Do you need a XP virtual machine for malware analysis?

Chapter 2 in our book teaches readers how to set up a safe environment for performing malware analysis in VMs using VMware.  The first step in setting up a VM is installing the OS (we recommend Windows XP).  Readers who don’t have access to a Windows XP installation CD may be able to use the Windows XP virtual machine that Microsoft provides for free.

One option offered with Windows 7 and Vista was “Windows XP mode”, which is designed to let users run older programs that aren’t compatible with newer versions of Windows.  Windows XP mode is implemented as a virtual machine, and we can use that virtual machine as our malware analysis environment.  If your version of Windows 7 didn’t come with Windows XP mode, you can download it from Microsoft for free.

Windows XP mode comes with Virtual PC, a Microsoft virtualization product similar to VMware.  To use the free Windows XP mode virtual machine, you can either perform your malware analysis in Virtual PC or import the Windows XP mode virtual machine into VMware.  To import it, open VMware Workstation and choose File->Import Windows XP Mode VM.  Before running any samples, give the imported VM the same isolation as any other analysis VM (host-only or no networking, no shared folders or clipboard sharing) and take a clean snapshot to revert to.  Once you’ve imported your Windows XP virtual machine into VMware, you can install all your malware analysis tools and safely analyze malicious samples as described in our book.
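Once the XP Mode VM is in VMware, its .vmx file is where the isolation settings live. As an added example (not from the book or the blog), this Python script audits a .vmx for the settings an analysis VM should have: the keys are standard VMware .vmx keys, the two sample files are constructed, and the set of checks is my own choice.

```python
import re
# Standard VMware .vmx keys an isolated analysis VM should carry (selection is this example's own).
EXPECTED = {
    "ethernet0.connectionType": ("hostonly", "guest could reach the LAN/Internet"),
    "isolation.tools.copy.disable": ("TRUE", "guest->host clipboard copy"),
    "isolation.tools.paste.disable": ("TRUE", "host->guest clipboard paste"),
    "isolation.tools.dnd.disable": ("TRUE", "drag-and-drop file transfer"),
    "isolation.tools.hgfs.disable": ("TRUE", "shared-folder (HGFS) access"),
}
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse VMware's  key = "value"  lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(text):
    """Return a list of findings; an empty list means the VM looks isolated."""
    cfg = parse_vmx(text)
    findings = []
    for key, (want, why) in EXPECTED.items():
        if key == "ethernet0.connectionType" and cfg.get("ethernet0.present", "TRUE").upper() == "FALSE":
            continue  # a VM with no virtual NIC at all is fine too
        have = cfg.get(key.lower())
        if have is None or have.upper() != want.upper():
            findings.append(f"{key} = {have!r}, expected {want!r}: {why}")
    # A shared folder is an extra path out of the guest even with HGFS disabled.
    for key, value in cfg.items():
        if key.startswith("sharedfolder") and key.endswith(".present") and value.upper() == "TRUE":
            findings.append(f"{key} = TRUE: shared folder exposed to guest")
    return findings

# Constructed sample: defaults a reader might find right after importing the XP Mode VM.
SAMPLE_VMX = '''ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "FALSE"
sharedFolder0.present = "TRUE"
'''
# Constructed sample: the same VM after the isolation settings have been applied.
HARDENED_VMX = '''ethernet0.connectionType = "hostonly"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.hgfs.disable = "TRUE"
'''
```

Run `audit_vmx` on the text of your imported VM's .vmx file (with the VM powered off) and fix every finding before the first sample goes in.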

8 thoughts on “Do you need a XP virtual machine for malware analysis?”

  1. While running in a VM is straightforward and obvious, and XP is currently an easy target for malware, are there any specific service packs that are recommended? I know in the past SP2 was commonly used and malware often ran successfully on it. However, SP2 is pretty dated (even SP3 is these days), so perhaps SP3 is a better option. There is always the option to set up multiple snapshots for various service packs to test on, but if you had to go with one, which would it be? Another reason is I saw the fakenet tool requires SP3, so perhaps it’s time for me to patch (slightly).

    Similarly, what percentage of malware runs successfully on Vista/7 these days?

    • I would use XP SP3. XP is still the most common OS and most malware that runs on Windows 7 will run on XP, but not necessarily in the other direction. I recommend having multiple VMs with different operating systems and service packs. But if you can only choose one, then XP is the way to go. Plus like you said, the book labs and FakeNet work best on XP.

  2. Mike,

    Just had a quick question kind of on the same topic, are there any programs that you can recommend to install on the malware analysis machine such as Java, Adobe, or Office in order to emulate malware that targets these specific programs in order to run or exploit the system, in order to get a better grasp of what the malicious program is trying to do? Or is this not truly necessary?

    Thanks, and LOVE the BOOK!

    Dan

    • Thanks for your comment and we’re glad you’re enjoying the book.

      As far as installing extra applications, it’s definitely a judgement call and dependent on what kind of malware you’re looking at. If you’re planning on analyzing malicious .docs or .pdfs then certainly you should install Office and/or Adobe. I’d recommend installing a version that is 1 or 2 versions behind so that if there are vulnerabilities then they won’t be patched.

      It’s also worthwhile to install programs that malicious .exes sometimes infect (Firefox, IE, Outlook Express, etc.) because you’ll want to see what the malware is doing to those programs.

  3. Guys – thanks very much for the book. It is excellent. I just got an Ubuntu laptop, VMware, and a Windows 7 license, and now I see that Windows XP Mode only runs on Windows machines. Can I still use your labs effectively with Windows 7 virtual machines? Thanks again.

    • Thanks for the comment.

      Most of the labs will still work on Windows 7. They require admin privileges though, so in Windows 7, you’ll need to explicitly run them with privileges. Some of the labs will not work with Windows 7 (the chapter 10 labs for sure, and probably some others). If you end up trying all the labs on Windows 7, we would appreciate some feedback on which work and which don’t. Thanks.

      • Andy – will do. I’m just getting started – I’ll do my best to update you along the way.
