When analyzing malware, it is often convenient to infect an isolated laboratory system with the sample to observe how it behaves. Behavioral analysis often involves performing experiments iteratively, slightly varying the lab environment to evoke new behavior and learn about the sample's capabilities. To accomplish this, we need the ability to quickly revert to a known state of the laboratory system.
Restoring state using VMware
Malware analysis like using virtualization software--usually VMware--for setting up the lab. VMware offers the convenience of taking a snapshot of the virtual machine with a click of a button. Reverting to a known state after that is just another button-click away.
VMware Server, which is available for free, supports a single snapshot of the virtual machine. VMware Workstation,a commercial product, supports multiple snapshots in a highly flexible manner. It costs $189. (Microsoft Virtual PC seems to some snapshot capabilities, too, but I am not very familiar with it.)
Malware authors often check whether their programs are running within a virtual machine.Techniques for concealing the use of virtualization involve patching the executable to deactivate the virtualization-checking code, or using a debugger to return spoofed results to virtualization checks. (If this is interesting, check out the recent additions to my malware analysis course.)
Sometimes it is easier to move away from a virtual to a physical system, rather than to locate and manipulate the virtualization-checking code. Reinitializing the infected physical system using traditional cloning methods such as Ghost or dd takes too long. Several other tools are available for quickly rolling back the system to a pristine state.
Deep Freeze (software)
Once installed on the physical system, Deep Freeze lets you "freeze" the system's configuration in its pristine state, automatically reverting to that configuration when necessary after a reboot.
DeepFreeze is available for Windows, OS X, and Linux operating systems. It's sold in 10-packs and is priced from $13.55 per system. The price depends on your industry.
Windows SteadyState (software)
Windows SteadyState is a free product from Microsoft, and is available for Windows XP. Like Deep Freeze, SteadyState is positioned to help lock-down public systems, such as Internet kiosks and library computers. It has the ability to restore the system to a known state via its Disk Protection feature.
Another product in this category is Returnil. It is marketed as a tool for combating malware infections by resetting the system to a trusted state. By enabling its System Protection feature, you can make use of this functionality for rolling back system-level changes in your lab.
Returnil runs on Windows. The company offers a free version for personal use. A commercial license for the product's Premium edition starts at $24.95.
CoreRestore differs from the tools listed above in that it is a hardware component, not a software product. It is a card that you need to install between the system's motherboard and the disk drive IDE controller.
The card redirects system changes to a "temporary working area," allowing the administrator to revert to a pristine state via a reboot. Each card costs $149.97.
Have you had positive or negative experiences with the products mentioned above? Can you recommend other tools for restoring a system's state during malware analysis? Let us know.
Mar 17th 2008
Mar 17th 2008
1 decade ago