Creating a Malware Analysis Environment

Introduction

This is a guide on how to set up a virtual malware analysis lab that's a little different from others I have seen. It was primarily created for my own documentation, but if other people find it useful then feel free to use it.

This lab environment has 4 virtual machines:

  • A pfSense router
  • A Windows VM with FlareVM deployed
  • A Debian host running BurpSuite and INetSim
  • A Remnux VM

The pfSense VM has 2 interfaces, a WAN and a LAN. The LAN interface is connected to the internal VMware lab network, allowing connectivity between the lab hosts. The WAN interface is connected via NAT and allows outbound internet connectivity where needed.

A diagram of what overall network connectivity looks like in my lab is below.

Windows 10

The first VM we will install is Windows 10 with FlareVM. Flare takes a long time to install so we can leave this one running in the background while we work on the next couple.

The first step is to get a copy of Windows 10. The easiest way to obtain a copy is to download and run the Windows 10 Media Creation Tool from Microsoft:

Once you have used the tool to create a Windows 10 ISO, it's time to create a new Windows VM. I have set my Windows VM up with the following settings:

  • Memory: 4 GB
  • Processors: 4
  • Hard Disk: 200 GB
  • Network Adapter: NAT

I won't go through the Windows install process, but once you have installed Windows it is a good idea to run Windows Update before continuing.

In order to install FlareVM it is recommended to disable Defender and stop automatic updates, as both will otherwise interfere with the install and quarantine analysis tools.

There are multiple ways to disable Defender but I have done the following:

  • Open up Virus & threat protection in Windows Security
    • Disable everything
    • Add an exclusion folder of the C:\
  • Download and run the program dControl by Sordum

Next we need to stop automatic Windows updates via Group Policy. I followed these instructions:

Next we install FlareVM. FlareVM is a collection of install scripts for various security tools. More information, including install instructions, can be found in the FlareVM GitHub repository.

I will not go through the install steps as they are detailed on GitHub. The install can take a long time depending on how many tools you have selected to install, and the install process may reboot your VM several times. After the final reboot the desktop background will have changed and you'll have several security tools installed which you can use for malware reverse engineering.

Debian

Next let's install our Debian VM. The main uses for this VM are to run INetSim and BurpSuite. Both tools are available through Remnux, but Ubuntu (which Remnux is built on) uses systemd-resolved for name resolution, and that was causing me issues when pointing local applications at it. In order to use INetSim and Burp with internet access I found it easier to use Debian than Ubuntu, as I could make it do what I needed without too much trouble. I'm not a Linux guy, so there might be a way to use Remnux instead of Debian, but this works for me.

Anyway, install Debian, update the packages and install INetSim and Wireshark. BurpSuite is installed separately below.

  • sudo apt update && sudo apt upgrade
  • sudo apt install inetsim
  • sudo apt install wireshark

By default INetSim will run at startup; we don't want that, as we will launch it by hand with the config we need:

  • sudo systemctl stop inetsim
  • sudo systemctl disable inetsim

Download BurpSuite CE from https://portswigger.net/burp and install it.

  • chmod +x burpsuite_community_linux_[version].sh
  • ./burpsuite_community_linux_[version].sh

To use Burp as a proxy for traffic over port 80 or 443 we need to run it as root, since binding to ports below 1024 requires it. To make it a bit easier I added this alias to my .bashrc file:

  • alias burpsuite='sudo /usr/local/bin/BurpSuiteCommunity'

I also like to install Sublime Text. You'll need to follow the steps on the Sublime site to install it on Debian, but it's straightforward. This isn't needed, I just like Sublime.

Remnux

Remnux can be downloaded as a virtual appliance or installed from scratch in Ubuntu Desktop. I recommend the virtual appliance as it is the easiest to work with.

Download the virtual appliance from https://docs.remnux.org/install-distro/get-virtual-appliance and import it into your hypervisor. Once installed, make sure it is up to date:

  • sudo apt update && sudo apt upgrade
  • remnux upgrade

As we are using Debian we don't strictly need Remnux if all we are going to do is Windows malware analysis, but it is good to have as it includes a bunch of useful tools.

pfSense

Lastly, let's install pfSense. Download pfSense from the official pfSense website and create a new VM. The VM doesn't need many resources; I gave my VM:

  • Memory: 1 GB
  • Processors: 1
  • Hard Drive: 30 GB

You will need to add 2 interfaces, 1 for the WAN and 1 for the LAN.

One interface (the WAN) should be a NAT adapter and the other (the LAN) connected to the isolated network, in my case VMnet2.

Once you have installed pfSense, set up the interfaces from the console menu. I used the following settings:

Assign interfaces:

  • Should VLANs be set up now: n
  • Enter the WAN interface name: em0
  • Enter the LAN interface name: em1
  • Do you want to proceed: y

Set interface IP addresses:

WAN:

  • Configure IPv4 address WAN interface via DHCP?: y
  • Configure IPv6 address WAN interface via DHCP?: n
  • Enter the new WAN IPv6 address: [BLANK]

LAN:

  • Configure IPv4 address LAN interface via DHCP?: n
  • Enter the new LAN IPv4 address: 10.1.2.1
  • Enter the new LAN IPv4 subnet bit count: 24
  • Configure IPv6 address LAN interface via DHCP6?: n
  • Enter the new LAN IPv6 address: [BLANK]
  • Do you want to enable the DHCP server on LAN: y
  • Enter the start address of the IPv4 client address range: 10.1.2.2
  • Enter the end address of the IPv4 client address range: 10.1.2.20

Configuring our Services

Network Configuration

VM Network Setup

Within VMware, we are going to set up a new host-only network so that your analysis machines can only communicate with each other. This limits the possibility of other machines on your network getting infected.

To create a new network open the Virtual Network Editor and click Add Network. The settings I used for my new network are:

  • Name: VMnet2
  • Type: Host-only
  • Subnet IP: 10.1.2.0
  • Subnet mask: 255.255.255.0

I am using pfSense as the DHCP server on the LAN, but if you're not using pfSense then you can enable VMware's local DHCP server for this network to distribute IPs to the VMs.

Now that we have all our VMs up and running and the network set up in VMware, we need to configure the network on each of them to make sure they can only communicate with each other.

Debian

  • Set the network interface adapter in VMware for this machine to VMnet2
  • Within Debian it should get an IP from pfSense via DHCP
  • Log into pfSense via the web browser by navigating to http://10.1.2.1
    • Go through the initial setup wizard
    • Go to Services → DHCP Server
      • Set the range if it isn’t set already
      • Add DHCP Static Mappings for the Debian VM. You can set manual mappings for Windows and Remnux as well if you want.
        • Debian: 10.1.2.100
        • Windows: 10.1.2.101
        • Remnux: 10.1.2.102
    • Limit access from the isolated network
      • Go to Firewall → Rules → LAN
        • Create a new rule blocking access from the LAN (10.1.2.0/24) to your home network and any other networks you do not want the RE VMs to have access to.
    • [OPTIONAL] To add an extra layer of protection when analysing malware you can configure pfSense to route all traffic through a VPN. Instructions on how to do this are outside the scope of this post, but your VPN provider may publish instructions for pfSense.
  • Reboot your Debian VM and check what IP it has. It should have 10.1.2.100, based on what we set in the previous step.
  • This VM should have internet access

Windows

  • Set the network interface adapter in VMware for this machine to VMnet2
  • Within Windows open the network interface settings and manually set the IP of the machine to:
    • IP address: 10.1.2.101
    • Subnet mask: 255.255.255.0
    • Default gateway: 10.1.2.100
    • DNS Server: 10.1.2.100
  • This VM should not have internet access
    • We can gain access to the internet once we have configured INetSim and Burp

We are setting Windows to use our Debian machine as its default gateway and DNS server because we want to route all of its traffic to that machine for analysis through Burp and INetSim. As long as Debian is not forwarding packets, the Windows VM has no path to the internet unless we deliberately provide one with Burp and INetSim.

Remnux

  • Set the network interface adapter in VMware for this machine to VMnet2
  • Remnux should get its IP information via DHCP from pfSense
  • This VM should have internet access

INetSim configuration

INetSim is a network simulation tool commonly used within malware analysis labs. We are going to create 2 configurations: a DNS-only config and a full simulation config. Let's start with the DNS-only config by copying the inetsim.conf file from /etc/inetsim/inetsim.conf to our home directory:

  • cp /etc/inetsim/inetsim.conf inetsim-dnsonly.conf

Now, in your favourite text editor make the following changes to inetsim-dnsonly.conf:

  • Under the services to start, uncomment start_service dns
  • In the section after the list of services, uncomment service_bind_address and set it to 0.0.0.0 so the service listens on the VMnet2 interface and not just localhost
  • Next, uncomment dns_default_ip and set it to 10.1.2.100, so every name resolves to the Debian VM
  • Save the config file

Next, let's create the full simulation config. There are only 2 changes we need to make, but we start by copying the DNS-only config so we have 2 to choose from: cp inetsim-dnsonly.conf inetsim.conf

Let's edit this file and start by uncommenting all the services in the top section. Next, uncomment http_bind_port and set the port to 8080. Do the same for https_bind_port and set the port to 4443. These are the ports the Burp listeners will redirect into later, so the privileged ports 80 and 443 stay free for Burp.

We should now have 2 INetSim config files: inetsim-dnsonly.conf and inetsim.conf

To launch INetSim use sudo inetsim --config inetsim.conf or sudo inetsim --config inetsim-dnsonly.conf
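The edits above are easy to get wrong by hand (a missed # or a stray space), so here is an added example, not from the original post, that builds the two config files with sed. It assumes the INetSim key names used above (start_service, service_bind_address, dns_default_ip, http_bind_port, https_bind_port); the sample config embedded in make_sample_conf is a constructed stand-in for the stock file, and on the Debian VM you would pass /etc/inetsim/inetsim.conf as the source instead.

```shell
#!/bin/sh
# Added example (not part of the original post): build inetsim-dnsonly.conf
# and inetsim.conf from the stock config with repeatable sed edits.
# Assumption: the key names match those in /etc/inetsim/inetsim.conf.

# Constructed stand-in for the stock file, using its "#key value" layout.
# On the Debian VM use /etc/inetsim/inetsim.conf as the source instead.
make_sample_conf() {                     # $1 = file to write
  cat > "$1" <<'EOF'
#start_service dns
#start_service http
#start_service https
#start_service smtp
#service_bind_address   10.10.10.1
#dns_default_ip         10.10.10.1
#http_bind_port         80
#https_bind_port        443
EOF
}

# DNS-only config: enable just the DNS service, listen on every interface,
# and answer every query with the Debian VM's address.
make_dnsonly() {                         # $1 = source, $2 = destination
  sed -e 's/^#start_service dns$/start_service dns/' \
      -e 's/^#\(service_bind_address\)[[:space:]].*/\1   0.0.0.0/' \
      -e 's/^#\(dns_default_ip\)[[:space:]].*/\1         10.1.2.100/' \
      "$1" > "$2"
}

# Full config: start from the DNS-only file, enable every service, and move
# HTTP/HTTPS to the high ports that the Burp listeners redirect into.
make_full() {                            # $1 = dns-only source, $2 = destination
  sed -e 's/^#start_service /start_service /' \
      -e 's/^#\(http_bind_port\)[[:space:]].*/\1         8080/' \
      -e 's/^#\(https_bind_port\)[[:space:]].*/\1        4443/' \
      "$1" > "$2"
}

# Effective (uncommented) value of a key, for checking the result.
conf_value() {                           # $1 = file, $2 = key
  awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# Number of services that will actually be started.
count_enabled_services() {               # $1 = file
  grep -c '^start_service ' "$1"
}

# Typical run on the Debian VM (adjust the source path as needed):
#   make_dnsonly /etc/inetsim/inetsim.conf ~/inetsim-dnsonly.conf
#   make_full    ~/inetsim-dnsonly.conf    ~/inetsim.conf
```

Before launching INetSim, check the result with conf_value and count_enabled_services: the DNS-only file should report exactly one enabled service and service_bind_address 0.0.0.0, and the full file should report http_bind_port 8080 and https_bind_port 4443.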

BurpSuite Configuration

Similar to INetSim, we are going to create 2 new config files: one for fake network access and one for real network access.

Starting with the fakenet config. In Burp, create a new temporary project and start Burp. Navigate to the Proxy tab and click Proxy settings. Remove any existing proxy listeners and add a new one. Use the following settings:

  • Bind to port 443 on interface 10.1.2.100
  • Under the request handling tab set the redirect host to localhost and the redirect port to 4443
  • Enable the support of invisible proxying

Create another binding with the following settings:

  • Bind to port 80 on interface 10.1.2.100
  • Under the request handling tab set the redirect host to localhost and the redirect port to 8080
  • Enable the support of invisible proxying

Save this config as burp-fakenet.conf

Follow the same steps to create the realnet config. In Burp, create a new temporary project and start Burp. Navigate to the Proxy tab and click Proxy settings. Remove any existing proxy listeners and add a new one. Use the following settings:

  • Bind to port 443 on interface 10.1.2.100
  • Under the request handling tab set the redirect host to [BLANK] and the redirect port to 4443
  • Enable the support of invisible proxying

Create another binding with the following settings:

  • Bind to port 80 on interface 10.1.2.100
  • Under the request handling tab set the redirect host to [BLANK] and the redirect port to 8080
  • Enable the support of invisible proxying

Save this config as burp-realnet.conf

To finish configuring Burp we need to get its CA certificate onto our Windows host and install it into the Trusted Root Certification Authorities store, so that the certificates Burp generates for intercepted HTTPS sites are trusted. Leave Burp running on your Debian VM and open your Windows VM. Launch a web browser and navigate to 10.1.2.100. You should be greeted with a Burp screen with the option to download a CA certificate.

Download the certificate and install it into the Trusted Root Certification Authorities store.

Testing everything is working

With your pfSense, Windows, and Debian VMs all running we should now have a working malware analysis lab.

Within Debian run both INetSim with sudo inetsim --config inetsim.conf and Burp with your fakenet config file. Open your Windows VM and try to load a webpage. Instead of the webpage loading you should be shown the default INetSim splash page letting you know that the traffic was generated by INetSim; this is expected. If you move back over to Debian and open Burp you should see the requests in the Proxy / Intercept tab.

With the other configs we created, inetsim-dnsonly.conf and the realnet Burp config, network connectivity should work in Windows, although it may be a bit slow, and large transfers may cause Burp to crash.

You should also test that hosts behind the LAN are not able to reach any devices in your home network. You can test this by pinging your home router IP; it shouldn't respond. If it does, you will want to check your pfSense firewall rules.
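The checks above are the ones worth repeating every time the lab is rebuilt or a snapshot is restored, so here is an added example, not from the original post, that scripts them from the Debian VM. It assumes the addresses used in this post (INetSim and Burp listening on 10.1.2.100) and uses HOME_GW as a placeholder for your own home router, which you must change. The decision helpers take the command output as an argument so they can be checked without a live lab.

```shell
#!/bin/sh
# Added example (not part of the original post): post-setup checks for the
# lab, run from the Debian VM. Assumes INetSim/Burp on 10.1.2.100 as above.
INETSIM_IP=${INETSIM_IP:-10.1.2.100}
HOME_GW=${HOME_GW:-192.168.1.1}   # placeholder: replace with your home router's address

# With inetsim.conf loaded every name resolves to dns_default_ip. This takes
# the answer text (e.g. from dig +short) and reports whether it is sinkholed.
dns_is_sinkholed() {              # $1 = answer text, $2 = expected sinkhole IP
  [ -n "$1" ] && [ "$(printf '%s\n' "$1" | head -n 1)" = "$2" ]
}

# INetSim's default fake page identifies itself; with the fakenet Burp config
# that page should come back on port 80 rather than a real site.
http_is_simulated() {             # $1 = response body
  printf '%s' "$1" | grep -qi 'inetsim'
}

# Hosts on VMnet2 must not reach the home network: a single echo reply from
# the home router means the pfSense LAN block rule is missing or wrong.
reachable() {                     # $1 = host; returns 0 if it answered a ping
  ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Runs the three live checks and returns non-zero if any of them fail.
run_checks() {
  status=0
  if dns_is_sinkholed "$(dig +short @"$INETSIM_IP" example.com 2>/dev/null)" "$INETSIM_IP"; then
    echo "PASS dns: example.com resolves to $INETSIM_IP"
  else
    echo "FAIL dns: INetSim is not answering with $INETSIM_IP (is it running with inetsim.conf?)"
    status=1
  fi
  if http_is_simulated "$(curl -s -m 5 "http://$INETSIM_IP/" 2>/dev/null)"; then
    echo "PASS http: INetSim page served through Burp on port 80"
  else
    echo "FAIL http: no simulated response on port 80 (check the Burp fakenet listener)"
    status=1
  fi
  if reachable "$HOME_GW"; then
    echo "FAIL isolation: $HOME_GW replied; check Firewall -> Rules -> LAN in pfSense"
    status=1
  else
    echo "PASS isolation: $HOME_GW is unreachable from the lab LAN"
  fi
  return $status
}

# Uncomment to run the live checks on the Debian VM:
# run_checks
```

Run it with INetSim (inetsim.conf) and the fakenet Burp config loaded; the isolation check is the one to keep even when you switch to the realnet config, since that is the configuration in which the Windows VM has a real path out.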
