Malware Lab: VM Setup and AWS EC2

From Embedded Lab Vienna for IoT & Security
Revision as of 17:49, 12 March 2024 by Ikramer (talk | contribs)

The prerequisites for this guide are two virtual machine instances running on your hypervisor: a Flare VM and a Remnux VM.

The idea of this lab setup is to be able to detonate live malware on the Flare VM while using the Remnux VM to observe network traffic. It is also important to make sure the network is isolated from the host system. How this is accomplished varies depending on the virtualization software you are using, but in any case you must create a new virtual internal network and place both virtual machines inside it. Make sure it is a Host-Only network (VirtualBox). Note that you will not have internet access within that network, so if you need to download any tools, you may need to temporarily move the VMs to a NAT network, download the tools, and then move them back to the Host-Only network.

In the Remnux VM, we will run inetsim to simulate network services such as DNS. Inetsim can generally impersonate any kind of network service, but we will be using it for DNS.

Configure Inetsim to impersonate DNS

To configure Inetsim to impersonate DNS, follow these steps:

  1. Open a terminal in the Remnux VM.

  2. Install Inetsim using the following command in case it is not already installed:

     sudo apt-get install inetsim

  3. Open the Inetsim configuration file using the following command:

     sudo nano /etc/inetsim/inetsim.conf

  4. Find the line #start_service dns in the configuration file and remove the comment character (#) from the beginning of the line.

  5. Find the line service_bind_address in the configuration file and set the IP address to 0.0.0.0.

  6. Find the line #dns_default_ip, remove the comment character (#) from the beginning of the line, and set the IP address to the IP address of the Remnux VM.

  7. Save the configuration file and exit the text editor.

  8. Start the Inetsim service using the following command:

     sudo systemctl restart inetsim
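As an added example (not part of the original wiki page), the following POSIX shell functions apply the three inetsim.conf edits from steps 4 to 6 with sed and then check that all three settings are active and uncommented, which is also a quick configuration-level check for the "Testing the lab environment" section. The Remnux IP is passed as the first argument; the configuration path defaults to /etc/inetsim/inetsim.conf, and the sample configuration excerpt is constructed here for demonstration.

```shell
#!/bin/sh
# Added example, not taken from the original page. Assumes the stock
# "key value" line format of inetsim.conf.

# Constructed excerpt that mimics the layout of a stock inetsim.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
#start_service dns
#start_service http
service_bind_address 127.0.0.1
#dns_default_ip 10.10.10.1
EOF
}

# Apply the DNS impersonation settings to the config file (idempotent).
configure_inetsim_dns() {
    remnux_ip="$1"
    conf="${2:-/etc/inetsim/inetsim.conf}"
    # 1) uncomment "start_service dns" (other services stay as they are)
    # 2) bind to all interfaces so the Flare VM can reach the service
    # 3) answer every DNS query with the Remnux VM's own address
    sed -e 's/^#[[:space:]]*start_service[[:space:]]\{1,\}dns[[:space:]]*$/start_service dns/' \
        -e 's/^#\{0,1\}[[:space:]]*service_bind_address[[:space:]]\{1,\}.*/service_bind_address 0.0.0.0/' \
        -e "s/^#\{0,1\}[[:space:]]*dns_default_ip[[:space:]]\{1,\}.*/dns_default_ip $remnux_ip/" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 only when all three settings are present and not commented out.
check_inetsim_dns() {
    remnux_ip="$1"
    conf="${2:-/etc/inetsim/inetsim.conf}"
    grep -Eq '^start_service[[:space:]]+dns[[:space:]]*$' "$conf" &&
    grep -Eq '^service_bind_address[[:space:]]+0\.0\.0\.0[[:space:]]*$' "$conf" &&
    grep -Eq "^dns_default_ip[[:space:]]+$remnux_ip[[:space:]]*$" "$conf"
}
```

Run it on the Remnux VM as root with the VM's IP, for example `configure_inetsim_dns 10.0.0.5 && check_inetsim_dns 10.0.0.5 && echo ok`, then restart the service as in step 8.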

Prepare the Flare VM instance

In the Flare VM, we will detonate the malware samples and observe the network traffic using Wireshark.

Configure Flare VM to use the Remnux VM as the DNS server

To configure Flare VM to use the Remnux VM as the DNS server, follow these steps:

  1. Search for Ethernet settings in the Windows search bar and click on “Change adapter options”.
  2. Click on the network connection and then click on “Properties”.
  3. Select “Internet Protocol Version 4 (TCP/IPv4)” and click on “Properties”.
  4. Set the DNS server to the IP address of the Remnux VM.
  5. Click “OK” to save the settings.

Testing the lab environment

To test the lab environment, follow these steps:

  1. Test ping connectivity between the two VMs.

  2. Run the following command to check if the DNS server is set correctly:

     nslookup google.com

     The output should show the IP address of the Remnux VM as the DNS server.

  3. Run the following command to check if the network traffic is being captured by the Remnux VM:

     ping google.com

     Open Wireshark in the Remnux VM and check if the network traffic is being captured.

  4. Download a malware sample to the Flare VM and detonate it.

  5. Observe the network traffic in Wireshark in the Remnux VM to see if the malware is making any network connections.

IMPORTANT: Once you have it all set up, take a snapshot of the VMs. This way, you can restore the VMs to their original state after running malware samples. This can save you a lot of time and effort in the long run, as you won’t have to reinstall the VMs every time you run a malware sample.

Automated Deployment of the Lab Environment in the Cloud

If you don’t want to host the lab on your own machine, you can deploy the malware lab on Amazon Web Services (AWS) instead. As shown later in this article, the deployment can also be automated using an Infrastructure-as-Code (IaC) approach with Terraform.

Prerequisites

Before you begin, you will need to have the following:

  • An AWS account
  • Terraform installed on your local machine (or use Windows Subsystem for Linux (WSL) if you are using Windows)

First, we need to manually recreate the Flare VM on AWS. On AWS, FlareVM is best installed on a base Windows Server image. Be sure to allocate enough storage space for the VMs, especially for the Flare VM. For external access, you will need to use RDP to connect to the Flare VM, so you might need to explicitly allow RDP access in the instance's security group (ideally restricted to your own public IP rather than any IP). AWS allows you to download an RDP file to connect to the Flare VM. AWS automatically sets a password on the Windows Server, which you can retrieve by decrypting it with the key pair you created when you launched the instance. Once you have the password, you can connect to the Flare VM using the RDP file.

Once connected to the Flare VM remote desktop, you need to go through the same steps as you would on a local machine to set up the Flare VM. Just use the provided scripts to install the tools and set up the environment.

After setting up Flare VM, you can use AWS to create an AMI (Amazon Machine Image) of the Flare VM. This will allow you to launch new instances of the Flare VM without having to go through the setup process again:

  • Select the AWS instance of the Flare VM in the AWS Management Console.
  • Click on “Actions” and then “Image and templates” and then “Create image”.
  • Give the image a name and description and click “Create image”.

To later be able to launch instances of the AMI using Terraform, you will need to create a new IAM user in AWS with EC2 permissions:

  • Go to the AWS Management Console and search for “IAM”.
  • Click on “Users” and then “Add user”.
  • Groups: Create a new group and give it a name (e.g. EC-full-access). Under Permissions Policies, select “AmazonEC2FullAccess”.
  • Add the user to the group and continue.
  • Create a Command-Line Interface (CLI) access key and secret key for the user.

Now, you can continue with the Terraform deployment. For this, switch over to WSL or a Linux machine, as Terraform is not officially supported on Windows.

Update the package index and install Terraform, jq and the AWS CLI using the following commands:

sudo apt-get update
sudo apt install jq
sudo apt install awscli
# Installation instructions for Terraform can be found here: https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli

Configure the AWS IAM user using the following command:

aws configure

Enter the access key, secret key, region (use the specific AWS region your node is deployed in) and output format when prompted.

Create a new directory for the Terraform configuration files and navigate to it:

mkdir malware-lab
cd malware-lab

For the Terraform configuration, there is a very useful Git repository that contains a Terraform template for deploying a malware lab on AWS. You can clone the repository using the following command:

git clone https://github.com/adanalvarez/AWS-malware-lab.git

It contains a base version of the Terraform configuration for deploying the malware lab on AWS. To specify further details for your deployment, you need to create a new file called “terraform.tfvars” in the malware-lab directory and specify the following variables (a .tfvars file uses HCL syntax, not JSON; replace the AMI id and account number with your own values):

environment      = "malware-lab"
ami              = "ami-xxxxxxxxxxxxxxxxx"
account          = "222222222222"
region           = "eu-west-1"
enable_guacamole = false
enable_inetsim   = true

Here, Guacamole is used to provide remote access to the Flare VM, and Inetsim is used to simulate network services. If you want to enable these features, set the “enable_guacamole” and “enable_inetsim” variables to “true”.

Now, you must check which version of Terraform is installed on your machine. You can do this using the following command:

terraform -v

Then, open the main.tf file in the malware-lab directory and change the Terraform version to the version installed on your machine.

In the instances.tf file, you need to change the following:

  • In the Linux instance for Inetsim, change the AMI id to a corresponding AMI id for Ubuntu Server 20.04 LTS.

Under network.tf, you also need to change the availability zone to the availability zone of your AWS instance.

Now, you can initialize the Terraform configuration using the following command:

terraform init

Then, you can deploy the malware lab using the following command:

terraform apply

This will deploy the malware lab on AWS. Once the deployment is complete, you can access the Flare VM using the RDP file provided by AWS. You can also access the Remnux VM using SSH.

The Terraform output will provide you with the public IP address of the Flare VM. Just like before, you can connect to the EC2 instance via RDP.

To destroy the malware lab, you can use the following command:

terraform destroy

This will destroy all the resources created by Terraform.

Conclusion

In this guide, we have set up a malware lab environment using two virtual machines: Flare VM and Remnux. We have configured Inetsim to impersonate DNS on the Remnux VM and set up the Flare VM to use the Remnux VM as the DNS server. We have also tested the lab environment by observing network traffic using Wireshark. Finally, we have automated the deployment of the lab environment on AWS using Terraform. This lab environment can be used to safely detonate live malware samples and observe their network behavior.