OFFICIAL SECURITY BLOG
April 27, 2012 | BY Adam Kujawa
Security Level: Medium
Purpose: To hide who you are while performing research through your browser and to protect your host system from drive-by download attacks.
What you’ll need:
So you came across a few really suspicious links during your anonymous research, and you want to click them in a safe environment, so you would use your analysis VM. You could use the Tor Browser again; however, you want to be even more secure, with no chance of anyone tracing you.
What are we doing?
We are going to connect our virtual analysis system to the JanusVM using a VPN (Virtual Private Network) connection and gain full anonymity and security while still protecting our host system.
Q. How does JanusVM work?
A. JanusVM is powered by VMware, built on the Linux 2.6.14 kernel, and brings together openVPN, Squid, Privoxy, and Tor to give you a transparent layer of security and privacy that is compatible with all your TCP based applications. DNS requests are also passed through Tor, so even your ISP doesn’t know what web site you are looking at. All your web traffic is passed through Squid and Privoxy to filter out unwanted internet junk and prevent your web browser from leaking information about your computer system.
You can read this again at www.janusVM.com.
Q. What is a Virtual Private Network (VPN)?
A. A Virtual Private Network or VPN is a secure network that is usually used to connect a remote user to a local network through a public telecommunications infrastructure, such as the internet. Most of the time, the connection from one end to the other requires authentication and various types of encryption to make the connection secure; for this reason it is difficult to monitor or “sniff” the traffic.
Here is another fun graphic from Wikipedia!
As you can see from the diagram, the various offices and the remote users are connecting through the VPN over the internet, so that it appears to the user as if they are on the local network at the office itself. Check out this site for more info on VPNs:
Q. What is a Virtual Environment, Virtual Machine (VM)?
A. Honestly, if you are not sure what a VM is, you might not want to be looking at this part of the tutorial. However, since I am such a great guy, I will explain it to you. A Virtual Machine is a “computer inside of a computer”. For example, using a virtual environment application like VMware, I can have my base system or “host” system be Windows 7. Then I can install Ubuntu inside of VMware, and now I have an operating system running inside of an application on my operating system. The virtual machine is completely separate from the host system and is usually referred to as the “guest” operating system. VMware takes care of all the hardware drivers and other essential system components that an actual physical system would have. Here is a visual of what this looks like:
For my purposes, I use a virtual machine to perform malware analysis because I can execute malware inside of the virtual machine without any fear that it can break out of the virtual environment application and infect my host system. Another benefit of using a VM is “snapshots”, which allow you to capture the operating system in a certain state and later revert to that state if you no longer want any of the modifications you have made to the operating system. In terms of malware analysis, I would have a “clean” state for my VM, and after running malware and analyzing it, I can revert to that clean state and it would be like I never ran the malware at all. So to finish this up, we are using a virtual machine to perform open source research on malware authors and distributors because the possibility exists that if we used our host systems, they would be infected by malware, which is something we really don’t want to happen. If we get infected through the VM, we can just revert to a clean state again. Check out these sites for more information on VMs:
Q. Is there a video on how to setup the JanusVM VPN?
A. There sure is! The Janus people made it themselves! You can download it from their website or watch it on YouTube, here is the link:
By employing virtual machines and using JanusVM to make your connection anonymous and secure, there should be no site on the internet which you should be afraid of going to. However, there are some drawbacks to using this method rather than the next one we will discuss. For example, when performing malware analysis you will want to anonymize your traffic while at the same time observing what kind of traffic the malware is sending and receiving. If you are connected to a VPN on your analysis system, you won’t see anything but encrypted traffic moving through the VPN! The next section solves that problem, though it does require a little bit of technical know-how.
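Once the analysis VM is connected to JanusVM, the thing to confirm before clicking anything is that all traffic and all DNS lookups actually leave through the tunnel, since a default route or a nameserver that still points at the regular LAN defeats the whole setup. The following is an added example, not code from the original post or from the JanusVM project: it reads the text form of a Linux guest's `ip route` output and `/etc/resolv.conf` (a Linux analysis VM is assumed; JanusVM's own guide targets Windows guests) and lists anything that would bypass the tunnel. The interface name `tun0`, the tunnel network `10.8.0.0/24`, the host-only LAN `192.168.56.0/24` and both sample routing tables are constructed assumptions, not values from the post.

```python
"""Offline tunnel/DNS leak check for an analysis VM (added example, not from the post)."""
import ipaddress
import re

# Constructed sample: routing table after the VPN to JanusVM came up correctly.
# 10.8.0.0/24 is the assumed tunnel network, 192.168.56.0/24 the assumed host-only
# LAN that the analysis VM shares with the JanusVM guest.
SAMPLE_ROUTES_OK = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.10
"""

# Constructed sample: tunnel is up, but the default route still leaves via eth0,
# so everything except the tunnel subnet itself bypasses JanusVM.
SAMPLE_ROUTES_LEAK = """\
default via 192.168.56.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.10
"""

# Constructed resolv.conf contents: only the tunnel-side resolver vs. an extra public one.
SAMPLE_RESOLV_OK = "nameserver 10.8.0.1\n"
SAMPLE_RESOLV_LEAK = "nameserver 10.8.0.1\nnameserver 8.8.8.8\n"

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Turn `ip route` lines into dicts with a network destination, gateway and device."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not route entries
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0") if dst == "default" else ipaddress.ip_network(dst, strict=False)
        routes.append({"dst": net, "gw": m.group("gw"), "dev": m.group("dev")})
    return routes


def parse_nameservers(text):
    """Collect the nameserver addresses from resolv.conf text."""
    return [line.split()[1] for line in text.splitlines() if line.startswith("nameserver")]


def tunnel_findings(route_text, resolv_text, tunnel_dev="tun0",
                    vpn_net="10.8.0.0/24", lan_net="192.168.56.0/24"):
    """Return a list of problems; an empty list means routing and DNS both use the tunnel."""
    vpn = ipaddress.ip_network(vpn_net)
    lan = ipaddress.ip_network(lan_net)
    problems = []
    routes = parse_routes(route_text)

    default = [r for r in routes if r["dst"].prefixlen == 0]
    if not default:
        problems.append("no default route")
    elif default[0]["dev"] != tunnel_dev:
        problems.append(f"default route leaves via {default[0]['dev']}, not {tunnel_dev}")

    # Any non-default route that does not use the tunnel and is not the LAN
    # carrying the tunnel itself is a path around JanusVM.
    for r in routes:
        if r["dev"] != tunnel_dev and r["dst"].prefixlen > 0 and not r["dst"].subnet_of(lan):
            problems.append(f"route {r['dst']} bypasses the tunnel via {r['dev']}")

    # A resolver outside the tunnel network answers DNS in the clear to the ISP.
    for ns in parse_nameservers(resolv_text):
        if ipaddress.ip_address(ns) not in vpn:
            problems.append(f"nameserver {ns} is outside the tunnel network (DNS leak)")
    return problems


if __name__ == "__main__":
    for label, routes, resolv in (("ok", SAMPLE_ROUTES_OK, SAMPLE_RESOLV_OK),
                                  ("leak", SAMPLE_ROUTES_LEAK, SAMPLE_RESOLV_LEAK)):
        print(label, tunnel_findings(routes, resolv) or "all traffic goes through the tunnel")
```

On a real guest, feed it the output of `ip route` and the contents of `/etc/resolv.conf`; adjust the tunnel device and subnets to whatever the JanusVM connection hands out. An empty result is the condition to look for before opening any of the suspicious links.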