Designing a Malware Lab
This article will outline how I have designed an isolated network / lab for malware analysis. You will find the following sections in this article:
- Executive Summary
- Host Configurations
Static and dynamic analysis of malware is vital for any blue or even red team for understanding how malware behaves. If you find yourself curious about this, or want to understand the malware found on your estate, designing your own malware network is important.
Malware analysis can be performed with a variety of goals in mind, depending on the requirements of the organization and the impact of the security incident. Some questions to ask are: how much damage has this malware caused? How sophisticated is it? What are the IOCs, and has it affected any other machines? How did it get onto the machine? Does it exploit any vulnerabilities we are unaware of, and can we take appropriate measures to mitigate the attack and prevent further incidents?
Why create one when you can use online services? Malware can sometimes contain information about the target (yourself) if it has been designed specifically, which you may not want to hand to a third-party service. You also have complete control over executing the malware and its environment, which allows for more advanced analysis and interaction.
There is a variety of setups you can do, but this article will go through my setup using an ESXi server. The same concept can be applied with local virtual machines, but the examples here are specific to this scenario. Please also treat this as an article about designing your malware setup rather than follow-along instructions, as I do not go into much detail about any of the installations.
Find here the malware network topology:
On the right of this diagram, you can find the primary internal network where most of our personal machines can be found, we don’t want to be executing malware here. On the left is our ‘malware network’ or ‘isolated network’ where you can find the Windows 10 Malware Lab and Remnux host acting as a bridge between the two. I will explain the hosts in further detail later on.
To create this additional network with the 2 hosts attached, we need to create a vSwitch on the ESXi server. Any ESXi notation means the machine is a VM hosted on ESXi. The isolated network is separate from our primary network, with no real internet access.
Here is a screenshot of the vSwitch (do not bind this vSwitch to a physical NIC) hosting the isolated malware network on ESXi:
As you can see, the 2 hosts are attached and there are no physical adapters. You will need to set up both virtual machines prior to removing internet access. I personally created the VMs normally with internet access, then afterwards created the vSwitch and attached the machines. On your ESXi web interface, go to Networking > Virtual Switches > Add standard virtual switch. I left the MTU as 1500; make sure not to have any uplinks. Then create a port group on Networking > Port Groups > Add Port Group and select the switch you just created. Once this has been created, we can proceed to add the configured VMs to this port group so they are attached to this switch:
On the Windows 10 VM, edit the existing adapter so it is on the “malware network”. This should be its only adapter. On the Remnux host, do the same but also add another adapter for the other switch so it has access to our primary network.
As we have no direct access to the Windows 10 Lab, we will need to communicate via VNC (TigerVNC) as illustrated in the topology. In this case, I created an iptables rule to forward VNC traffic to the Windows 10 Lab, so connecting to the Remnux host (10.10.x.x) will forward the session to 192.168.56.x. You can find the iptables rule under the Host Configurations section of this article.
The Windows 10 Lab has no real internet connection, so it should never be connected to the internet, especially during or after analysis. Therefore, this host has only 1 adapter. The Remnux host is the only machine with direct communication to both networks.
The Remnux host, however, has 2 adapters: one for the isolated network and another for our internal network. It will act as the router and DNS server so all traffic routes through this machine, allowing us to capture and analyse any network traffic. It will also simulate a real network with multiple open ports so the malware lab thinks it is communicating with other hosts and the internet.
Host Configurations
This section describes how each host has been configured.
Windows 10 Lab
This lab will be running the samples. You can choose any OS, but I recommend Windows 10 as it is the most current and popular OS at the moment. Choose an environment in which your desired malware can run.
We will need to connect to this host somehow so make sure to install and run a TigerVNC server. You can find TigerVNC binaries here:
We will also need some tools for the analysis, so we can use “Flare VM” to install a bunch of helpful analysis tools on our machine. You can find the git repo here:
Instructions for running the PowerShell script are as follows:
1) Open a PowerShell window as administrator
2) Allow script execution by running the command “Set-ExecutionPolicy Unrestricted”
3) Execute the script by running “.\install.ps1”
I have also added a few utilities such as office tools to open Word documents or PDFs, and extra analysis tools to my liking, in particular “command watcher”, which I really like using as it can intercept and process commands when executing malware. I highly recommend installing all the tools you want before you take a snapshot and cut the machine's internet connection.
We need to allow the malware to run uninterrupted, so we need to remove as many security measures as possible on the Windows 10 machine. Disable the firewall and turn off Windows Defender.
Once you are happy with your setup, take a snapshot of the virtual machine. This is an important part! Once you have finished your analysis, you want to revert to a fresh image to wipe all traces off the instance.
Remnux Host
The Remnux host is primarily used to act as a router and a communication bridge to interact with our lab.
You can use any Linux OS; I chose Remnux as it has a lot of pre-installed analysis tools, so I can analyse any network traffic. I also host a web server on here to allow malware uploading, which both the Windows 10 Lab and any machine on the internal network can access. I find this an easy way to transfer any files over.
In order to interact with this machine, I enable SSH as most of the uses I have are CLI based.
It must be running fakedns and inetsim to simulate an internet connection as well as some open ports.
Here is the iptables rule I used:
sudo iptables -A PREROUTING -t nat -i ens33 -p tcp -m multiport --dports 5900,5901,5902,5903 -j DNAT --to 192.168.56.x
Replace the IPs accordingly and use whatever your interface is called instead of “ens33”.
I simply deployed the latest .ova of Remnux on ESXi. Keep this updated, as it is also connected to our main network.
You should be able to test your setup once everything has been configured correctly. The Windows 10 machine should be able to ping domains: try pinging google.com while running fakedns on the Remnux host. You should see a query for google.com. However, if you try to visit that domain, it will not show the actual site.
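As an added example (not code from the original article or from the fakedns project), here is a minimal sinkhole resolver in Python that does what fakedns does on the Remnux host during the test above: every A query from the lab, such as the ping to google.com, is logged and answered with the Remnux address, so you see the query while the lab never reaches the real site. The sink address 192.168.56.1 is an assumed placeholder for your Remnux interface on the isolated network.

```python
import socket
import struct

# Assumed sinkhole address: the Remnux host's IP on the isolated network (placeholder value).
SINK_IP = "192.168.56.1"

def parse_qname(data, offset):
    """Decode the uncompressed name in the question section; return (name, end offset)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_query(name, qtype=1, txid=0x1234):
    """Constructed client query (RD set), as the lab's resolver would send it; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def fake_answer(query, sink_ip=SINK_IP):
    """Answer any A query with sink_ip; other record types get an empty answer section."""
    txid = query[:2]
    name, end = parse_qname(query, 12)
    qtype = struct.unpack("!H", query[end:end + 2])[0]
    question = query[12:end + 4]
    if qtype != 1:
        # QR=1, RD=1, RA=1, NOERROR, but ANCOUNT=0 so the client gives up cleanly
        return name, txid + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 0) + question
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    # One A record: name is a pointer to the question (0xC00C), class IN, TTL 60, 4-byte RDATA
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(sink_ip)
    return name, header + question + answer

def serve(bind_ip="0.0.0.0", port=53):
    """Listen on UDP/53 and log every name the lab host asks for (port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, addr = sock.recvfrom(512)
        name, resp = fake_answer(data)
        print(f"{addr[0]} asked for {name} -> answered {SINK_IP}")
        sock.sendto(resp, addr)

if __name__ == "__main__":
    serve()
```

Point the Windows 10 Lab's DNS at the Remnux address while this runs and every lookup appears in the log, which is exactly the behaviour you want to confirm before running a sample.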
Here is a repository of live malware you can try and play with:
For transferring the malware over, have the samples transferred to your Remnux machine and downloaded from Windows 10 over HTTP or another protocol. As mentioned before, I set up a simple Apache web server where I put my samples in the /var/www/html/uploads directory, so I can access http://remnux.ip/uploads from the lab.
Have fun :)