Thursday, August 23, 2012

Modifying VirtualBox settings for malware analysis

If you are using VirtualBox for malware analysis, either with a sandbox like Cuckoo or stand-alone, you probably want to be able to run modern malware, including samples that are VM aware.

Here are a few tips to make your VirtualBox guest somewhat harder to detect.

First run dmidecode on your host (I assume it's a Linux-based one, but this can be performed on other OSes as well):

# dmidecode -t0
# dmidecode -t1

You will get an output that looks something like this:

BIOS Information
        Vendor: <vendor>
        Version: <BIOS version>
        Release Date: <BIOS date>
System Information
        Manufacturer: <vendor>
        Product Name: <product>
        Version: <hw version>
        Serial Number: <S/N>
        UUID: <UUID>
        Wake-up Type: Power Switch
        SKU Number: Not Specified
        Family: <hw version>
To make it easier to apply these settings on several guests, create a script that
contains the following commands
(populate the values with information from the dmidecode output above):

VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor"        "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion"       "<BIOS version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate"   "<BIOS date>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor"  <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor"  <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor"      "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct"     "<product>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion"     "<hw version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial"      "<S/N>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU"         "Not Specified"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily"      "<hw version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid"        "<UUID>"
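As an added example (not from the original post), a POSIX shell script that builds the setextradata lines above directly from the output of dmidecode -t0 -t1, run here against a constructed sample instead of a real host. The Release/Firmware Major/Minor lines, which the post derives from the BIOS date without spelling out how, are left for you to add by hand; the VM name "analysis-vm" is a placeholder.

```shell
#!/bin/sh
# Constructed sample of 'dmidecode -t0 -t1' output; the values are made up.
SAMPLE_DMI='BIOS Information
        Vendor: Example BIOS Vendor
        Version: 1.23
        Release Date: 03/15/2012
System Information
        Manufacturer: Example Computer Inc.
        Product Name: Example Desktop 100
        Version: 1.0
        Serial Number: EX123456
        UUID: 0f9a8b7c-6d5e-4f3a-2b1c-0d9e8f7a6b5c
        Family: Example Family'

# dmi_field TEXT SECTION KEY: print the value of KEY inside SECTION.
# "Version" appears in both sections, so the current section header is tracked.
dmi_field() {
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
        /^[^ \t]/ { insec = ($0 == sec); next }
        insec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key ":") == 1) {
                v = substr(line, length(key) + 2); sub(/^[ \t]+/, "", v)
                print v; exit
            }
        }'
}

# gen_dmi_commands VMNAME TEXT: print one VBoxManage setextradata line per DMI key.
gen_dmi_commands() {
    vm=$1; dmi=$2; base="VBoxInternal/Devices/pcbios/0/Config"
    emit() { printf 'VBoxManage setextradata "%s" "%s/%s" "%s"\n' "$vm" "$base" "$1" "$2"; }
    emit DmiBIOSVendor      "$(dmi_field "$dmi" 'BIOS Information' 'Vendor')"
    emit DmiBIOSVersion     "$(dmi_field "$dmi" 'BIOS Information' 'Version')"
    emit DmiBIOSReleaseDate "$(dmi_field "$dmi" 'BIOS Information' 'Release Date')"
    emit DmiSystemVendor    "$(dmi_field "$dmi" 'System Information' 'Manufacturer')"
    emit DmiSystemProduct   "$(dmi_field "$dmi" 'System Information' 'Product Name')"
    emit DmiSystemVersion   "$(dmi_field "$dmi" 'System Information' 'Version')"
    emit DmiSystemSerial    "$(dmi_field "$dmi" 'System Information' 'Serial Number')"
    emit DmiSystemSKU       "Not Specified"
    emit DmiSystemFamily    "$(dmi_field "$dmi" 'System Information' 'Family')"
    emit DmiSystemUuid      "$(dmi_field "$dmi" 'System Information' 'UUID')"
}

# Dry run on the constructed sample; on a real host pass "$(dmidecode -t0 -t1)" instead.
gen_dmi_commands "analysis-vm" "$SAMPLE_DMI"
```

Redirect the output to a file, review it, and run it as the script the post describes; nothing is applied to the VM until you execute the generated lines.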


Also:
  • Change the MAC address (X is the adapter number, e.g. --macaddress1):
VBoxManage modifyvm "<vm name>" --macaddressX <MAC>
  • Change the disk settings:
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber"     "<serial>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "<firmware>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber"      "<model>"

  • Detach the CD-ROM (or change the settings for the CD-ROM)
  • Don't install the VirtualBox Guest Additions (vbox tools)!
Use VBoxManage getextradata "<vm name>" enumerate to review your settings.

/Micke

Update 1:

Untested, but might be useful:
VBoxManage setextradata "<vm name>" "VBoxInternal/TM/TSCTiedToExecution" 1