As a reverse engineer, you will inevitably come across suspicious samples that do not do anything in a VM, but you know are up to no good. For instance, you might be analyzing a file that was delivered as part of a spear phishing email to employees of your company. You try all your usual behavioral analysis tools under your favorite VM, but not much happens. You suspect that this sample is using anti-VM techniques to hinder your analysis.
For most, the next step involves getting your dedicated bare-metal laptop/desktop out and wiping it, because it's still dirty from your last analysis, and re-installing Windows and all your tools on it. It's an annoying, time-consuming process, but it's the only way for you to see what this sample is doing... Until now.
Here at Binary Guard, we have faced the same annoyances with setting up bare-metal environments for manual analysis sessions. Because of this, we thought it was a natural fit for us to apply the same True Bare Metal (TBM) technology found in our TBM Automated Cloud Sandbox to the problem of manual analysis. This resulted in an internal tool we call TBM Analysis Sessions. It allows us to spin up bare-metal machines in the cloud, accessible via RDP, where we can install our tools and analyze samples. There is no longer a need to wipe and re-image a desktop between analyses. We can start up new sessions as often as we want in under a minute with just a few clicks. There are added benefits as well: you can save disk snapshots that let you resume previous analysis sessions, and you can create images that come with your analysis environment pre-installed.
Here is a short demo showing TBM Analysis Sessions in action:
This is an internal tool at the moment, but we are thinking about making this into a real service. Would TBM Analysis Sessions benefit you? Send us a note and let us know your thoughts!