Malware Labs and Machines
Last updated: 2021-09-20
This post is geared towards beginners and documents the general steps I took to build a home malware lab.
Malware Lab Plans
The malware lab must meet the following requirements:
- Malware environment must not connect to prod/shared networks.
- Dedicated physical workstation to host the malware lab (e.g. an old laptop).
- Ability to quickly restore the host in the event of malware escape.
- Include both static and dynamic analysis features.
WARNING: Conduct all security research on an isolated network separate from shared/personal devices. Failure to contain malware could result in damage to other devices on the same network and/or loss of data.
I want to analyze malware samples in a contained environment so that, if a sample escapes its VM, I can wipe the host machine with no impact to my personal data. A small home malware lab on a spare laptop should be enough for my personal security research. I've created a separate, isolated network for the lab, monitored by an IPS, and I have a USB device that I will use to install an OS on the spare laptop. The laptop is a dual-core i5 with 8 GB of RAM; it can take up to 32 GB, and I plan on upgrading it to 16 GB or 32 GB at a later date. VirtualBox itself needs about 512 MB of RAM and ~30 MB of disk space, so as long as I keep the VMs' combined allocation under 7 GB I should be able to run two or more virtual machines (VMs) at a time.
I am using Lubuntu, a lightweight flavor of Ubuntu, as the OS that hosts the VMs. Lubuntu needs fewer resources than standard Ubuntu, which leaves more RAM and CPU for the VMs. The following technologies are installed:
- VirtualBox - to create virtual machines
- Vagrant - to manage virtual machines
- Docker - to create and manage containers
Standalone Static & Dynamic Analysis Machine
For a quick and easy analysis machine I use the REMnux Linux distribution. REMnux is an Ubuntu 18.04 + GNOME base machine preloaded with malware-analysis and forensic tools. Download the VirtualBox OVA from remnux.org. You can quickly launch this machine by double-clicking the OVA file and configuring the imported machine. Once installed, log in and update/upgrade. Then change the network adapter to host-only in "Machine > Settings > Network" so the VM can no longer reach the outside world (note that host-only still lets the guest talk to the host's vboxnet interface; an internal network removes even that path). Once the network has been isolated, save a snapshot so you can roll back to a clean state after each sample.
sudo apt update && sudo apt upgrade
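Before detonating anything it is worth confirming, rather than assuming, that no lab VM still has a NAT or bridged adapter (VirtualBox imports OVAs with NAT by default). The following is an added example for this post, not REMnux or VirtualBox code: it parses the `nicN="..."` lines of `VBoxManage showvminfo <vm> --machinereadable` and flags any adapter that could carry traffic off the host. The VM name "REMnux", the network name "malnet" and the two sample outputs are constructed for illustration.

```python
"""Check that a VirtualBox lab VM has no adapter that can leave the host.

Added example (not REMnux/VirtualBox code). Parses `VBoxManage showvminfo
<vm> --machinereadable` output, whose nicN="type" lines give each adapter's
attachment type, and reports NAT, NAT-network and bridged adapters.
"""
import re
import subprocess
from typing import Dict, List

# Attachment types that can carry traffic beyond the host.
UNSAFE_NIC_TYPES = {"nat", "natnetwork", "bridged"}
# Attachment types acceptable for a detonation lab.
SAFE_NIC_TYPES = {"none", "null", "intnet", "hostonly"}

NIC_RE = re.compile(r'^nic(\d+)="([^"]*)"$')


def parse_nics(showvminfo: str) -> Dict[int, str]:
    """Return {adapter number: attachment type} from machine-readable output."""
    nics = {}
    for line in showvminfo.splitlines():
        m = NIC_RE.match(line.strip())
        if m:
            nics[int(m.group(1))] = m.group(2)
    return nics


def isolation_violations(showvminfo: str) -> List[str]:
    """List problems found; an empty list means every adapter is contained."""
    problems = []
    for n, kind in sorted(parse_nics(showvminfo).items()):
        if kind in UNSAFE_NIC_TYPES:
            problems.append(f"nic{n} is attached as '{kind}' (reaches beyond the host)")
        elif kind not in SAFE_NIC_TYPES:
            # e.g. 'generic' drivers (UDP tunnel, VDE): unknown, so treat as unsafe.
            problems.append(f"nic{n} has unrecognised attachment '{kind}'; review manually")
    return problems


def check_vm(name: str) -> List[str]:
    """Query VirtualBox for a real VM (assumed to exist) and return its violations."""
    out = subprocess.run(
        ["VBoxManage", "showvminfo", name, "--machinereadable"],
        check=True, capture_output=True, text=True,
    ).stdout
    return isolation_violations(out)


# Constructed sample: a freshly imported OVA still on NAT, with a host-only
# second adapter added later.
SAMPLE_BEFORE = '''name="REMnux"
nic1="nat"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="none"
nic4="none"
'''

# Constructed sample: same VM after nic1 was moved to an internal network
# shared only with the victim VM.
SAMPLE_AFTER = '''name="REMnux"
nic1="intnet"
intnet1="malnet"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="none"
nic4="none"
'''

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        issues = isolation_violations(sample)
        print(label, "->", "OK" if not issues else "; ".join(issues))
    # Live check on the host: print(check_vm("REMnux"))
```

Run it on the Lubuntu host against every VM name in `VBoxManage list vms` before each detonation session; the parse functions are kept separate from the `subprocess` call so the logic can be exercised on saved output without VirtualBox present.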
You can also install REMnux onto an existing Ubuntu system, such as a cloud forensic station, with the REMnux installer; cloud mode skips the desktop components:
remnux install --mode cloud
Or you can run REMnux in a Docker container:
docker run --rm -it -u remnux remnux/remnux-distro:focal bash
REMnux provides many tools for static and dynamic analysis; for a full list check the REMnux documentation. Generally, there are tools for PE and ELF files, Android files, static and dynamic analysis, network traffic analysis, deobfuscation, unpacking, etc. The REMnux machine can then be reset to its snapshot and paired with a Windows sandbox, since it already has simulated-protocol tools for monitoring network behavior like
Windows Sandbox Victim + Linux Machine Observer
Modern malware checks its environment for signs it's being observed, so the less instrumentation it can see, the better. A sandboxed Windows VM lets us execute the sample while the network side of the observation happens on a second machine the sample cannot inspect. There are a couple of ways of going about this. We can grab a Windows development environment VM (~20 GB) from Microsoft. On this VM we would then install tools such as Process Hacker and Process Monitor to observe changes to the system after the executable is run (these in-guest tools are still visible to the sample, which is why the network capture lives elsewhere). This machine needs at least 4 GB of RAM and 2 cores.
The REMnux machine is used to observe the Windows sandbox. Both VMs are attached to the same virtual network, isolated on the local host, and the Windows machine's DNS server (and default gateway) is set to the REMnux machine's address so that every name lookup and outbound connection the sample attempts lands on the Linux machine, where it can be captured and answered with simulated services.
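To make concrete what "point the Windows machine at the Linux machine for DNS" buys you, here is an added example for this post, not code from REMnux (which ships fakedns and INetSim for this job): a minimal DNS sink that logs each name the victim asks for and answers every A query with the observer's own address, so the sample's follow-on connections also arrive at the observer. The observer address 10.0.0.2 and the sample query packet are assumptions constructed for illustration.

```python
"""Minimal DNS sink for the observer VM.

Added example for this post, not REMnux code. Every A query is logged and
answered with the observer's own address; other record types get an empty
(NOERROR, no answers) response rather than a fabricated record.
"""
import socket
import struct
from typing import List, Optional, Tuple

OBSERVER_IP = "10.0.0.2"   # assumed address of the REMnux VM on the isolated network


def parse_qname(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode the label sequence at offset; return (name, offset after the name)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a query")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_response(query: bytes, answer_ip: str) -> Tuple[str, int, bytes]:
    """Answer the first question of a DNS query.

    Returns (queried name, qtype, response packet). A/IN questions get one
    A record pointing at answer_ip; anything else gets ANCOUNT=0.
    """
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    name, end = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]

    # QR=1 (response), keep opcode and RD from the query, set RA=1, RCODE=0.
    resp_flags = 0x8000 | (flags & 0x7800) | (flags & 0x0100) | 0x0080
    answers = b""
    ancount = 0
    if qtype == 1 and qclass == 1:           # A record, class IN
        # NAME as a pointer to offset 12 (the question name), TTL 60s, 4-byte RDATA.
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return name, qtype, header + question + answers


def serve(bind_ip: str = OBSERVER_IP, log: Optional[List[str]] = None) -> None:
    """Listen on UDP/53 (needs root) and answer every query with our own address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, 53))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, qtype, resp = build_response(data, bind_ip)
        except (ValueError, IndexError, struct.error):
            continue                         # malformed packet: drop it, keep serving
        line = f"{peer[0]} asked type {qtype} for {name}"
        print(line)
        if log is not None:
            log.append(line)
        sock.sendto(resp, peer)


# Constructed sample query: ID 0x1234, RD set, one question "evil.example" A IN.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    + b"\x04evil\x07example\x00"
    + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    name, qtype, resp = build_response(SAMPLE_QUERY, OBSERVER_IP)
    print(name, qtype, resp.hex())
    # serve()  # on the REMnux VM, as root, after setting the victim's DNS to OBSERVER_IP
```

Run `serve()` on the REMnux side together with a packet capture on the same interface; the logged names are the sample's C2 and download hosts, and because every answer points back at the observer, the subsequent TCP connections show up in the capture too.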
Automated Analysis with Third Parties
We could also use a pre-built sandbox environment like Cuckoo Sandbox. Or, if confidentiality is not an issue, you could upload the sample to VirusTotal, Hybrid Analysis, and/or Joe Sandbox. Keep in mind that an uploaded sample is shared with the service and, in VirusTotal's case, with other subscribers, so for a targeted or sensitive sample the local lab is the safer choice.