
Set up a malware analysis lab with VirtualBox, INetSim and Burp - swalsh
https://blog.christophetd.fr/set-up-your-own-malware-analysis-lab-with-virtualbox-inetsim-and-burp/
======
awirth
If you're interested in a more comprehensive source on setting up these sorts
of malware analysis labs I would recommend Tony Robinson's "Building Virtual
Machine Labs: A Hands-On Guide"[1]. It is a very detailed guide and also
supports multiple hypervisors.

[1]: [https://www.amazon.com/dp/B071G4SCB4](https://www.amazon.com/dp/B071G4SCB4)

~~~
strictnein
Yep, great stuff.

Also available in dead tree format:

[https://www.amazon.com/Building-Virtual-Machine-Labs-Hands/d...](https://www.amazon.com/Building-Virtual-Machine-Labs-Hands/dp/1546932631/)

------
Mister_Snuggles
This is pretty neat, however I wonder about the risks.

Is there any malware that detects that it's running under something like
VirtualBox and changes its behaviour? Are there any security exploits in
VirtualBox that malware could take advantage of to infect the host OS?

Regardless of the risks, this is still a neat way to analyze an unknown system
(whether a single program or a suite of programs that run across multiple
machines).

~~~
Dolores12
Get a cheap bare-metal cloud server. Pay hourly. Avoid all risks (at the
expense of the cloud server provider :)

~~~
toomuchtodo
I wonder if there's a need for a malware tear down service; submit a JSON
request with the binary defined as part of the request, a spot instance spins
up, allows the malware to run, and then all of the MITM network traffic and
the instance memory snapshot is dropped into S3 for forensic exploration and
collaboration.

Forensic malware analysis as a service.

~~~
Kalium
That's a very interesting idea! Certainly it's an interesting take on the
sandbox, and might allow for access to analysis tools even for those without
the required tools or skillset. Malware is a threat to us all, and anything
offering to democratize analysis is well worth considering.

With that said, I can perhaps see a couple of potential sources of additional
complexity. First, a spot instance can't really offer the required level of
sandboxing. A typical analysis scenario exploits the privileged position a VM
host has over the guest to further analysis and safety. Attempting to do so
from a peer position is more difficult and may put you in a more limited
position to observe all potential behavior as you lose the ability to easily
fake DNS, alter the clock, and more.

Second, it's possible that cloud hosting service providers might run services
designed to look for and shut down malware-infected hosts. It would certainly
be in their general interest and probably in the general interest of most of
their customers. In such a scenario, it's very possible that a service like
the one you describe might find all analysis attempts shut down instantly rather
than being able to even attempt to gather useful behavioral evidence.

Your idea is great! It's well worth exploring and holds amazing potential. It
may perhaps be best done with the above caveats in mind.

~~~
toomuchtodo
Thank you! I'll explore the use of ephemeral VPCs for this tonight; that
should allow for the level of network isolation (and possibly traffic routing
through another VPC with network traffic inspection tooling) necessary.

~~~
sillysaurus3
I'd like to work on this. Do you want to collaborate?

I think running it on e.g. DigitalOcean is fine. In particular, "Playing with
malware in public is not something to be done lightly, and potentially very
dangerous (to others as well as you!)" is rather overblown. Doing it locally
via Docker, on the other hand, is asking for trouble. Docker isn't a security
mechanism.

We could offer a service where we can spin up a honeypot image (e.g. a fairly
typical Windows installation + a few installed apps and some browsing
history). The deal is, you can submit your malware to us, we'll spin up the
image, run the malware, and provide real-time feedback about what it's doing.
One strategy for pricing would be $hosting_fee*markup per hour.

Honestly it's one of the better ideas that's been tossed around, so if you're
considering this as potentially more than a side project, hit me up.

~~~
Kalium
Indeed! It's such a great idea, that services such as
[https://malwr.com/](https://malwr.com/) already exist! As do VirusTotal and
several other sandbox-driven services. With such services, the deal is that
you submit your malware, analysis is performed in a variety of ways, and
results are offered.

You're _absolutely right_ that Docker isn't a security mechanism. It might be
worth considering why it might have been suggested, and what local
virtualization offers that AWS or DigitalOcean might not in a context where a
typical analysis toolset has been dismissed out of hand.

For my own part, I've engineered services that offer precisely the featureset
you've described. We found compelling reasons to not do so on AWS or similar.
While your conclusions may obviously differ substantially, it may be wise to
arrive at them with full knowledge of why others made their decisions.

~~~
sillysaurus3
If I'm mistaken, then just point out why. I'd rather know.

_It might be worth considering why it might have been suggested, and what
local virtualization offers that AWS or DigitalOcean might not._

What does local virtualization offer that AWS or DO don't?

_For my own part, I've engineered services that offer precisely the
featureset you've described. We found compelling reasons to not do so on AWS
or similar. While your conclusions may obviously differ substantially, it may
be wise to arrive at them with full knowledge of why others made their
decisions._

Such as?

I'm not doubting you, so please don't take it as such. On the other hand, if
you don't have time to describe your findings then no worries. I'll likely
rediscover the wisdom independently.

~~~
FreakLegion
I led the team for WildFire (the most widely used commercial sandbox and, I
believe, the first one in the cloud) at Palo Alto Networks. If anyone from
FireEye or Lastline is around, maybe they'll chime in as well.

The design of the analysis system itself determines your deployment
constraints. For example, will you give the malware an open line to the
Internet? If not, you'll miss out on most of its activity[1], but won't be
limited in terms of hosting. If, on the other hand, you give the malware free
rein, AWS wants no part of that (we tried it).

1. See the (speculated) anti-analysis kill switch in WannaCry. This sort of
thing is common. But more fundamentally, malware also tends to work in stages,
and often won't do much if it can't phone home.
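
Two points in this thread meet in one piece of lab tooling: Kalium's remark that a VM host can "fake DNS" for the guest, and FreakLegion's note that samples often check whether a domain resolves (a kill switch or staging check) and stay quiet if it does not. The resolver in an isolated lab therefore answers every lookup with the address of the analyst's fake-service host, so the sample proceeds and every connection it attempts lands on a listener the analyst controls. The following DNS sinkhole is an added example written for this thread; it is not code from the linked article, from INetSim, or from any commenter. `SINKHOLE_IP` and the query name `www.example.invalid` used as test input are constructed values.

```python
import socket
import struct

# Assumption: the lab's fake-service host (the box running INetSim or similar).
SINKHOLE_IP = "10.0.0.2"
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.invalid' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode labels at offset, following compression pointers; return (name, offset after the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into the packet
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Build a plain recursion-desired query; used here only to construct test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, raw question section); reject anything that is not a single query."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, packet[12:off + 4]


def build_response(query: bytes, sinkhole_ip: str = SINKHOLE_IP, ttl: int = 60) -> bytes:
    """Answer an A query with the sinkhole address; other types get NOERROR with no answer."""
    txid, _qname, qtype, question = parse_query(query)
    is_a = qtype == QTYPE_A
    # Flags 0x8580: QR=1 (response), AA=1, RD=1 copied from the query, RA=1, RCODE=0.
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1 if is_a else 0, 0, 0)
    rr = b""
    if is_a:
        # Name is a pointer to offset 12 (the question name); then type, class, TTL, RDLENGTH, address.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(sinkhole_ip)
    return header + question + rr


def parse_answer_ip(response: bytes):
    """Pull the A-record address out of a response (None if it carries no A answer)."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(response, off)
        off += 4  # skip QTYPE and QCLASS
    if ancount == 0:
        return None
    _, off = decode_name(response, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    if rtype != QTYPE_A or rdlen != 4:
        return None
    return socket.inet_ntoa(response[off:off + 4])


def serve(bind=("0.0.0.0", 53)):
    """Run the sinkhole over UDP on the lab-only network and log every name the guest asks for."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, peer = s.recvfrom(512)
            try:
                _, qname, qtype, _ = parse_query(data)
                print(f"{peer[0]} asked for {qname} (type {qtype}) -> {SINKHOLE_IP}")
                s.sendto(build_response(data), peer)
            except (ValueError, IndexError, struct.error) as exc:
                print(f"ignored malformed packet from {peer[0]}: {exc}")


if __name__ == "__main__":
    serve()  # binding port 53 needs root; point the guest VM's resolver at this host
```

The log line per query is the useful by-product: the list of names a sample asks for is behavioral evidence in its own right, and because the lab network has no route out, a wrong answer costs nothing. Only A records are answered here; a lab resolver that also fakes AAAA, MX or TXT answers follows the same record layout with a different RDATA encoding.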

------
616c
It is no surprise to see articles and lots of comments. I was in a class where
people wanted to set up Cuckoo Sandboxes with the controller system in a VM as
well, not just malware testbeds and the controller system in Python
installed system wide on the host.

It makes this stuff annoyingly difficult. I was also very very interested in
Drakvuf, a system which inspects the VM from the Xen host on the host side
with special shims for memory and OS introspection.

Anyone try Drakvuf yet?

------
r00fus
Life imitates xkcd? [https://www.xkcd.com/350/](https://www.xkcd.com/350/)

