your VM is running, and you should see a virtual CD drive appear in Windows and prompt you to install the software. If this doesn't work, you can manually download the VBoxGuestAdditions_X.X.X.iso from http://download.virtualbox.org/virtualbox/6.1.0/ and open the ISO to find the Windows installer within. (Note: Version 6.1.0 is current as of Dec 2019).

VMware-specific setup instructions:

No additional VMware configuration is required.

SNAPSHOT SNAPSHOT SNAPSHOT!
Before proceeding further, take a snapshot of your fresh, non-infected Windows virtual machine and give it a clear label so that you can restore it later when needed.

Networking Configuration

In order to enable network communication between virtual machines, VirtualBox requires additional configuration.

VirtualBox-specific setup instructions:

VirtualBox NAT Network Configuration 1
In VirtualBox, you want to use the "NAT Network" mode of operation, not the "NAT" mode of operation.

Create a new shared network that can be used by all or some of your virtual machines. Go to File->Preferences->Network and click the "plus" icon to add a new NAT Network. The default network name of "NatNetwork" is fine. If you click the "gear" icon, you can see the details for this new network, including its "CIDR" (Classless Inter-Domain Routing, i.e. the subnet) and other settings. The default options (a subnet of 10.0.2.0/24 with DHCP enabled) are fine. OK out of all the Preferences windows.

VirtualBox NAT Network Configuration 2
Assign each virtual machine to use this new shared NAT network. For each VM, go to Settings->Network, and for Adapter 1 (the only one in use), change the "Attached to" setting from the default of "NAT" to the new "NAT Network". For the "Name" field directly below, ensure the name of your new network (e.g. "NatNetwork") is selected. OK out of all Preferences windows.
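The same VirtualBox settings described in the Windows VM section above (NIC type, OS type, KVM paravirtualization, clean snapshot) and in this networking section (shared NAT Network, adapter attachment, clipboard) can be applied from the command line with VBoxManage; this script is an added example, not part of the course page, and the VM names "REMnux" and "Win10-Malware" and the snapshot name are assumptions. Run it with VBOX_DRY_RUN=1 to review the commands before applying them to powered-off VMs.

```shell
#!/bin/sh
# Added example, not from the course page: apply the VirtualBox lab settings
# from the text with VBoxManage instead of the GUI. VM names are assumptions.
NET_NAME=NatNetwork      # default name the text accepts
NET_CIDR=10.0.2.0/24     # default subnet, DHCP enabled

# Run VBoxManage, or just print the command when dry-running / VBoxManage is absent.
vbox() {
    if [ -n "${VBOX_DRY_RUN:-}" ] || ! command -v VBoxManage >/dev/null 2>&1; then
        echo "VBoxManage $*"
    else
        VBoxManage "$@"
    fi
}

# Shared "NAT Network" (not plain "NAT"), so the VMs can reach each other.
create_nat_network() {
    vbox natnetwork add --netname "$NET_NAME" --network "$NET_CIDR" --enable --dhcp on
}

# Attach a VM's Adapter 1 to the shared network; enable bidirectional
# clipboard and drag-and-drop as the text asks for.
attach_vm() {
    vbox modifyvm "$1" --nic1 natnetwork --nat-network1 "$NET_NAME" \
        --clipboard-mode bidirectional --draganddrop bidirectional
}

# Windows guest specifics: Intel PRO/1000 MT Desktop NIC (82540EM) so a driver
# exists, 64-bit Windows 10 OS type, KVM paravirtualization for Linux hosts.
configure_windows_vm() {
    vbox modifyvm "$1" --ostype Windows10_64 --nictype1 82540EM --paravirtprovider kvm
}

# The clean, non-infected snapshot the course insists on before any sample runs.
snapshot_clean() {
    vbox snapshot "$1" take "$2"
}

# Usage: configure_lab LINUX_VM WINDOWS_VM
configure_lab() {
    create_nat_network
    attach_vm "$1"
    attach_vm "$2"
    configure_windows_vm "$2"
    snapshot_clean "$2" "clean-uninfected"
}

configure_lab "${1:-REMnux}" "${2:-Win10-Malware}"
```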

VMware-specific setup instructions:

No additional VMware configuration is required.