Preparing for D-Day – lab setup

When you procure a malware sample from sources such as honeypots, online repositories, or an infected machine, your first task is to transport it to an environment where the malware can be observed in action without harming any real-world computer system, especially via network communication or propagation. This environment is normally called a sandbox or a malware lab and should be set up prior to analysis.

Dedicated computer hardware can certainly be used for this purpose, though a better solution would be to use virtualization or emulation. The dividends are rich and multivalent—you recoup on the price of real computer hardware and OS backup software while you capitalize on features such as snapshots, persistent disks, host only networking, kernel mode debugging over named pipes, and running multiple OS versions on the same hardware.

VMWare and VirtualBox are two virtualization products that can be leveraged in such a setup. For our purposes, the configuration is simple, as we will be performing manual analysis of a malware sample with third-party tools on Windows XP as the test platform. We will focus on VMWare for this analysis session. The current slew of malware tends to target Windows NT systems, and XP, although discontinued, is still widely used but lacks much of the current bevy of security features and hence is a better choice for unhindered malware execution. It is, however, advisable to execute malware in recent OS versions as well, such as Windows 7 and 8, in order to trigger and observe environment-specific payloads and to confirm and understand their mechanisms.

The current crop of malware employs many creative anti-virtualization tricks that may hinder your analysis. There is always a risk that the virtual environment is detected by the malware or that the malware escapes containment. Be prepared for this and learn about VM detection mechanisms by reading about documented malware that uses them, so that you have something to fall back on. Employing airtight isolation, such as running VMware on a Linux host, adds another layer of defense, especially when it comes to Windows malware.

You set up a Windows installation using the installation disk or an ISO image of the Windows XP SP2 disk. VMWare will ask for the product key and installation will commence. Once done, VMware installs VMWare Tools, after which additional features such as bidirectional copy-and-paste and drag-and-drop between the Guest (the virtualized OS) and the Host (the physical machine that runs VMWare) are enabled, along with shared folders, better video response, and improved peripheral device handling.

VMWare provides four networking modes—Bridged, NAT, Host-only, and Custom. You will use Host-only (VMNet1 by default), which allows the Host to communicate exclusively with the Guest OS (and Guest-to-Guest intranet). NAT (for network access with a shared host IP and other services such as VPN) and Bridged (for direct use of the host network hardware and physical-layer wire sniffing of the virtualized OS's network interactions) are also available as presets.

A useful VMWare feature is non-persistent disks (disks are persistent by default), which remove any trace of malware from a baseline, as nothing in the running state is preserved across the next boot. This is an inbuilt alternative to tools such as Deep Freeze (http://www.faronics.com/en-uk/). Snapshots are also a valid facility for achieving the same goals. However, caveat emptor: if you want to save different snapshots so that you can return to specific parts of the analysis, a non-persistent disk will not allow you to do so; whether that suits you or not, keep it in mind before commencing the analysis. Take a baseline snapshot after all tools are installed and revert to it to restart the analysis. Take further snapshots if you want to save a particular point in the analysis session and resume from it later.
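The host-only networking and non-persistent disk settings described above are stored as plain `key = "value"` lines in the VM's .vmx file, so they can be audited before a sample is ever run. The following Python script is an added example, not code from the book or from VMware: it parses a constructed .vmx fragment and flags settings that weaken isolation (a NIC not set to hostonly, a disk left persistent, a shared folder, and VMware Tools copy/paste/drag-and-drop/shared-folder channels left open). The key names are VMware's; the defaults applied for missing keys (bridged networking, persistent disk) are assumptions noted in the comments.

```python
import re

# Constructed .vmx fragment (not from the book): a lab VM cloned from a
# desktop template that still carries settings unsuitable for malware analysis.
SAMPLE_VMX = r'''
.encoding = "UTF-8"
displayName = "WinXP-SP2-malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "WinXP.vmdk"
isolation.tools.dnd.disable = "FALSE"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\samples"
'''

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file into a dict (keys lowercased)."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(cfg):
    """Return findings where the VM deviates from a host-only, throwaway lab setup."""
    findings = []
    for key, val in cfg.items():
        if val.upper() != "TRUE":
            continue
        if re.match(r"^ethernet\d+\.present$", key):
            nic = key[: -len(".present")]
            # Assumption: a NIC with no connectionType falls back to bridged.
            ctype = cfg.get(nic + ".connectiontype", "bridged")
            if ctype.lower() != "hostonly":
                findings.append(f"{nic}: connectionType '{ctype}' reaches beyond the host")
        elif re.match(r"^(scsi|ide|sata|nvme)\d+:\d+\.present$", key):
            disk = key[: -len(".present")]
            # Assumption: a disk with no mode key is persistent (the VMware default).
            mode = cfg.get(disk + ".mode", "persistent")
            if "nonpersistent" not in mode.lower():
                findings.append(f"{disk}: mode '{mode}' keeps guest changes across reboots")
        elif re.match(r"^sharedfolder\d+\.present$", key):
            findings.append(f"{key}: host directory exposed inside the guest")
    # VMware Tools guest/host channels stay open unless explicitly disabled.
    for chan in ("copy", "paste", "dnd", "hgfs"):
        if cfg.get(f"isolation.tools.{chan}.disable", "FALSE").upper() != "TRUE":
            findings.append(f"isolation.tools.{chan}.disable is not TRUE")
    return findings
```

Run `audit_vmx(parse_vmx(open("lab.vmx").read()))` against your own VM while it is powered off; an empty list means the lab matches the host-only, non-persistent setup discussed here.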

You can copy the following tools to VMware Windows Desktop or to a folder location of your choice.
