Malware Virtual Test Environment: Fail-secure network isolation and VPN routing

There are many reasons you might need to isolate a PC or operating system from a local network. For example, I often work on live malware and ransomware samples and want to minimise the risk to the rest of my network.

Many types of malware (ransomware, for example) actively attack other devices on the local network, so a live sample can compromise your internal network. It is essential that you protect yourself from the increased risk that an active infection inside your network brings.

Malware will also try to communicate with command and control (C2) servers. This traffic can carry all sorts of data and, because it leaves from your local network, it also reveals your real-world IP address to the people running those servers. Not such a good idea when dealing with malicious actors.

Fail-secure network isolation and routing

When I do any sort of malware research or network shenanigans, I make sure I’m configured so my home and office networks are not accessible from my testing machines. Christophe Tafani-Dereeper wrote an excellent blog post with detailed instructions on the subject.

To protect my identity from malicious C2 servers, I add an extra layer of protection: an anonymising VPN provider combined with a fail-secure firewall configuration. This means that if the VPN disconnects, the test network drops too, and my test machines don’t keep spraying traffic out through my regular internet connection.

The best way to accomplish this isolation is to route all traffic from the test network through an intermediate router. For example, a Linux box can be configured so that the simulated network’s only path out is the VPN tunnel. Consequently, if the VPN tunnel goes down, the firewall blocks all traffic to and from the ‘hidden’ machines.

Diagram: routing a virtual machine through a Linux router to direct all internal traffic over an anonymising VPN

Virtual machines and network connections

The easiest way to get multiple machines up and running quickly is to use a virtual environment. I find Oracle VirtualBox perfectly fine for this purpose.

The basic configuration runs two virtual machines: a routing and analysis VM running Kali Linux with two network interfaces, and the isolated test machine, which connects to the ‘world’ only through the Kali instance.

Addressing, OpenVPN and iptables rules

The magic of network isolation is accomplished on the Kali machine:

  1. The NAT adapter (eth0) is allowed to see the world through VirtualBox’s default NAT configuration; the internal-network adapter (eth1) is given a static IP address on a different subnet.
  2. An OpenVPN link is established on the Kali VM. This starts a new tunnel network interface (tun0)
  3. The ‘hidden’ computer has an ‘internal only’ network adapter.
  4. The ‘internal only’ network has an IP address on the same subnet as the eth1 interface on the Kali VM.
  5. iptables firewall rules are configured to masquerade traffic on the tun0 interface, and allow data between eth1 and tun0 (the isolated machine and the tunnel).
  6. Finally, the rules drop packets from eth1 to anywhere else to stop the isolated machine seeing local resources.
iptables firewall rules that limit connectivity of the internal eth1 interface (run as root on the Kali VM; IP forwarding must be enabled first with sysctl -w net.ipv4.ip_forward=1, and these rules do not persist across a reboot):

# NAT everything that leaves through the tunnel (and only the tunnel)
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# replies from the tunnel back to the isolated machine
iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# packets from the NAT side towards the isolated machine (replies from eth1
# back to eth0 are dropped by the next rule, so this permits one-way traffic only)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# the fail-secure rule: anything from eth1 not heading into tun0 is dropped,
# which is what stops leaks via eth0 when the tunnel is down
iptables -A FORWARD -i eth1 ! -o tun0 -j DROP
# never forward tunnel traffic onto the local network side
iptables -A FORWARD -i tun0 -o eth0 -j DROP

Note that eth1 to tun0 traffic is not matched by any rule above; it is forwarded only because the FORWARD chain’s default policy is ACCEPT. Check that the policy has not been changed to DROP, or add an explicit ACCEPT for -i eth1 -o tun0.
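The rule set above relies on the FORWARD chain’s default ACCEPT policy, so a flushed table or a missing rule fails open. The script below is an added example, not the post’s own configuration: it turns the same six-step design into a fail-closed variant with a DROP policy, explicit accepts, a rate-limited log of leak attempts, and a locked-down INPUT chain so the router itself is not an easy target. Interface names follow the post (eth0, eth1, tun0); the lab subnet 10.66.0.0/24 and the script’s variable names are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's rule set: a fail-closed version of the
# Kali router firewall. Interface names follow the post (eth0 = VirtualBox NAT,
# eth1 = internal-only network, tun0 = OpenVPN). The lab subnet 10.66.0.0/24
# is an assumption; adjust it to whatever eth1 and the test machine use.
# Usage:  sh fail-secure-router.sh apply      (as root on the Kali VM)
#         sh fail-secure-router.sh dry-run    (print the commands only)

WAN_IF="${WAN_IF:-eth0}"            # reaches the real network; must never carry lab traffic
LAB_IF="${LAB_IF:-eth1}"            # the isolated test machine lives behind this
VPN_IF="${VPN_IF:-tun0}"            # OpenVPN tunnel; the only permitted exit
LAB_NET="${LAB_NET:-10.66.0.0/24}"  # assumed lab subnet
IPT="${IPT:-iptables}"
IPT6="${IPT6:-ip6tables}"
SYSCTL="${SYSCTL:-sysctl}"

apply_rules() {
    # Forwarding must be on, or the router silently drops everything (secure,
    # but not useful).
    $SYSCTL -w net.ipv4.ip_forward=1

    # IPv6 is never forwarded: a stray v6 route would bypass the v4 tunnel.
    $IPT6 -P FORWARD DROP

    # Clean slate for the chains this script owns.
    $IPT -F FORWARD
    $IPT -F INPUT
    $IPT -t nat -F POSTROUTING

    # Fail closed. The chain policy survives an "iptables -F", so a flushed or
    # half-applied rule set still leaves the lab cut off instead of exposed.
    $IPT -P FORWARD DROP

    # NAT only onto the tunnel, and only for the lab subnet.
    $IPT -t nat -A POSTROUTING -s "$LAB_NET" -o "$VPN_IF" -j MASQUERADE

    # Lab -> tunnel is the one permitted direction for new connections.
    $IPT -A FORWARD -i "$LAB_IF" -s "$LAB_NET" -o "$VPN_IF" -j ACCEPT
    # Tunnel -> lab: replies to those connections only.
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAB_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Anything the lab aims at the real network is dropped by the policy; log it
    # (rate-limited) so a VPN drop or a scanning sample shows up in the journal.
    $IPT -A FORWARD -i "$LAB_IF" -o "$WAN_IF" -m limit --limit 10/min -j LOG --log-prefix "lab-leak: "

    # The router is inside the blast radius too: the lab may only talk to
    # services the router deliberately exposes. Add ACCEPT lines here for,
    # e.g., a transparent mitmproxy port; the lab's DNS should go through the tunnel.
    $IPT -A INPUT -i "$LAB_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$LAB_IF" -j DROP
}

# Print the commands instead of running them (dry-run and offline testing).
dry_run() (
    IPT="echo iptables"; IPT6="echo ip6tables"; SYSCTL="echo sysctl"
    apply_rules
)

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) dry_run ;;
esac
```

Run it with dry-run first and read the output; the thing to confirm is that eth0 appears only in the LOG rule, never in an ACCEPT or MASQUERADE. As with the original rules, nothing here is persistent: re-run it (or hook it into your VPN start-up) after a reboot.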

Bonus capabilities

Because you have a Kali Linux box between your isolated environment and the rest of the world, you are perfectly positioned to sniff traffic (tcpdump on eth1 sees everything the test machine sends), route data over Tor, or inspect TLS connections with mitmproxy (once its CA certificate is installed on the test machine).

What success looks like

Screenshot: a successfully isolated machine showing ping results and its apparent IP address. When correctly routed, the isolated machine can ping the world but not any local network IP address, and its apparent ‘real-world’ IP address belongs to the VPN service provider.

With the correct configuration you should be able to ping the ‘world’ from your isolated machine, but not any local network resource. The local network is safe, the bad guys can’t see your real-world IP address, and dropping the VPN link also drops the link to the world.
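The three conditions above are worth scripting so they are re-checked every time the environment is reset, and before a sample is run. The check below is an added example, not the post’s own script; it runs on the isolated test machine, not on the Kali router. Every address in it is an assumption (the LAN hosts, the Internet host, the TEST-NET-3 placeholder for your real public IP) and ifconfig.me is an assumed ‘what is my IP’ service; the ping and lookup commands are variables so the logic can also be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: an isolation check to run on the
# ISOLATED test machine before loading a sample. It encodes the three success
# conditions: LAN unreachable, Internet reachable, public IP not your own.
# Every address below is an assumption; set them for your own network.
# ifconfig.me is an assumed lookup service; any "what is my IP" endpoint works.

LAN_HOSTS="${LAN_HOSTS:-192.168.1.1 192.168.1.20}"   # home/office addresses that must NOT answer
WORLD_HOST="${WORLD_HOST:-1.1.1.1}"                    # something on the Internet that should answer
HOME_IP="${HOME_IP:-203.0.113.7}"                      # your real-world address (TEST-NET-3 placeholder)
PING="${PING:-ping -c 1 -W 2}"                         # overridable so the logic can be tested offline
PUBLIC_IP_CMD="${PUBLIC_IP_CMD:-curl -s https://ifconfig.me}"

reachable() { $PING "$1" >/dev/null 2>&1; }

# Prints one line per check; returns 0 only if the isolation holds.
check_isolation() {
    failed=0
    for h in $LAN_HOSTS; do
        if reachable "$h"; then
            echo "FAIL: LAN host $h answers: the isolated machine can see your network"
            failed=1
        else
            echo "ok:   LAN host $h unreachable"
        fi
    done

    if reachable "$WORLD_HOST"; then
        echo "ok:   Internet reachable via $WORLD_HOST"
    else
        # With the VPN down this is the expected fail-secure state, not a leak,
        # but the environment is not ready for use either way.
        echo "FAIL: Internet unreachable (VPN down? that is fail-secure, but not usable)"
        failed=1
    fi

    ip="$($PUBLIC_IP_CMD 2>/dev/null)"
    if [ -z "$ip" ]; then
        echo "FAIL: could not determine the apparent public IP"
        failed=1
    elif [ "$ip" = "$HOME_IP" ]; then
        echo "FAIL: apparent public IP $ip is your real address: traffic is not going through the VPN"
        failed=1
    else
        echo "ok:   apparent public IP is $ip (should belong to the VPN provider)"
    fi
    return $failed
}

case "${1:-}" in
    check) check_isolation ;;
esac
```

Run it as `sh isolation-check.sh check` on the test machine. A useful second pass is to stop OpenVPN on the Kali VM and run it again: the LAN checks must still pass, the Internet check must fail, and the public IP must not turn into your own address. If it does, traffic is escaping via eth0 and the firewall rules on the router are not doing their job.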



What is ransomware and how to protect your precious files from it

Zubair Baig, Edith Cowan University and Nikolai Hampton, Edith Cowan University

What would it mean if you lost all of your personal documents, such as your family photos, research or business records? How much would you pay to get them back? There’s a burgeoning form of cybercrime that hinges on the answers to these questions.

You have probably heard of viruses and malware. These dangerous pieces of software can make their way into your computer and wreak havoc. Malware authors are intent on stealing your data and disrupting the proper functioning of your digital devices.

Then there is ransomware. This is crafted by cyber-criminals to extort money from innocent users by holding their data hostage, and is rapidly becoming a threat to individuals, small businesses and corporate users alike.

Unlike data-stealing malware, ransomware does not steal data. Rather, it holds it captive by encrypting files and then displaying a ransom note on the victim’s screen.

Ransomware Brief – Evolution and The Future

Ransomware is profitable! The bad guys are achieving investment returns over 1500% with very low risk. With the right connections, anyone can acquire ransomware as a service; they could buy some ransomware and pay to spread it to users around the world.

What is ransomware?

Ransomware is a type of malware that infects your computer, blocks access to your personal data and demands a ransom payment to unlock your files. It’s also quite successful; imagine losing your data, documents, family photos or life’s work. How much would you have lost? How much would you pay?