Thursday, August 23, 2012

Modifying VirtualBox settings for malware analysis

If you are using VirtualBox for malware analysis, either with a sandbox like Cuckoo or stand-alone, you probably want to be able to run modern malware, including samples that are VM-aware.

Here are a few tips to make your VirtualBox guest somewhat harder to detect.

First, run dmidecode on your host (I assume it is a Linux-based one, but this can be performed on other OSes as well):

#dmidecode -t0
#dmidecode -t1

You will get an output that looks something like this:

BIOS Information
    Vendor: <vendor>
    Version: <BIOS version>
    Release Date: <BIOS date>
System Information
    Manufacturer: <vendor>
    Product Name: <product>
    Version: <hw "version">
    Serial Number: <S/N>
    UUID: <UUID>
    Wake-up Type: Power Switch
    SKU Number: Not Specified
    Family: <"hw "version">
To make it easier to apply these settings to several guests, create a script that
contains the following commands (populate the values with information from the
dmidecode output above):

VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor"        "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion"       "<BIOS version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate"   "<BIOS date>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor"  <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor"  <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor"      "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct"     "<product>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion"     "<product>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial"      "<S/N>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU"         "Not Specified"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily"      "<hw version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid"        "<UUID>"
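
To avoid filling in the placeholders by hand, here is an added example (not from the original post) in POSIX sh that parses dmidecode -t0/-t1 output and prints the matching VBoxManage setextradata commands. The sample DMI text, the VM name and the helper names are constructed for illustration; values are assumed not to contain double quotes.

```shell
#!/bin/sh
# Added example: turn dmidecode -t0/-t1 output into the VBoxManage setextradata
# commands above, so the guest's DMI data mirrors the host it runs on.

# Constructed sample in the layout dmidecode uses (not a real machine).
SAMPLE_DMI='BIOS Information
        Vendor: ExampleBIOS Corp
        Version: 1.23
        Release Date: 05/14/2012
System Information
        Manufacturer: Example Computers Inc
        Product Name: ExampleBook 1000
        Version: Rev 2
        Serial Number: EX-000000
        UUID: 12345678-1234-1234-1234-123456789ABC
        Wake-up Type: Power Switch
        SKU Number: Not Specified
        Family: ExampleBook'

# dmi_field SECTION LABEL TEXT: print the value of LABEL inside SECTION (first match only).
dmi_field() {
    printf '%s\n' "$3" | awk -v sec="$1" -v key="$2" '
        /^[^ \t]/ { insec = ($0 == sec); next }   # unindented line: section header
        insec { line = $0; sub(/^[ \t]+/, "", line)
                if (index(line, key ": ") == 1) { print substr(line, length(key) + 3); exit } }'
}

# emit_setting VM KEY VALUE: print one setextradata command for the pcbios device.
emit_setting() {
    printf 'VBoxManage setextradata "%s" "VBoxInternal/Devices/pcbios/0/Config/%s" "%s"\n' "$1" "$2" "$3"
}

# vbox_dmi_commands VM TEXT: print the commands for every field dmidecode reports directly.
# The Release/Firmware Major/Minor keys are left out; set those by hand as the post describes.
vbox_dmi_commands() {
    vm=$1; dmi=$2
    emit_setting "$vm" DmiBIOSVendor      "$(dmi_field 'BIOS Information'   'Vendor'        "$dmi")"
    emit_setting "$vm" DmiBIOSVersion     "$(dmi_field 'BIOS Information'   'Version'       "$dmi")"
    emit_setting "$vm" DmiBIOSReleaseDate "$(dmi_field 'BIOS Information'   'Release Date'  "$dmi")"
    emit_setting "$vm" DmiSystemVendor    "$(dmi_field 'System Information' 'Manufacturer'  "$dmi")"
    emit_setting "$vm" DmiSystemProduct   "$(dmi_field 'System Information' 'Product Name'  "$dmi")"
    emit_setting "$vm" DmiSystemVersion   "$(dmi_field 'System Information' 'Version'       "$dmi")"
    emit_setting "$vm" DmiSystemSerial    "$(dmi_field 'System Information' 'Serial Number' "$dmi")"
    emit_setting "$vm" DmiSystemSKU       "$(dmi_field 'System Information' 'SKU Number'    "$dmi")"
    emit_setting "$vm" DmiSystemFamily    "$(dmi_field 'System Information' 'Family'        "$dmi")"
    emit_setting "$vm" DmiSystemUuid      "$(dmi_field 'System Information' 'UUID'          "$dmi")"
}

# Print the commands for review; on a real host, pipe them to sh instead:
#   vbox_dmi_commands "<vm name>" "$(dmidecode -t0; dmidecode -t1)" | sh
vbox_dmi_commands "<vm name>" "$SAMPLE_DMI"
```

Review the generated commands before piping them to sh, and verify the result afterwards with VBoxManage getextradata "<vm name>" enumerate.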


Also:
  • Change the MAC address:
    VBoxManage modifyvm "<vm name>" --macaddressX <MAC>
  • Change the disk settings:
    VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber"     "<serial>"
    VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "<firmware>"
    VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber"      "<model>"
  • Detach the CD-ROM (or change the settings for the CD-ROM)
  • Don't install the VirtualBox Guest Additions (vbox tools)!

To review your settings, run: VBoxManage getextradata "<vm name>" enumerate

/Micke

Update 1:

Untested, but it might be useful:
VBoxManage setextradata "<vm name>" "VBoxInternal/TM/TSCTiedToExecution" 1


8 comments:

  1. Good info, but you are missing some parameters:

    http://www.virtualbox.org/manual/ch09.html#changedmi

    1. Hi, you are correct. I have not updated the blog post in a while, which I might have to do. The missing settings, I guess, were added in a newer version. It seems like as time progresses more values can be populated from the host to the guest, which is great. Thanks for your comment!

  2. Hello Mikael,

    I have tried the changes but the virtual machine seems not to get them, even though they have been correctly applied (checked with enumerate).

    Any idea?

    The vm is a windows xp sp3.

    Thanks for your time

    1. Hi Janus,

      Sorry for my late reply. Which version of VBox are you using?

    2. I am having the same issue. Ubuntu 13.04 host running Windows XP SP2 inside of VirtualBox 4.2.10. I run the setextradata command to change the vendor and version for DMI Type 0, and when I run dmidecode in the XP guest, the BIOS info still shows innotek GmbH and VirtualBox for the vendor and version.

    3. Hi,
      I will post an update regarding how to modify VBox, give me a few days to finish it. The setup is the same as the one you describe so hopefully your issue will be resolved.
      Otherwise please let me know!

      /Micke

  3. Thanks for a nice tutorial (and overall top-notch blog entries)!

    //B. September
