Home > Lab, Malware, Reverse Engineering > Automated Malware & ESXi frustrations

Automated Malware & ESXi frustrations

2009/10/22

I recently read Christian Wojner’s excellent paper on Mass Malware Analysis and it re-ignited my desire to build an automated environment to improve and speed up my current malware analysis capabilities. The paper details a step by step for duplicating Wojner’s environment, but I as I don’t have any spare equipment I’ve been looking for alternative routes.

Fortunately the paper also explains the theory, thought process and design of the system so that the reader can modify to suit their own requirements. To achieve this I’ve been trying replace the Xubuntu and Virtual Box host with my existing  ESXi environment detailed in previous posts.

With a bit of Googling the vSphere CLI became the obvious choice to replace the control component for the infected machine in the automated malware environment. vmware-cmd.pl provides the functionality to both stop/start virtual guests and to revert the guest to previous snapshots, exactly what is needed for the malware analysis environment. The commands to be utilised would be (– is a double dash):

vmware-cmd.pl –server <ESXi Host> –username <user> –password <pass> /path/to/guest.vmx getstate

vmware-cmd.pl –server <ESXi Host> –username <user> –password <pass> /path/to/guest.vmx start

vmware-cmd.pl –server <ESXi Host> –username <user> –password <pass> /path/to/guest.vmx stop

vmware-cmd.pl –server <ESXi Host> –username <user> –password <pass> /path/to/guest.vmx revertsnapshot

This should have been enough to adapt Wojner’s control scripts to use ESXi instead of Virtual box, but it appears that for the first time I’ve encountered a crippled feature not available in the VMware’s free offering. Running the stop/start/revert commands results in the below exception:

Fault:
SOAP Fault:
———–
Fault string: fault.RestrictedVersion.summary
Fault detail: RestrictedVersionFault

So that’s that, unless I happen to win the lottery (which I don’t play) or someone is able and willing to provide a full ESX license to a struggling researcher (which I don’t expect to happen) I’m back to looking for a replacement Wojner’s VirtualBox control process. On with the next…

Andrew Waite

Advertisements
  1. RE
    2010/03/19 at 10:28

    I’ve just hit this wall as well. Pity. I imagine the SDK would have the same problem?

  2. anonymous
    2010/06/02 at 07:20

    maybe this can help in terms of the licensing http://ly.my/6r

    • 2010/06/02 at 07:55

      Thanks for the heads up, from first glance it looks promising. Need to find some lab time to give it a go in anger.

  3. al
    2010/10/17 at 16:50

    According to you, with vSphere CLI, can I load an iso file into a running vm? Via command line obviously. Thank you very much.

  1. No trackbacks yet.
Comments are closed.
%d bloggers like this: