Motivations
- When analyzing malware we often times need a safe environment to run it in, kind of a sandbox that even if it tries to damage the system it will occur in a sandbox.
- Usual requirements
- Windows and Linux VMs
- Set of preinstalled tools
- Usually FlareVM and Remnux are used
- For it to be secure it should be
- be isolated from the Internet
- allow Windows ↔ REMnux communication only
- be easy to reset to pristine state
- protect your host machine and network
Network setup
Adapter
- Configure all virtual machines to use a Host-Only Network Adapter.
- This allows VMs to communicate with each other while preventing direct access to the internet. DO NOT use
- Bridged adapter
- Wi-Fi passthrough
- USB network adapters attached directly to VM
- VPN inside VM
- shared physical NIC These configurations provide ways to connect to internet which increases the risk of malware communicating externally or infecting local network. Host only adapter doesn’t guarantee complete isolation. Malware can still escape through
- Hypervisor vulnerabilities
- Misconfigured host services
- Zero-days