Why you need a Malware Analysis Lab and how to build it

Pablo Ramos
Dec 27, 2017 · 7 min read

Threats are one of the most challenging topics in the Information Security field, and the shortage of qualified personnel makes it even harder for companies to keep their information secure and their assets under control.

If you want to understand how they work so you can define your defensive strategy, you’ll need a place to analyse them. Hence the importance of a secure environment in which to research, learn and figure out the best way to stop them.

As you can imagine, there is no one-size-fits-all here, and you’ll have to figure out what works best for you, or in some cases for your organisation. To help folks who might be trying to figure this out, I’ll share some of the setups I use and the reasons behind them.

Why do you need a Malware Analysis Lab?

A Malware Analysis Lab can help you to:

How to build it?

The process of building your own Malware Analysis lab starts with figuring out your needs and the requirements for setting it up. Whatever your specific needs for analysis machines, it will be pretty important to have some dedicated systems with tools to control, analyse and safeguard your environment, even if it’s virtualised like mine.

Some questions that will help you clear your mind:

Step 1. Your network

One of the most important steps in building your own lab is defining its network. This step is more important than many people think, and here are some of the reasons why:

Depending on your resources you might have dedicated systems for this, even a dedicated network in your house for playing with all of it. If you’re just starting because you want to make your way into the Information Security world, and specifically into Malware Analysis, you can start small and then grow based on your needs. Think ahead, but not too far ahead.

What I would recommend is to get some pen and paper or a scratchpad, choose your favourite private network address space, and assign a static IP address to each one of your systems. The reason I recommend this is so you don’t f**k up your mind when you start collecting network information and try to figure out which system that traffic belonged to.

Another important point here is that you’re going to need a dedicated machine to control your network traffic and act as the gateway for your lab. Here we’ll look at some options such as Kali Linux or REMnux (hint hint, I have both).

Step 2. Virtualization?

If you don’t have a few spare machines, a switch and a dedicated physical space for this, or you simply want to carry your lab with you wherever you go, you’ll need to use some virtualisation software. In this space there are a few options, but I’d recommend sticking with VMWare or Virtual Box (free).

Why? I like both. If you don’t mind spending a few bucks you can go for VMWare Workstation. Virtual Box is good enough for the price you have to pay (it’s free), and you can customise a lot of things. Some folks would even prefer Qemu, which is also free and pretty good.

Virtualisation software will allow you to host your whole lab on a single machine (I’d recommend having 16 GB of RAM), and another extremely handy feature is snapshots. These allow you to revert your machines to a clean state, so you can start an analysis over and over again, which is pretty useful for keeping track of your work on long analyses.

If you’re using virtualisation software, how you set up your virtual network is critically important. You have three options for your machines:

Never use Bridged mode: it can expose your personal network to threats, and you don’t want to infect anybody else’s systems. Host-Only will only let your virtual system communicate with your host machine; you don’t want this either.

What you need to set up is a NAT Network, and I’d recommend you disable DHCP so you can stick to your design. If you want a more detailed setup you can check the Virtual Box documentation.

Step 3. Analysis Machines

If you’re going to analyse malware you’ll need different systems on which to run your samples and execute the tools. You might also have to consider separate places for Static and Dynamic Analysis.

For each of the systems you choose, you’ll have to follow some simple steps to set them up:

These five simplified steps will help you set up the machines you’ll need to move forward with your analysis. Regarding the Operating System, some options I’d recommend you have include:

One thing you could add to the list is a Virtual Machine with OSX or Android, but with the current setup you’ll already be able to analyse a wide set of threats in a controlled environment.

With three VMs dedicated to Malware Analysis you’ll have more than enough to start. I would also recommend having an easily exploitable machine, in case you want to try out something specific.

I’ve mentioned REMnux and Kali before, and why one of these has to be your gateway. Both are extremely useful for security. REMnux is a system dedicated to Malware Reverse Engineering and comes with tons of handy tools for that purpose. Kali is a Linux distro dedicated to Penetration Testing and Ethical Hacking, with a great number of tools for offensive actions, which can be more than handy for specific tasks needed during your analysis.

To start with, and during Malware Analysis activities, REMnux should be your gateway. This lets you sniff network traffic from outside your analysis machines and also control it.

If you decide to have both options, REMnux and Kali, these should be your only machines with Internet access. You can achieve this by adding more than one network card to these Virtual Machines:

This latter network card will let you provide Internet access to your analysis machines when needed, and you’ll be less likely to expose yourself with the malware samples you’re analysing.
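Steps 1 to 3 above, as an added example that is not part of the original post: a POSIX shell script that records a static address plan and uses VBoxManage to create the DHCP-less NAT network, attach each analysis VM to it, and give the REMnux gateway a second, Internet-facing NIC. The VM names, the network name `malware-lab` and the 10.10.10.0/24 range are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes VirtualBox is installed
# and the VMs named below already exist; names and addresses are constructed.
set -eu

LAB_NET="malware-lab"          # VirtualBox NAT network name (assumption)
LAB_CIDR="10.10.10.0/24"       # private range chosen for the lab; .1 is VirtualBox's own NAT router
GATEWAY_VM="remnux"            # the only VM with a second, Internet-facing NIC
ANALYSIS_VMS="win7-analysis win10-analysis ubuntu-analysis"

# Static address plan: written down once so captured traffic is easy to attribute.
# Analysis VMs point their default route at the REMnux address, not at .1.
address_plan() {
    cat <<EOF
remnux            10.10.10.2    gateway/sniffer (NIC1 lab net, NIC2 NAT to Internet)
win7-analysis     10.10.10.11   dynamic analysis, default route 10.10.10.2
win10-analysis    10.10.10.12   dynamic analysis, default route 10.10.10.2
ubuntu-analysis   10.10.10.13   static analysis / Linux samples, default route 10.10.10.2
EOF
}

# Create the lab NAT network with DHCP disabled so guests keep the static plan.
create_lab_network() {
    VBoxManage natnetwork add --netname "$LAB_NET" --network "$LAB_CIDR" --enable --dhcp off
}

# Analysis VMs get exactly one NIC, on the lab network, and nothing else.
attach_analysis_vm() {
    VBoxManage modifyvm "$1" --nic1 natnetwork --nat-network1 "$LAB_NET"
    VBoxManage modifyvm "$1" --nic2 none
}

# Gateway: NIC1 on the lab network, NIC2 as plain NAT for controlled Internet access.
attach_gateway_vm() {
    VBoxManage modifyvm "$GATEWAY_VM" --nic1 natnetwork --nat-network1 "$LAB_NET"
    VBoxManage modifyvm "$GATEWAY_VM" --nic2 nat
}

build_lab() {
    create_lab_network
    for vm in $ANALYSIS_VMS; do attach_analysis_vm "$vm"; done
    attach_gateway_vm
    address_plan
}

# `sh lab-network.sh apply` makes the changes; with no argument it only prints the plan.
case "${1:-plan}" in
    apply) build_lab ;;
    *)     address_plan ;;
esac
```

The VirtualBox NAT network keeps its own router at the first address of the range, which can still reach the Internet, so the isolation depends on each analysis VM's static default route pointing at the REMnux address and on REMnux deciding what to forward.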

Step 4. Testing your environment

Before diving into your analysis of malware samples, you’ll need to spend a few moments checking that your whole setup is correct. This means:

Step 5. Start your Malware Analysis

At this stage you’re all set: pick any sample you’d like to start with, turn on your machines and begin familiarising yourself with the tools, the systems and your brand new environment.

If you don’t have any samples, or you’re looking for a good set of examples to start with, I would recommend taking a look at theZoo, a Github repo with over 170 samples from different families for you to look at. Beware, this is live and dangerous malware. So be sure to handle it properly.


Malware Analysis can be hard, but it will be fun. It’s not only running samples and disassembling code; over time you’ll expose yourself to a lot of different technologies, architectures and challenges. There is great demand for these capabilities in the market and plenty of sources you can learn from.

The best way to keep up is to continuously try new things and look at new samples, and the best way to be effective is to have a proper environment in which to do all of this.

Happy hunting!
