Why you need a Malware Analysis Lab and how to build it

Threats are one of the most challenging topics in the Information Security field, and the shortage of qualified personnel makes it even harder for companies to keep their information secure and their assets under control.

If you want to understand how they work so you can define your defensive strategy, you’ll need a place to analyse them. Hence the importance of a secure environment in which to research, learn and figure out the best way to stop them.

As you can imagine, there is no one-size-fits-all for this, and you’ll have to figure out what might work best for you, or in some cases your organisation. To help folks who might be trying to figure this out, I’ll share some of the setups I use and the reasons for them.

Why do you need a Malware Analysis Lab?

A Malware Analysis Lab can help you to:

  • Decrease risk of infection
  • Control what gets in and out of your network
  • Increase your analysis speed
  • Help you build a framework
  • Help you to identify TTPs and IOCs
  • Have some fun (CTFs, CrackMe, Testing, Exploiting and more!)

How to build it?

The process of building your own Malware Analysis lab starts with figuring out your needs and requirements for setting it up. Regardless of your specific needs for analysis machines, it is important to have some dedicated systems with tools to control, analyse and safeguard your environment, even if it’s virtualised like mine.

Some questions that will help you clear your mind:

  • What type of systems do you need? Think about Windows, Linux, OSX or even mobile OS. If it’s for learning, I’d recommend starting with Windows and Linux. If it’s for work, try to think
  • What tools do you need? There are lots of tools out there; you will need to try a bunch of them to figure out what works best for you.
  • What do you want to achieve? Just think: why are you building this?

Step 1. Your network

One of the most important steps of building your own lab is to define its network. This step is more important than many people think, and here are some of the reasons why:

  • You need to control what gets out and what gets in.
  • You need to know your network to identify uncommon patterns or connection attempts.
  • You need to intercept traffic between your Analysis systems and the Network.
  • You want to isolate analysis systems from other computers.
  • You don’t want to infect yourself or people who live/work with you.

Based on your own resources, you might have dedicated systems for this, even a dedicated network in your house for playing with all of this. If you’re just starting because you want to make your way into the Information Security world, and specifically into Malware Analysis, you can start small and then grow based on your needs. Think ahead, but not too far ahead.

What I would recommend is to get some pen and paper or a scratchpad, and choose your favourite private network address space so you can assign a static IP address to each one of your systems. The reason I recommend doing this is not to f**k up your mind when you start collecting network information and try to figure out which system it belonged to.

Another important point here is that you’re going to need a dedicated machine to control your network traffic and to act as a gateway for your lab. Here we’ll see some options such as Kali Linux or REMnux (hint hint, I have both).
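The static address plan recommended above can be kept as data and checked before you build anything. The following is an added example, not part of the original post; the subnets, host names and sample flows are assumptions made up for illustration. It validates the plan (private space, no overlap with the home network, no duplicates) and then uses it to label traffic captured on the gateway.

```python
import ipaddress

# Assumed values for illustration: substitute your own private ranges.
LAB_NET = ipaddress.ip_network("10.66.66.0/24")
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Static plan, one address per lab system (hypothetical host names).
PLAN = {
    "remnux-gw": "10.66.66.1",
    "win10-analysis": "10.66.66.10",
    "linux-analysis": "10.66.66.20",
}

def validate_plan(plan, lab_net, home_net):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    if not lab_net.is_private:
        problems.append(f"{lab_net} is not private address space")
    if lab_net.overlaps(home_net):
        problems.append(f"{lab_net} overlaps home network {home_net}")
    seen = {}
    for host, addr in plan.items():
        ip = ipaddress.ip_address(addr)
        if ip not in lab_net:
            problems.append(f"{host}: {ip} is outside {lab_net}")
        if ip in seen:
            problems.append(f"{host}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, host)
    return problems

def label_flows(flows, plan, lab_net):
    """Map (src, dst, dport) tuples to host names and flag traffic leaving the lab."""
    names = {ipaddress.ip_address(a): h for h, a in plan.items()}
    def name(ip):
        # A lab address that is missing from the plan is a finding in itself.
        return names.get(ip, "UNKNOWN-LAB-HOST" if ip in lab_net else "external")
    labelled = []
    for src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        labelled.append((name(s), name(d), dport, d not in lab_net))
    return labelled

# Constructed sample flows, as you might export them from a gateway capture.
SAMPLE_FLOWS = [
    ("10.66.66.10", "10.66.66.1", 53),
    ("10.66.66.10", "203.0.113.7", 443),
    ("10.66.66.99", "10.66.66.1", 80),
]

if __name__ == "__main__":
    print(validate_plan(PLAN, LAB_NET, HOME_NET))
    print(label_flows(SAMPLE_FLOWS, PLAN, LAB_NET))
```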

Step 2. Virtualization?

If you don’t have a few spare machines, a switch, and a dedicated physical space for this, or you simply want to carry your lab with you wherever you go, you’ll need to use some virtualisation software. In this space there are a few options, but I’d recommend sticking with VMware or VirtualBox (free).

Why? I like both. If you don’t mind spending a few bucks, you can go for VMware Workstation. VirtualBox is good enough for the price you have to pay (it’s free), and you can customise a lot of things. Some folks would even prefer QEMU, which is also free and pretty good.

Virtualisation software will allow you to host all of your lab on a single machine (I’d recommend having 16 GB of RAM). Another extremely handy feature is snapshots, which allow you to revert your machines to a clean state so you can start an analysis over and over again. This is pretty useful for keeping track of your work during long analyses.

If you’re using Virtualisation software, how you set up your virtual network is more than important. You have three options for your machines:

  • Bridged (Do not use)
  • NAT
  • Host-Only

By no means use Bridged mode: this can expose your personal network to threats, and you don’t want to infect anybody else’s systems. Host-Only only lets your virtual system communicate with your host machine, and you don’t want this either.

What you need to set up is a NAT Network, and I’d recommend you disable DHCP so you can stick to your design. If you want a more detailed setup, you can check the VirtualBox documentation here.

Step 3. Analysis Machines

If you’re going to analyse malware, you’ll need different systems on which to run your samples and execute the tools. You might also have to consider where to do Static and Dynamic Analysis.

For each one of the systems you choose, you’ll have to follow some simple steps to set it up.

  1. Install the Operating System and security updates (installing Virtual Machine Tools is optional)
  2. Install software you might need (browsers like Chrome or Firefox, Office tools, email clients, etc.)
  3. Install analysis tools. For Windows you can check Flare VM to automate some of it.
  4. Set up Network config.
  5. Save a Snapshot in a clean state.

These simplified 5 steps will help you to set up the machines you’ll need to move forward with your analysis. Regarding the Operating System, some options I’d recommend you to have include

One thing you can add to the list would be a Virtual Machine with OSX, or Android, but with this current setting you’ll be able to analyse a wide set of threats in a controlled environment.

With three VMs dedicated to Malware Analysis you’ll have more than enough to start. I would recommend you also have an easily exploitable machine, in case you want to try out something specific.

I’ve mentioned REMnux and Kali before, and why one of these has to be your Gateway. Both are extremely useful for security. REMnux is a dedicated system for Malware Reverse Engineering and comes with tons of handy tools for this purpose. Kali is a Linux distro dedicated to Penetration Testing and Ethical Hacking, with a great number of tools, and its offensive tooling can be more than handy for specific actions needed during your analysis.

For a start, and during Malware Analysis activities, REMnux should be your gateway. This option allows you to sniff network traffic from outside your analysis machines and also to control it.

If you decide to have both options, REMnux and Kali, these should be your only machines with Internet access. You can achieve this by adding more than one Network Card to these Virtual Machines:

  • NAT Network defined in Step 1.
  • NAT Network with Internet access

This latter network card will allow you to provide Internet access to your analysis machines when needed, and you’ll be less prone to exposing yourself to the malware samples you’re analysing.

Step 4. Testing your environment

Before diving into your analysis of malware samples, you’ll need to spend a few moments checking that all your setups are correct. This would mean:

  • No analysis machine should have access to the Internet or your home/work network. You should be able to control this through your Gateway. Turn it on and off so you can get familiar with the process.
  • Make sure that all machines have a Snapshot in a clean state. You should define how often you will update them to install security patches, new software versions and other caveats. Doing this once a month, or once every two months, can work.
  • Turn all your machines on and run a network scan to test if everything is working properly.
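One way to run the first check in the list above from inside an analysis machine, as an added example that is not part of the original post. The probe targets are constructed placeholders; replace them with an Internet host and a host on your own home/work network. Run it once with the gateway closed (nothing should be reachable) and once with it open.

```python
import socket

# Assumed probe targets (constructed values): one Internet host and one host
# on your home/work LAN. Replace both with addresses that exist for you.
TARGETS = [
    ("internet", "203.0.113.10", 443),
    ("home-lan-router", "192.168.1.1", 80),
]

def can_connect(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out: all count as blocked
        return False

def verify(targets, expect_reachable, timeout=2.0):
    """Compare observed reachability with the expected gateway state.

    Returns (label, observed) for every target that does not match, so an
    empty list means the lab behaves as designed.
    """
    mismatches = []
    for label, host, port in targets:
        reachable = can_connect(host, port, timeout)
        if reachable != expect_reachable:
            mismatches.append((label, "reachable" if reachable else "blocked"))
    return mismatches

if __name__ == "__main__":
    # Run with the gateway's forwarding switched off: nothing should get out.
    leaks = verify(TARGETS, expect_reachable=False)
    for label, state in leaks:
        print(f"ISOLATION FAILURE: {label} is {state}")
    raise SystemExit(1 if leaks else 0)
```

A TCP probe only covers the ports you list, so keep the gateway capture running during the test and confirm that nothing else (DNS, ICMP) leaves the lab network either.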

Step 5. Start your Malware Analysis

At this stage you’re all set: you can pick any sample you’d like to start with, turn on your machines and begin to familiarise yourself with the tools, systems and your brand new environment.

If you don’t have any samples, or you’re looking for a good set of examples to start with, I would recommend you take a look at theZoo, a GitHub repo with 170+ samples of different families for you to look at. Beware, this is live and dangerous malware, so be sure to handle it properly.

Conclusion

Malware Analysis can be hard, but it will be fun. It’s not only running samples and disassembling code; you’ll expose yourself to a lot of different technologies, architectures and challenges over time. There is a great need for these capabilities in the market and plenty of sources you can learn from.

The best way to keep up is to continuously try new things and look at new samples, and the best way to be effective is to have a proper environment in which to do all of this.

Happy hunting!