The automated creation and deployment of fully custom VMs (Virtual Machines) as analysis targets may seem like an arcane topic, but it’s crucially important to successful threat analysis, particularly for targeted attacks.
There are several reasons:
- Targeted attacks using custom(ized) malware often will check for specific attributes on the target machine before executing. For example, if the target is a French defense contractor, then the malware may check that the target machine is set for the appropriate time zone and French language and keyboard settings. More sophisticated malware may go further and check for specific applications or settings unique to the victim organization’s machines. Other examples would be Brazilian banking Trojans that will geolocate to verify they are indeed executing on a desktop in Brazil, with the appropriate localization settings.
- Malware of all kinds will conduct anti-analysis checks. We’ve blogged extensively here, here and here about approaches like VM detection and COM usage. One common technique is to conduct tests to verify that the target machine is in fact ‘real’ – telltale signs that it is a default analysis machine may be an empty documents folder or the default Windows desktop image. This can be overcome by deploying images that are prepared so as to look ‘used’. Usually these will be otherwise identical to the real images the organization runs on its desktops and servers. An important aspect here is not using static images, but periodically randomizing their content: a cumbersome task without automation.
- Providing the right software environment is crucial when analyzing certain types of malware. Malicious documents typically target vulnerabilities in certain Office applications and their malicious behavior is only triggered when viewed in the vulnerable application version. When analyzing rootkits and other system-level malware, their real intention is often revealed only when executed under the right operating system and patch level. Hence it’s important to analyze files with many different software stacks and operating system versions in parallel.
With many sandboxes, the target machine provided is fixed and can’t be customized by the user. A key benefit of VMRay is its ability to run with fully customized VM images, such as the user’s own gold image. Additionally, VMRay provides tools to easily and quickly create many different custom VM images. One only has to set up a specific configuration once in order to create hundreds of different images in a fully automated way.
The Custom VM Challenge
Just the ability to run a user-provided image doesn’t go far enough in addressing real-world requirements.
An ideal solution needs to:
- Allow customized setup of hardware, Windows settings and installed programs
- Easily integrate with enterprise Windows deployment (WAIK Answerfiles)
- Enable effortless reuse of a single configuration across different Windows versions and patch levels
- Support usage of many different software stacks on top of the same base image
- Have fully automated installation without any required user input
The Solution
To address this, the VMRay team developed an automatic installation infrastructure, the VMRay Auto Install Tool, that is easy to use and highly customizable.
The general process is displayed in Figure 1.
The auto install requires:
- A Windows ISO image for installation
- A VMRay Auto Install configuration
The configuration contains Guest settings such as Username and Password, Language and Regional settings, and the like. All those values can be optionally randomized automatically by the installer to thwart VM fingerprinting. The configuration itself can be created by using the interactive dialog assistant (see Figure 2), by providing a previously created configuration file, or by specifying appropriate command line parameters.
To further customize the VMs, additional input can be provided:
1. Additional system configuration can be supplied via a WAIK Answer file. Most enterprises already use these for their OS deployments on their workstations. This provides for easy and efficient integration of already available configurations.
2. Additional third party software (Office, PDF reader, etc.) can be easily integrated by supplying the corresponding setup files.
3. Additional scripts can be supplied to do arbitrary jobs like downloading and installing additional components or further tweaking the installed operating system or applications.
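As an added illustration (not VMRay’s tool or code), the following Python sketches how randomized guest settings of the kind described above (username, password, language and regional settings) can be derived from a seed and rendered into the WAIK answer-file format (unattend.xml) that Windows Setup consumes; the value pools, the seed-based derivation and the reader-side check are assumptions made for this example.

```python
import random
import xml.etree.ElementTree as ET

# Constructed sample pools for illustration (assumption: not VMRay's own value lists).
LOCALES = ["en-US", "fr-FR", "de-DE", "pt-BR"]
TIMEZONES = {"en-US": "Eastern Standard Time", "fr-FR": "Romance Standard Time",
             "de-DE": "W. Europe Standard Time", "pt-BR": "E. South America Standard Time"}
USERS = ["anna", "marc", "julia", "pedro", "lena", "tomas"]
ALNUM = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

NS = "urn:schemas-microsoft-com:unattend"
WCM = "http://schemas.microsoft.com/WMIConfig/2002/State"
# Component attributes every Windows answer file carries (publicKeyToken is Microsoft's).
COMPONENT_ATTRS = {"processorArchitecture": "amd64", "publicKeyToken": "31bf3856ad364e35",
                   "language": "neutral", "versionScope": "nonSxS"}


def random_guest_profile(seed):
    """One guest profile per seed: same seed reproduces an image, new seed gives a new one."""
    rng = random.Random(seed)
    locale = rng.choice(LOCALES)          # time zone is kept consistent with the locale
    return {"username": rng.choice(USERS) + str(rng.randint(10, 99)),
            "password": "".join(rng.choice(ALNUM.lower()) for _ in range(14)),
            "computer_name": "WS-" + "".join(rng.choice(ALNUM) for _ in range(6)),
            "locale": locale, "timezone": TIMEZONES[locale]}


def _component(settings, name):
    return ET.SubElement(settings, f"{{{NS}}}component", {"name": name, **COMPONENT_ATTRS})


def render_unattend(profile):
    """Render the profile as specialize/oobeSystem passes of an unattend.xml fragment."""
    ET.register_namespace("", NS)
    ET.register_namespace("wcm", WCM)
    root = ET.Element(f"{{{NS}}}unattend")
    spec = ET.SubElement(root, f"{{{NS}}}settings", {"pass": "specialize"})
    intl = _component(spec, "Microsoft-Windows-International-Core")
    for tag in ("InputLocale", "SystemLocale", "UILanguage", "UserLocale"):
        ET.SubElement(intl, f"{{{NS}}}{tag}").text = profile["locale"]
    shell = _component(spec, "Microsoft-Windows-Shell-Setup")
    ET.SubElement(shell, f"{{{NS}}}ComputerName").text = profile["computer_name"]
    ET.SubElement(shell, f"{{{NS}}}TimeZone").text = profile["timezone"]
    oobe = ET.SubElement(root, f"{{{NS}}}settings", {"pass": "oobeSystem"})
    accounts = ET.SubElement(_component(oobe, "Microsoft-Windows-Shell-Setup"), f"{{{NS}}}UserAccounts")
    acct = ET.SubElement(ET.SubElement(accounts, f"{{{NS}}}LocalAccounts"),
                         f"{{{NS}}}LocalAccount", {f"{{{WCM}}}action": "add"})
    pwd = ET.SubElement(acct, f"{{{NS}}}Password")
    ET.SubElement(pwd, f"{{{NS}}}Value").text = profile["password"]
    ET.SubElement(pwd, f"{{{NS}}}PlainText").text = "true"
    ET.SubElement(acct, f"{{{NS}}}Name").text = profile["username"]
    ET.SubElement(acct, f"{{{NS}}}Group").text = "Administrators"
    return ET.tostring(root, encoding="unicode")


def read_unattend(xml_text):
    """Read back the settings Setup would apply, to verify a rendered answer file."""
    root = ET.fromstring(xml_text)
    find = lambda path: root.find(path, {"u": NS}).text
    return {"locale": find(".//u:UILanguage"), "computer_name": find(".//u:ComputerName"),
            "timezone": find(".//u:TimeZone"), "username": find(".//u:LocalAccount/u:Name")}
```

The fragment only covers locale, computer name, time zone and the initial account; a deployable answer file also needs the windowsPE pass and any other settings the base image requires.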
When being executed, the VMRay Auto Install Tool performs the following steps to create and output a ready-to-use VM (Fig 3):
1. An automated Windows setup image is created from the Windows ISO, the optional WAIK Answer File, and the Auto Install Configuration.
2. A new VM is created, the setup image is mounted, and the operating system is installed automatically.
3. Finally, all third party software is installed by running the provided installers, and all additionally specified scripts are executed.
It’s important to note that after the installer is started, all steps run autonomously and with no required user input.
Summary
The VMRay Auto Install infrastructure allows easy scripting of VM creation, customization, and installation. As an example we frequently rebuild many dozens of VMs with randomized configurations in our cloud in order to thwart fingerprinting.
Another use is to automate the complete setup of VMs from just one origin configuration. Once the Auto Install Configuration is created, it can combine arbitrary third party software, different Windows versions and patch levels. Hence only one configuration is required to set up hundreds of different VMs at the same time without any further effort. This is extremely useful if we want to automate the generation of VMs for newly released Windows Service Packs or Software Stacks. Also, it’s very easy to set up identical VMs with different languages (English, French, Chinese, etc.): just provide the corresponding ISO file and reuse everything else.
Auto install is another piece in the puzzle for delivering accurate, complete threat analysis. By simplifying and automating the process of creating target analysis machines that are identical to the attacker’s intended target, we eliminate a major failure point in other analysis approaches.