The automated creation and deployment of fully custom VMs (Virtual Machines) as analysis targets may seem like an arcane topic, but it is crucially important to successful threat analysis, particularly for targeted attacks.
There are several reasons:
With many sandboxes, the target machine is fixed and cannot be customized by the user. A key benefit of VMRay is its ability to run fully customized VM images, such as the user's own gold image. Additionally, VMRay provides tools to create many different custom VM images quickly and easily: a configuration only has to be set up once in order to create hundreds of different images in a fully automated way.
Merely being able to run a user-provided image does not go far enough in addressing real-world requirements.
An ideal solution needs to:
To address this, the VMRay team developed an automatic installation infrastructure, the VMRay Auto Install Tool, that is easy to use and highly customizable.
The general process is displayed in Figure 1.
The auto install requires:
The configuration contains guest settings such as user name and password, language and regional settings, and the like. All of these values can optionally be randomized by the installer to thwart VM fingerprinting: malware that checks for the well-known user name, computer name or locale of a public sandbox sees a different value on every image. The configuration itself can be created with the interactive dialog assistant (see Figure 2), by providing a previously created configuration file, or by specifying the appropriate command line parameters.
To further customize the VMs, additional input can be provided:
1. Additional system configuration can be supplied via a WAIK (Windows Automated Installation Kit) answer file, i.e. an Unattend.xml. Most enterprises already use these for the OS deployments on their workstations, which makes it easy and efficient to integrate an already available configuration.
2. Additional third-party software (Office, PDF reader, etc.) can be integrated by supplying the corresponding setup files.
3. Additional scripts can be supplied to perform arbitrary jobs such as downloading and installing further components or tweaking the installed operating system or applications.
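As an added example (not VMRay's own code), the following Python script shows what the configuration and the additional input described above boil down to in practice: a guest configuration whose fingerprintable fields (user name, password, computer name, locale, time zone) are randomized, rendered as an Unattend.xml answer file; third-party installers and scripts registered as first-logon commands so they run after setup; and the settings blocks of an existing enterprise WAIK answer file merged in. The candidate value pools, the sample enterprise answer file and the installer paths are constructed for illustration, while the pass names, component names and namespaces are the standard ones Windows Setup expects.

```python
"""Randomized answer-file generation for sandbox guest images.

Added example, not VMRay's tool. Candidate pools, installer paths and the
sample enterprise answer file below are constructed for illustration.
"""
import random
import string
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"                  # Unattend.xml default namespace
WCM = "http://schemas.microsoft.com/WMIConfig/2002/State"  # namespace of wcm:action
ET.register_namespace("", NS)
ET.register_namespace("wcm", WCM)

# Constructed candidate pools; a real build would draw from far larger ones.
LOCALES = ["en-US", "en-GB", "de-DE", "fr-FR", "ja-JP", "zh-CN"]
TIMEZONES = ["Pacific Standard Time", "Eastern Standard Time",
             "W. Europe Standard Time", "Tokyo Standard Time"]
FIRST_NAMES = ["anna", "bob", "chen", "dana", "erik", "fatima", "gita"]

# Constructed stand-in for an enterprise WAIK answer file.
ENTERPRISE_XML = f"""<unattend xmlns="{NS}">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserData><AcceptEula>true</AcceptEula></UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <RegisteredOrganization>Example Corp</RegisteredOrganization>
    </component>
  </settings>
</unattend>"""


def random_guest_config(rng=None):
    """Guest settings with every fingerprintable field randomized.
    Pass a seeded random.Random only for reproducible tests."""
    rng = rng or random.SystemRandom()
    alnum = string.ascii_letters + string.digits
    return {
        "username": rng.choice(FIRST_NAMES) + str(rng.randint(1, 99)),
        "password": "".join(rng.choice(alnum) for _ in range(14)),
        # NetBIOS names are at most 15 characters; "WS-" plus six is nine.
        "computer_name": "WS-" + "".join(
            rng.choice(string.ascii_uppercase + string.digits) for _ in range(6)),
        "locale": rng.choice(LOCALES),
        "timezone": rng.choice(TIMEZONES),
    }


def validate_config(cfg):
    """Catch values Setup would reject; in a batch of hundreds of VMs a failed
    unattended install is otherwise noticed only hours later."""
    errors = []
    name = cfg["computer_name"]
    if not 1 <= len(name) <= 15 or not all(c.isalnum() or c == "-" for c in name):
        errors.append("computer_name must be 1-15 letters, digits or hyphens")
    if cfg["username"].lower() in {"administrator", "guest"} or len(cfg["username"]) > 20:
        errors.append("username collides with a built-in account or exceeds 20 chars")
    if len(cfg["password"]) < 8:
        errors.append("password shorter than 8 characters")
    return errors


def _component(settings, name):
    return ET.SubElement(settings, f"{{{NS}}}component", {
        "name": name, "processorArchitecture": "amd64",
        "publicKeyToken": "31bf3856ad364e35", "language": "neutral",
        "versionScope": "nonSxS"})


def _text(parent, tag, text):
    ET.SubElement(parent, f"{{{NS}}}{tag}").text = text


def build_unattend(cfg, installers=(), scripts=(), enterprise_xml=None):
    """Render cfg as Unattend.xml. Installers and scripts run, in order, as
    first-logon commands; settings blocks of enterprise_xml are merged in."""
    errors = validate_config(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    root = ET.Element(f"{{{NS}}}unattend")

    # specialize pass: machine identity
    spec = ET.SubElement(root, f"{{{NS}}}settings", {"pass": "specialize"})
    shell = _component(spec, "Microsoft-Windows-Shell-Setup")
    _text(shell, "ComputerName", cfg["computer_name"])
    _text(shell, "TimeZone", cfg["timezone"])

    # oobeSystem pass: regional settings, local admin account, post-install jobs
    oobe = ET.SubElement(root, f"{{{NS}}}settings", {"pass": "oobeSystem"})
    intl = _component(oobe, "Microsoft-Windows-International-Core")
    for tag in ("InputLocale", "SystemLocale", "UILanguage", "UserLocale"):
        _text(intl, tag, cfg["locale"])
    shell = _component(oobe, "Microsoft-Windows-Shell-Setup")
    accounts = ET.SubElement(shell, f"{{{NS}}}UserAccounts")
    local = ET.SubElement(accounts, f"{{{NS}}}LocalAccounts")
    acct = ET.SubElement(local, f"{{{NS}}}LocalAccount", {f"{{{WCM}}}action": "add"})
    _text(acct, "Name", cfg["username"])
    _text(acct, "Group", "Administrators")
    pw = ET.SubElement(acct, f"{{{NS}}}Password")
    _text(pw, "Value", cfg["password"])   # plaintext: the answer file must not stay on the image
    _text(pw, "PlainText", "true")
    commands = list(installers) + list(scripts)
    if commands:
        cmds = ET.SubElement(shell, f"{{{NS}}}FirstLogonCommands")
        for order, cmd in enumerate(commands, start=1):
            sc = ET.SubElement(cmds, f"{{{NS}}}SynchronousCommand", {f"{{{WCM}}}action": "add"})
            _text(sc, "Order", str(order))
            _text(sc, "CommandLine", cmd)

    # Enterprise answer file: its components join a pass we already emit, other passes are appended
    if enterprise_xml:
        passes = {s.get("pass"): s for s in root.findall(f"{{{NS}}}settings")}
        for settings in ET.fromstring(enterprise_xml).findall(f"{{{NS}}}settings"):
            target = passes.get(settings.get("pass"))
            if target is None:
                root.append(settings)
            else:
                target.extend(list(settings))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_unattend(random_guest_config(),
                         installers=[r"D:\office\setup.exe /configure D:\office\config.xml"],
                         scripts=[r"powershell -ExecutionPolicy Bypass -File D:\post-install.ps1"],
                         enterprise_xml=ENTERPRISE_XML))
```

Run the script once per VM you want to build and feed each output to the installer; with random.SystemRandom every run yields a different account, computer name and locale, which is the whole point against fingerprinting. The validation step is worth keeping even if it looks pedantic: an answer file that Setup refuses stalls the install at an interactive dialog, and in a batch of hundreds of headless VMs that failure is silent.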
When executed, the VMRay Auto Install Tool performs the following steps to create and output a ready-to-use VM (Figure 3):
1. An automated Windows setup image is created from the Windows ISO, the optional WAIK answer file, and the Auto Install Configuration.
2. A new VM is created, the setup image is mounted, and the operating system is installed automatically.
3. Finally, all third-party software is installed by running the provided installers, and all additionally specified scripts are executed.
It is important to note that once the installer has been started, all steps run autonomously with no user input required.
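The three steps above, as an added example that is not VMRay's tool: a Python driver that stages the answer file on a small side-car ISO (Windows Setup searches the root of removable and read-only media for Autounattend.xml, so the install ISO itself need not be repacked), creates a VM with VirtualBox's VBoxManage, boots the installer, and waits for the install to finish. VirtualBox and genisoimage are stand-in assumptions for whatever hypervisor and ISO tool you actually use, as is the convention that the answer file's last first-logon command is shutdown /s /t 0 so that the VM powering off signals completion. Unless execute=True is passed, the commands are only returned, not run.

```python
"""Create a VM, boot the Windows installer against an answer file, wait for it.

Added example, not VMRay's tool. Assumes VBoxManage and genisoimage on PATH
and an answer file whose final first-logon command shuts the guest down.
"""
import pathlib
import shutil
import subprocess
import time


def stage_answer_file(answer_file, stage_dir):
    """Copy the answer file under the name Setup looks for at a media root."""
    stage_dir = pathlib.Path(stage_dir)
    stage_dir.mkdir(parents=True, exist_ok=True)
    target = stage_dir / "Autounattend.xml"
    shutil.copyfile(answer_file, target)
    return target


def plan_build(name, windows_iso, stage_dir, workdir, memory_mb=4096, cpus=2, disk_mb=61440):
    """Ordered commands: side-car ISO, VM, empty disk, install and answer media, boot."""
    workdir = pathlib.Path(workdir)
    unattend_iso = str(workdir / f"{name}-unattend.iso")
    disk = str(workdir / f"{name}.vdi")
    attach = ["VBoxManage", "storageattach", name, "--storagectl", "SATA", "--device", "0"]
    return [
        ["genisoimage", "-quiet", "-J", "-R", "-o", unattend_iso, str(stage_dir)],
        ["VBoxManage", "createvm", "--name", name, "--ostype", "Windows10_64", "--register"],
        ["VBoxManage", "modifyvm", name, "--memory", str(memory_mb), "--cpus", str(cpus)],
        ["VBoxManage", "createmedium", "disk", "--filename", disk, "--size", str(disk_mb)],
        ["VBoxManage", "storagectl", name, "--name", "SATA", "--add", "sata"],
        attach + ["--port", "0", "--type", "hdd", "--medium", disk],
        attach + ["--port", "1", "--type", "dvddrive", "--medium", str(windows_iso)],
        attach + ["--port", "2", "--type", "dvddrive", "--medium", unattend_iso],
        ["VBoxManage", "startvm", name, "--type", "headless"],
    ]


def parse_vm_state(showvminfo_output):
    """Extract VMState from 'VBoxManage showvminfo --machinereadable' output."""
    for line in showvminfo_output.splitlines():
        if line.startswith("VMState="):
            return line.split("=", 1)[1].strip().strip('"')
    return None


def vm_state(name):
    out = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return parse_vm_state(out)


def wait_for_poweroff(name, timeout_s=3600, poll_s=15,
                      state_fn=vm_state, clock=time.monotonic, sleep=time.sleep):
    """True once the VM is powered off (install finished), False on timeout.
    The timeout is the only thing that stops a stalled install from blocking a batch."""
    deadline = clock() + timeout_s
    while clock() < deadline:
        if state_fn(name) == "poweroff":
            return True
        sleep(poll_s)
    return False


def build(name, windows_iso, answer_file, workdir, execute=False):
    """Stage the answer file and produce (or run) the build plan for one VM."""
    stage = stage_answer_file(answer_file, pathlib.Path(workdir) / f"{name}-stage")
    plan = plan_build(name, windows_iso, stage.parent, workdir)
    if execute:
        for cmd in plan:
            subprocess.run(cmd, check=True)
        if not wait_for_poweroff(name):
            raise TimeoutError(f"{name}: unattended install did not finish")
    return plan


if __name__ == "__main__":
    for cmd in build("sbx-01", "/isos/win10.iso", "unattend.xml", "/tmp/vmbuild"):
        print(" ".join(cmd))
```

Two things to check before running this against a real hypervisor. First, the install DVD stays attached across the several reboots an unattended install performs; with the default BIOS firmware the Windows media's boot loader falls through to the hard disk once Setup has made it bootable, so the VM does not loop back into Setup, but if you switch the VM to EFI firmware, verify that the media does not stop at a boot prompt. Second, once the guest has powered off, detach the answer-file ISO and delete it: it carries the account password in plain text.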
The VMRay Auto Install infrastructure makes VM creation, customization and installation easy to script. As an example, we frequently rebuild many dozens of VMs with randomized configurations in our cloud in order to thwart fingerprinting.
Another use is to automate the complete setup of VMs from a single origin configuration. Once the Auto Install Configuration has been created, it can be combined with arbitrary third-party software and with different Windows versions and patch levels. Hence only one configuration is required to set up hundreds of different VMs at the same time without any further effort. This is extremely useful for automating the generation of VMs for newly released Windows service packs or software stacks. It is also very easy to set up identical VMs in different languages (English, French, Chinese, etc.): just provide the corresponding ISO file and reuse everything else.
Auto Install is another piece of the puzzle in delivering accurate, complete threat analysis. By simplifying and automating the creation of analysis machines that are identical to the attacker's intended target, we eliminate a major failure point of other analysis approaches.