There are a number of resources out there about setting up a lab for the purpose of analyzing malware (I’ve listed several at the end of this blog post). As I started to build my lab, I found that there’s really no set answer as to the best practices. In many cases, the best practice really depends on what you’re trying to do.
One of the most widely disagreed upon topics seems to be whether or not you let your lab interact with the outside world. I suppose, if you have a source of malware that you can access and analyze without connecting to the internet then an isolated network is the safest way to go. Most of the time, however, you’re trying to mimic real-world conditions in your lab. You want to see what happens when your lab PC interacts with a web page for instance. Or, whether or not that fake Flash update that you downloaded from a compromised website “phones home”. This type of analysis generally requires a connection to the outside world.
Most people who give advice on setting up a malware lab will recommend that you use virtual machines. That’s generally good advice. The snapshot capability that’s included with most virtual machine software allows you to infect a VM and then restore it to its pristine state in no time. On the other hand, more and more modern malware is VM-aware and will simply not execute if it detects that it’s operating within a VM. You may have found a website hosting the latest ransomware, but you would never know it because the malware has detected that you’re using a VM and has refused to blow its cover.
After a lot of trial and error, this is what I came up with. I’m using VirtualBox VMs with older operating systems and out-of-date software (Flash Player, Java, AV, OS patches, etc.). These are all connected via a VirtualBox internal network. I have a VM running Security Onion that listens to and logs all traffic on the internal network. At the end of it all, I’m using a VM with pfSense acting as a firewall and router to get to the outside world (through my home network).
This setup allows me to surf the web looking for malware in relative safety. Security Onion captures all suspicious traffic and allows you to drill down multiple layers to examine it.
It’s important to note that there is a degree of danger inherent in this setup, in that the other computers on your network are not completely isolated from the malware that you’re executing in your lab. The pfSense VM is the real key here. It’s important to stay on top of what traffic is allowed to enter/exit your lab network so that you can keep the other PCs on your network safe.
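To make the "stay on top of what traffic is allowed" point concrete, here is an added example (not code from the original post, and not pfSense's own code) that models a pfSense-style rule set for the lab-side interface: rules are evaluated top-down, first match wins, and anything that matches no rule hits the implicit default deny. It compares the stock "allow LAN to any" rule that pfSense creates by default with a hardened rule set that lets the lab reach the Internet and the firewall's DNS forwarder but never the home LAN or the pfSense web GUI. The subnets (10.10.10.0/24 for the lab, 192.168.1.0/24 for the home LAN, 10.10.10.1 for pfSense) and the sample flows are constructed for the example; 203.0.113.7 is a documentation address standing in for an arbitrary Internet host.

```python
"""Model of pfSense-style interface rules guarding a malware-lab network.

Semantics modelled: rules are checked top-down, the first match decides,
and traffic matching no rule is dropped (pfSense's implicit default deny).
All addresses below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAB_NET = ipaddress.ip_network("10.10.10.0/24")    # VirtualBox internal network (assumed)
HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # home LAN on the pfSense WAN side (assumed)
LAB_GW = ipaddress.ip_network("10.10.10.1/32")     # pfSense LAN address / DNS forwarder (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")

# Private ranges that a lab host has no business reaching across the firewall.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"                # "tcp", "udp" or "any"
    dport: Optional[int] = None       # None matches any destination port


Flow = Tuple[str, str, str, int]      # (src_ip, dst_ip, proto, dst_port)


def _matches(rule: Rule, src, dst, proto: str, dport: int) -> bool:
    return (src in rule.src and dst in rule.dst
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'pass' or 'block' for a flow under first-match semantics."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(rule, src, dst, proto, dport):
            return rule.action
    return "block"                    # implicit default deny


# The weak starting point: pfSense's stock "Default allow LAN to any" rule.
WEAK_RULES = [Rule("pass", LAB_NET, ANY)]

# Hardened: DNS to the firewall is allowed, every private range is blocked
# (home LAN *and* the pfSense GUI itself), then the Internet is allowed.
HARDENED_RULES = (
    [Rule("pass", LAB_NET, LAB_GW, "udp", 53)]
    + [Rule("block", LAB_NET, net) for net in RFC1918]
    + [Rule("pass", LAB_NET, ANY)]
)

# Constructed flows an infected lab VM might attempt.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.10.20", "203.0.113.7", "tcp", 443),   # "phone home" to an Internet host
    ("10.10.10.20", "10.10.10.1", "udp", 53),     # DNS lookup via pfSense
    ("10.10.10.20", "192.168.1.15", "tcp", 445),  # SMB to a PC on the home LAN
    ("10.10.10.20", "10.10.10.1", "tcp", 443),    # pfSense web GUI from the lab
]


def leaks_closed(weak: List[Rule], hardened: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows the weak rule set would let through but the hardened one stops."""
    return [f for f in flows
            if evaluate(weak, *f) == "pass" and evaluate(hardened, *f) == "block"]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow}: weak={evaluate(WEAK_RULES, *flow)} hardened={evaluate(HARDENED_RULES, *flow)}")
    print("closed by hardening:", leaks_closed(WEAK_RULES, HARDENED_RULES, SAMPLE_FLOWS))
```

Run it and the two flows that would have reached the home LAN or the firewall's own admin interface show up as closed, while the DNS lookup and the outbound HTTPS connection that you actually want to observe still pass. Whatever you end up with in the real pfSense GUI, the order matters in exactly this way: the block rules for your home subnet have to sit above the "allow to any" rule, or they never fire.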
If I’m simply analyzing or reversing malware that I already have, I can swap out the pfSense VM for another VM that’s running Turnkey Linux with INetSim. In case you’re not familiar with it, INetSim is a software suite for simulating common internet services in a lab environment. The Malware Analyst’s Cookbook And DVD, a somewhat older but still incredibly useful book, recommends and discusses using INetSim in your lab.
As I mentioned above, a lot of modern malware is VM-aware and will not execute if it detects that it’s being run inside of a virtual machine. To circumvent that issue, I use a laptop that connects to my home network (thus potentially putting my other PCs at risk). This laptop is configured similarly to the VMs in my virtual lab (above) – old, unpatched OS with out-of-date helper software. I can use this computer to hunt around the internet searching for malware and observing what happens when it’s executed.
I use an open-source disk imaging program called Clonezilla to restore this computer to its initial state after infections. Clonezilla is a great tool – very simple to use. I have an old 1-GB USB drive on which I’ve installed a bootable version of Clonezilla. Once I have my laptop set up the way I want it, I just boot up Clonezilla from the USB drive and clone the image onto an external hard drive. Now, I can infect the laptop and restore it to its original state in about 10 minutes. In fact, I can set up this physical PC multiple times with different operating systems / configurations and clone each of these. That way I can choose any of these images to restore and experiment with on my physical PC, giving me a sort of makeshift physical version of my virtual lab.
Hopefully, I’ve given you a few ideas for setting up your own malware lab. Above all, remember that this is a dangerous business – you can easily infect your PC (or other PCs on your network) and lose data. More information on setting up a malware lab can be found in the links below (in no particular order):
5 Steps To Building A Malware Analysis Toolkit – Lenny Zeltser
Virtualized Network Isolation For A Malware Analysis Lab – Lenny Zeltser
Setup A Test Networking Lab With VirtualBox
Building Ultimate Anonymous Malware Analysis And Reverse Engineering Machine
Malware Analysis Laboratory
How To Set Up A Pentesting Lab – Rapid7
Portable Malware Lab For Beginners – Infosec Institute
Portable Malware Lab For Beginners: Part 2 – Infosec Institute