Category Archives: Updates

Building a virtual machine lab for malware analysis

'Inside the lab' by -Renegade-

Due to my renewed interest in malware analysis, I’ve built a virtual machine lab at home. My newest desktop system runs an AMD Phenom II 6-core processor with 16GB of RAM and Ubuntu Linux 10.10 (for now), so it does a great job as a host for all the little systems where I can perform analyses and sacrifices.

I chose to use VirtualBox over VMware Player primarily because it allows me to use multiple snapshots with a system without having to pay anything. Also, I hadn’t used it before this project, which meant something else new I could learn.

Right now, I have the following VMs loaded in the lab:

  • OpenBSD: As discussed recently, I wanted to experience again all the love, hate, sex, and pain from my old days. Actually, this system hasn’t gotten used in any “production” sense, but I hope that changes soon-ish.
  • REMnux: A Linux distribution dedicated to reverse engineering malware, REMnux has lots of great tools pre-configured for use in a project. I’ve only started to scratch the surface of what it can do, but already the default install of inetsim (with some extremely minor configuration tweaks) came in handy during a recent analysis for my day job.
  • SIFT: Like REMnux, I view the SANS Investigative Forensic Toolkit as a sine qua non for any forensic analyst’s toolbox. It has a great setup for The Sleuth Kit and Autopsy Browser and lots of other tools available.
  • Windows 7: I primarily use this as a sacrificial goat when analyzing malware. I’ve done nothing to it past the default install and operating system updates. I did, however, run md5deep on it, so that I have a complete hash set of known good files. That seems like a good project to make available publicly, but I’d like to put some thought into how I should do it.
  • Windows XP: Actually, I keep two trees of this system. One functions precisely like the Windows 7 install, albeit with Firefox installed, something I should probably remedy. I have the md5deep output for it as well. The other serves as a test bed for debugging and any analysis tasks that require access to Windows. Right now, I’ve built it according to Gray Hat Python but I will likely add to it as time progresses.

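The md5deep hash set mentioned for the Windows 7 goat is only half of the workflow: the value comes from re-hashing the guest after a sample runs and diffing the two sets. The following is an added example, not code from the post, that implements that baseline-and-diff idea in Python. It uses SHA-256 rather than MD5 (a choice made here, since MD5 collisions are cheap to produce), skips symlinks so a planted link cannot redirect the hasher, and builds its "clean install" and "post-detonation" directory trees from constructed sample files in a temporary directory; the paths and contents are invented for the demo.

```python
"""Baseline a directory tree's file hashes and report what changed afterwards.

Added example: the same idea as the md5deep known-good hash set described in
the post, written in Python with SHA-256 so the manifest doubles as a change
report. All paths and sample files below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large
    binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk `root` and map each regular file's relative POSIX path to its
    digest. Symlinks are skipped so a link planted after the baseline cannot
    point the hasher at an unrelated file."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare a known-good baseline with a later snapshot and bucket every
    path as added, removed, modified or unchanged."""
    base_keys, cur_keys = set(baseline), set(current)
    common = base_keys & cur_keys
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "unchanged": sorted(k for k in common if baseline[k] == current[k]),
    }


def demo() -> dict:
    """Build a constructed 'clean install', baseline it, simulate filesystem
    changes a sample might leave behind, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows" / "System32").mkdir(parents=True)
        (root / "Users" / "lab").mkdir(parents=True)
        (root / "Windows" / "System32" / "kernel32.dll").write_bytes(b"stub dll")
        (root / "Windows" / "System32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "Users" / "lab" / "notes.txt").write_text("clean\n")

        baseline = build_manifest(root)  # the "md5deep run" on the clean goat

        # Simulated post-detonation state (constructed, not a real sample):
        (root / "Windows" / "System32" / "hosts").write_text(
            "127.0.0.1 localhost\n0.0.0.0 update.example\n")            # modified
        (root / "Users" / "lab" / "svchost.exe").write_bytes(b"dropped")  # added
        (root / "Users" / "lab" / "notes.txt").unlink()                   # removed

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest is taken once from a clean snapshot and stored outside the guest (it is part of what the snapshot is for), then the diff is run against a fresh manifest after each detonation; anything in the "added" or "modified" buckets is the short list worth pulling for closer analysis.
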
In the next couple of weeks, I’ll build something similar at work but applying the lessons I’ve learned here. Those lessons, however, will have to wait for another post, because I haven’t figured them all out yet.

Virtual OpenBSD

'Through the dust and ashes' by Carl Jones

Hey, OpenBSD. Haven’t seen you in a while, how’s life treating you? Say, you’re looking good these days. Guess Theo hasn’t been too rough on you, eh?

What? Windows? No, we broke up a long time ago. You knew that was never going to go anywhere, right? Everybody knew that, but I owed somebody a favor… anyway, that’s the past, baby.

So as long as we’re catching up, I’ve got this new project going, growing plants. I hear you have a bit of a green thumb yourself?

Listen, I have to run for a bit, but maybe I can Twitter you sometime?


I couldn’t stay away. OpenBSD just offers so much: a highly-audited base operating system, and a well-organized setup that just makes sense for sysadmins and hackers alike. So when my new virtual machine lab at home needed a host for a low-interaction honeypot setup, I immediately realized that it provided the perfect setup.

And honestly, who doesn’t love an update process that involves recompiling the entire operating system — kernel and userland?!