Security Level: High / Hardcore
Purpose: To hide who you are while performing research through your browser AND to protect your host system from drive-by download attacks AND to be able to perform dynamic malware analysis and capture malicious traffic moving between the malware and the C&C. (Whew, that’s a lot of ANDs. =D)
Pros:
- Hide your IP
- Protect the host system by running in a virtual environment
- Execute malware in a safe environment with traffic capture
- One-time setup, no Windows VPN necessary
- Ability to revert to snapshots and restart the system without losing anonymity.
Cons:
- It’s downright difficult to set up if you are not familiar with the technology
- Needs more things to start with than the previous solutions.
- Requires occasional VPN re-initialization / DHCP re-connection
What you’ll need:
- VMware Player – https://www.vmware.com/products/player/
- JanusVM – http://janusvm.com/
- Another virtualization application (VMware / VirtualBox / etc.)
- An operating system to run on said virtualization application
- Note: If you are already a malware researcher, chances are you are already running some kind of virtual environment for analysis, etc.
- A Linux virtual environment
- Your Linux system will need the following utilities:
- Note: You can use whatever you want, but in this tutorial I use a specific VMware image of Mint Linux; it is available free here:
WARNING: The information included in this tutorial could be used for malicious purposes in the wrong hands, please expect to be yelled at by people who think you are a bad guy if you start talking about this or asking questions. Also, please use responsibly.
Hello everyone! Today I am going to give a detailed tutorial on how to make the traffic originating from your Analysis VM completely anonymous! I spent a lot of time searching the nets for comprehensive explanations on how to accomplish this goal for the novice Linux user with non-expert level knowledge of networking; unfortunately I found nothing but little bits and pieces here and there so I decided to compile it all in one neat tutorial!
First things first though, I need to tell you why it is so important to keep yourself anonymous when dealing with malware and in general when performing research. Here are a few reasons:
- So you don’t get blocked – When performing malware analysis, testing out new malware on live systems and generally being a pain in the ass for malware controllers, you might get noticed. The easiest way to stop your snooping is to block your IP and either pass it around to your buddies or use it for your next fun DIY botnet project! Think of it this way: we as malware researchers have so many lists of which domains are hosting malware, don’t you think the bad guys might have a similar one of IPs of especially annoying researchers?
- So the bad guys can’t kill your network – There is a possibility that if you piss off the bad guys enough they will send their botnets to DDoS your ISP. OMG! Then you’re screwed and so is everyone else who uses your ISP, at least until it’s fixed =/
- So the bad guys can’t find you – While it seems silly that your IP might be singled out as a sure sign that the bad guys are being watched, it might happen. If it did, the more extreme measure for the bad guys to take would be to do whatever they could to track you down and either try to ruin your life or scare you enough to back off.
I think those are enough reasons to make you crap your pants every time you decide to poke around at a known C&C (Command and Control) server without hiding yourself. ^_^
This tutorial is split into sections! (YAY!) The sections are:
Each section gives a tutorial, tips and technical explanations of ways to make your traffic anonymous at various levels, meaning how hardcore and secure do you want to be?
NOTE: None of these methods are capable of anonymizing UDP packets, only TCP. Sorry =/