Last week I demonstrated how to setup a basic virtual network consisting of two windows virtual machines. For this week’s blog I will share some tips I found to prevent malware from escaping your virtual machine and infecting your physical machine. Disclaimer: this list is not an exhaustive list of precautions to take as our team is starting our malware analysis journey with this project.
Take a snapshot of the system
Snapshots are points in the history of the virtual machine. It is necessary to take a snapshot of the system prior to unleashing the malware. You can access this feature in VMware Workstation by clicking on VM > Snapshot > Take Snapshot
After you unleash the malware and perform analysis we can revert by clicking on VM > Snapshot > and choosing either Snapshot Manager or clicking on desired snapshot.
Setting up host-only networking
Host-only networking sets up an isolated virtual network within the host system. By default this configuration cannot connect to the internet.
To set this up we have to either create a virtual network or use an existing one in the Virtual Network Editor.
By default there is already a virtual network named VMnet1. The screenshot below shows VMnet0 was created after we clicked on “Add Network”. We enabled Host-only configuration as well.
Afterwards we need to set our virtual machines network adapter to the host-only network. Access the settings for your particular virtual machine through VM >Settings.
In the image below you can choose the default Host-only network VMnet1 or the custom network we created. Make sure your virtual machine is not started when you change this or you would need to restart for the change to take effect.
Ensure your Hypervisor is up to date
A hypervisor is the software where you are creating, running, and managing your virtual machines from. Some malware have been known to have the ability to recognize they are inside a virtual machine and will modify their behavior or even escape. Software updates will help prevent this. For this project our group used VMware Workstation 16 and you can check for updates through Help > Software Updates.
Do not connect the laboratory system to the production network
Earlier we took care of this by enabling host-only networking.
An additional precaution we can take is disabling “Connect a host virtual adapter to the network”. Per the vmware documentation, if this is enabled then we will connect a physical network on the host system to the virtual network.
Make it harder for the Malware to realize it is in a VM
A malware may be able to recognize it is in a virtual machine by the presence of virtual machine related software within the VM. For our configuration we would remove VMWare tools which allows us to copy and paste text or drag and drop files into the VM.
Disable Shared Folders and facilitate Guest Isolation
Access the settings for a particular VM through VM > Settings.
Shared Folders facilitate the transfer of files between the physical and virtual machine. However as shown by the warning in settings, this added point of contact could be exploited by malware.
Similarly we can decrease additional points of contact by disabling “drag and drop” and “copy and paste”
Sources Cited
- https://zeltser.com/vmware-malware-analysis/
- https://docs.vmware.com/en/VMware-Workstation-Pro/15.0/com.vmware.ws.using.doc/GUID-E08995A9-7DE6-4D92-8C6F-4F737C3A8AB3.html
- https://www.geeksforgeeks.org/virtual-machine-for-malware-analysis/
- https://docs.vmware.com/en/VMware-Workstation-Player-for-Linux/16.0/com.vmware.player.linux.using.doc/GUID-93BDF7F1-D2E4-42CE-80EA-4E305337D2FC.html
