
Surviving the Con… Or at least the day after…

So, like me, many of you are returning to your real-world jobs after a hard weekend of “con life”. As we settle back into our work weeks, many of us will take the time to reflect on our experiences: who we met, what we heard, and what we learned. Many of the things I am going to say may sound weird, may sound a little old, and may even sound completely off the wall.

The first rule is Cardio! Yes… you will walk your ass off. There is no other way to say it. The con is a never-ending sea of people, all moving to and from different talks. You will go upstairs, downstairs, sideways, and other ways… In the end it will be a blur.

Stay close to the Con! Not always a plus because of the price, but when you’re drunk at 3am trying to make your way back to your hotel room… it’s a huge bonus…

Know your limits… This is a big one. Each con is a little different. Some are one day, others last three days. Know when you are done. Get a nap. Eat something. Take a mental break. We meet so many new people and see so many new and exciting things that we often end up short-circuiting ourselves.

Participate!!! This is a huge one… The con will come and go, and the talks will happen. Some of the best talks I have ever experienced did not happen in the talk itself; they came after the talk. There are typically meetups after the con, and that is where the conversation flows freely. No format. No time limits… Listen… Ask questions… Share your ideas or thoughts.

Make a Friend!!! Not everyone at the con has been there before. If you see someone standing alone, strike up a conversation. You never know the history of the person you’re about to meet. Each year I am introduced to some very exciting people who are doing some very exciting things. For me the con is about meeting people… not just new people, but people I have communicated with over social platforms during the year who are not in the same area as I am.

But whatever reason you’re there, whatever you’re doing, and whoever you meet… remember it… Leave with a sense that you were part of something… that something happened…

See you at the next Con!!!

Digi…

Maybe it meant something. Maybe not, in the long run, but no explanation, no mix of words or music or memories can touch that sense of knowing that you were there and alive in that corner of time and the world. Whatever it meant. – Hunter S. Thompson, Fear and Loathing in Las Vegas

I'll have what she's having

Getting a malware lab installed is one thing, but configuring it to be useful is a whole undertaking in itself. One of the first problems we run into when setting up a proper lab environment is simulating the internet. Sure, a network will allow each computer to talk to another, but what about those pesky URLs? Who is going to do all the resolving? It can of course be simulated easily enough with scripts and custom applications, but let me tell you something: as a programmer for the last 20 years, the single most annoying thing to have to do is reinvent the wheel. That’s EXACTLY why they have frameworks for these types of things. That being said, to simulate the internet from 4chan to google, I am going to use a framework called INetSim. This collection of applications can emulate everything from IRC to basic HTTP.

To perform a quick run-time analysis of the network behavior of unknown malware samples, we were in need of a tool to simulate internet services which are commonly used by malware in our laboratory environment. We started off with a bunch of home-grown Perl scripts together with specially configured server service implementations like Apache, Postfix, dnsmasq and ntpd, but we were not happy with this because of a lot of disadvantages resulting from the combination of many programs (e.g. problems with correlation of log data).

While talking to other security analysts, we noticed that there is definitely a need for a comfortable single suite to simulate different internet services with common logging and centralized control functions. So we decided to start the project ‘INetSim’ to develop such a suite.

Nice piece of awesomeness, yes? OK, so now we have to prepare a VM for it to be installed on. Wait… you mean there are VM-ready versions of Linux that I can just download and run? Aye, there are, and it’s called TurnKey Linux. TurnKey Linux is great for just these types of projects; it can be downloaded and run in such a short time that all one really has to pay attention to is the configuration, which is really, really, really easy. Now, the version of Debian Linux that I prefer is Jessie, and unfortunately v14.0 of TurnKey Linux is in ISO format only. It’s OK though; soon it will be available in one of the many other formats that TurnKey Linux is known for, so just enjoy the ease of use and install your VM already.

Install TurnKey Linux

  • Memory 2GB
  • HDD 40GB
  • Network Adapter NAT (Will change to our Malware Lab Network after updates and software installs)
  • TurnKey Linux Core

So, once a VM is created and you fill in your specific details (I chose these settings because I wanted some wiggle room to add shared directory space, so it seemed like a good idea), it first asks you for a root password, then for the Hub services API key. I personally skip that since I back up my own stuff, but you’re free to do what you want. They also ask you to sign up for their security updates, but I’m anal about updates so no need to tell me! Same with the auto-install of security updates. After that you simply quit the configuration menu and are presented with a login prompt to your newly installed and updated TurnKey Linux box.

One of the reasons I like Debian so much is that they usually have some version of the software I am going to use in their repository. Now, whether it works is something completely different, but hey, at least they try. Knowing that most if not all of the dependencies I was going to need were in the Debian repo, it was time to add the INetSim repo and get this beast running!!

nano /etc/apt/sources.list.d/sources.list

and add the following line:

deb http://www.inetsim.org/debian binary/

You’re going to want to install the signing key too, so run wget and then update apt-get:

wget -O - http://www.inetsim.org/inetsim.org-archive-signing-key.asc | apt-key add -

apt-get update

If everything goes according to plan, you simply have to install INetSim now:

apt-get install inetsim

That gets her installed, but we need to edit some configuration files if we want her to purrrrr. The first thing is that since this box’s sole purpose is to fake the net, we need to ensure that she starts up on boot.

nano /etc/default/inetsim

That will open the configuration file; change ENABLED from 0 to 1.

The next thing we want to do is edit the actual main configuration file to enable services and set up our DNS.

nano /etc/inetsim/inetsim.conf

As you can see it has a lot of services turned on; I personally will leave them that way and simply play with our DNS. Our IP address is local, so I want to make sure we bind to it (192.168.197.133) instead of the default localhost.

Next we are going to uncomment dns_bind_port and dns_default_ip, changing the latter to your static IP.

There are tons of things to configure, and to go over each one would be crazy; the documentation is available and the config file is pretty well commented. So, after it’s been nicely configured the way I want her, it’s time to configure my malware test platforms to talk to her and test it out. If everything is working (and it should be, since the system is made to be easily configurable), you can type in www.foo.com and should get a nice simulated internet page.
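As an added example (not from the post or the INetSim project), here is a small Python helper that makes the three inetsim.conf edits described above on the file's text and parses the result back for checking. It assumes INetSim's option name for the bind address is service_bind_address (the post does not name the option) and uses the post's lab address 192.168.197.133; the sample config excerpt is constructed.

```python
import re
# Values from the post: the lab box's static IP, which INetSim should bind to
# and hand out in every DNS answer. Substitute your own.
LAB_IP = "192.168.197.133"
OPTIONS = {
    "service_bind_address": LAB_IP,  # bind to the lab IP instead of 127.0.0.1
    "dns_bind_port": "53",           # uncomment, keep the default port
    "dns_default_ip": LAB_IP,        # every name resolves to the simulator
}

# Constructed excerpt in the layout of /etc/inetsim/inetsim.conf.
SAMPLE_CONF = """\
start_service dns
start_service http
#service_bind_address\t10.10.10.1
# dns_bind_port
#dns_bind_port\t53
"""

def set_option(conf_text, key, value):
    """Return conf_text with exactly one live `key<TAB>value` line.
    Lines are `key value`; a leading '#' comments an option out. The first
    line carrying the key and a value (commented or not) is rewritten in
    place, later duplicates are dropped, and a missing key is appended."""
    pat = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s+\S")
    out, done = [], False
    for line in conf_text.splitlines():
        if pat.match(line):
            if not done:
                out.append(f"{key}\t{value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key}\t{value}")
    return "\n".join(out) + "\n"

def configure(conf_text, options=OPTIONS):
    for key, value in options.items():
        conf_text = set_option(conf_text, key, value)
    return conf_text

def live_options(conf_text):
    """Uncommented lines as {key: [values]}, for checking the result."""
    opts = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts
```

Run it against a copy of your real inetsim.conf before overwriting the original, and restart the service afterwards so the new bind address takes effect.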


In order to get the fix my ever-increasing thirst for knowledge calls for, I decided to add a malware lab to my development box. The development box is set up to run the tools of my trade, which include a web browser and Notepad++. Anyone developing PHP applications with more is spoiled. So here I have this box loaded with RAM and hard disk space which will never be touched if I continue at the rate I am going now. So I decided that I might as well add some functionality to it.

When considering what to put on this box (named foxtrot), I needed to know exactly what I needed out of him. I knew I wanted to be safe in my studies and that I wanted to analyze malware, so I needed to ensure I had not only the tools but the network setup. So my checklist started.

  • Must be on an isolated network.
  • Must simulate multiple Operating Systems.
  • Must be able to simulate Internet availability so that C&C calls and downloads can happen.
  • Must be able to start fresh once analysis is complete.

From that simple list I figured out that by simply installing a basic set of operating systems and some cool tools I could get EXACTLY what I needed. Here are my answers to the above needs.

Lab Setup

The idea behind this setup is simple in theory. I wanted a full network that included both Windows and Linux environments, but I had to keep them on an isolated network. That being said, I also had to have the ability to monitor network traffic and have isolated space to host my tools. I decided that both the Remnux box and the extra Windows 8 box would be just that. Both could be connected to or disconnected from the network as needed, and together they allowed me to host all the tools I would need in a very safe manner.

Setup / Install

First things first: I need to isolate a network. For my virtual manager I am using Workstation 12 Pro; however, just about any VM product will do as long as you follow the basics of isolation! Since I am using VMware Workstation, I will use screenshots of that.

So once you open the Virtual Network Editor, you can create a new, safe network to connect your VMs to. If you see that the Add Network option is greyed out, make sure you’re running VMware as administrator; it needs that permission to create new networks. Click on Add Network and choose an available network (in my case I chose VMnet5), fill out the settings you want and click OK. A bunch of stuff will happen, so be patient and the install will go fine. As you can see it’s a pretty normal network, nothing special about it.

Ensure you have Host-only selected, the local DHCP on, and the virtual adapter connected. The subnet and mask are up to you to choose, but ultimately they will depend on just how big a virtual network you want to have. Once done, it’s time to install the operating systems. Keep in mind that NONE of the systems that you plan to have infected should have the guest tools installed; this limits the chances of your VM being discovered by the malware you’re studying (this check is actually becoming less common since so many people now run an operating system in a virtual machine, so yay!), and it’s always best to be safe. When installing your operating system, always make sure that you change the Network Adapter settings to Custom and choose your newly made Host-only network. We don’t want these machines all that updated. If you DO want to upgrade, you can always upgrade first and then switch networks, but it’s not something I would recommend. The more vulnerable your VM boxes, the better the chance the malware or virus will stick.

Once all your operating systems are installed, it’s time to move on to installing all the tools. You’re going to want to keep your two analysis boxes up to date, since you wouldn’t want anything to get hold of them, and you’re going to want to make sure you have decent firewalls installed. Once done, you can spin up your network, ensure they can all talk to each other, and then take snapshots to ensure that after each infection you can just revert back to a clean system. Now just sit back, infect a machine and begin your knowledge quest. Never stop learning!
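As an added example (not from the post or from VMware), a Python audit that reads the .vmx file of each victim VM and flags anything that breaks the isolation rules above: an adapter that is not on the custom host-only network (VMnet5 in the post) or shared folders left enabled. It assumes the .vmx keys ethernet<N>.connectionType, ethernet<N>.vnet and sharedFolder0.present as VMware Workstation writes them, treats an adapter with no connectionType as bridged, and uses two constructed .vmx excerpts as input.

```python
import re

# Host-only network created in the Virtual Network Editor (VMnet5 in the post).
LAB_VNET = "VMnet5"

# Constructed .vmx excerpts: a correctly isolated victim and a leaky one.
GOOD_VMX = '''\
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet5"
sharedFolder0.present = "FALSE"
'''
LEAKY_VMX = '''\
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "VMnet5"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\lab\\share"
'''

def parse_vmx(text):
    """Parse `key = "value"` lines into a dict; .vmx keys are case-insensitive."""
    vmx = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            vmx[m.group(1).lower()] = m.group(2)
    return vmx

def isolation_findings(text):
    """List every way a victim VM strays from the post's isolation rules."""
    vmx = parse_vmx(text)
    findings = []
    nics = sorted({k.split(".")[0] for k in vmx if re.match(r"ethernet\d+\.", k)})
    for nic in nics:
        if vmx.get(f"{nic}.present", "true").lower() != "true":
            continue
        # Assumption: an adapter with no connectionType behaves as bridged.
        ctype = vmx.get(f"{nic}.connectiontype", "bridged").lower()
        vnet = vmx.get(f"{nic}.vnet", "")  # "VMnet5" on Windows, "/dev/vmnet5" on Linux
        on_lab_net = ctype == "custom" and vnet.lower().endswith(LAB_VNET.lower())
        if not on_lab_net:
            findings.append(f"{nic}: '{ctype}' adapter is not on the {LAB_VNET} host-only lab network")
    if vmx.get("sharedfolder0.present", "false").lower() == "true":
        findings.append("sharedFolder0 is enabled: a guest-to-host file path the sample could reach")
    return findings

if __name__ == "__main__":
    for name, text in (("good", GOOD_VMX), ("leaky", LEAKY_VMX)):
        print(name, isolation_findings(text) or "isolated")
```

Point it at the .vmx files under your lab directory before each detonation; a VM that has drifted back onto NAT after a settings change is exactly the kind of mistake that is hard to spot in the GUI.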
