Creating a Secure Tor Environment

As we all know, there are ways that your real IP can be leaked when using tor (JavaScript, Flash, malware and software errors). In this tutorial I’m going to show how to create a fairly secure tor environment using VMware, which will prevent any IP leaks. The environment can be used for general browsing and malware research.

The first thing you’re going to need to do is install VMware Workstation (VMware Player may also work), then install your favorite Windows OS.

As you can see, I’m using Windows 8 because it’s a great OS with a totally decent user interface which wasn’t designed by Fisher Price.

The following instructions are to be carried out on the host (the computer running VMware)
Next you’re going to need to enter the Virtual Machine settings and set the Network Adapter to Bridged; this will allow your VM to act as if it’s a part of the network you’re connected to. I should warn you that this may not be ideal for malware research, as malware could probe, and possibly exploit, devices on your network. I will do a second (more complicated) tutorial that shows how to isolate the VM from your network whilst still allowing it to connect to the internet via Tor.

If you have multiple network interfaces on your host machine, you will need to go into the VMware “Edit” menu and click “Virtual Network Preferences”; from there you can set the bridge to connect to the adapter you use for internet access.

Next you need the network (local) IP address of the host network adapter you specified above. If you don’t know how to find that, go to the network settings in Control Panel, right click the network adapter, click “Status”, then click “Details” and it will be listed under “IPv4 Address”.

You should download and install the “Vidalia Relay Bundle” as opposed to the tor browser. You can disable the relay feature by specifying “Client only”.

You will also need to edit the torrc file and set it to listen on the host’s network IP (and a port of your choice).
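A torrc excerpt that does this, added here as an example rather than taken from the post; it reuses the tutorial’s addresses (host 192.168.1.66, VM 192.168.1.99) and assumes 9050 as the chosen port. The SocksPolicy lines go a step beyond the text: once the SOCKS port is bound to the host’s LAN address, every device on the bridged network can reach it, so they limit it to the VM.

```conf
# torrc on the host (added example, not from the original post).
# Addresses follow the tutorial: host adapter 192.168.1.66, VM 192.168.1.99.
# Port 9050 is an assumption; use whichever port you chose.

# Without an address Tor binds 127.0.0.1 only, which the VM cannot reach,
# so bind the SOCKS listener to the host's LAN address instead.
SocksPort 192.168.1.66:9050

# Only the VM may use this SOCKS port; anything else on the LAN is refused.
SocksPolicy accept 192.168.1.99
SocksPolicy reject *

# Client only: do not operate as a relay (same effect as "Client only" in Vidalia).
ORPort 0
```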

The following instructions are to be carried out inside the Virtual Machine
Now you need to set up the VM network adapter. All you need to do is go into the adapter settings, select “Internet Protocol Version 4 (TCP/IPv4)” and set “IP Address” to an IP within the network range of your host’s adapter (I chose 192.168.1.99 as my host adapter is 192.168.1.66).

If you set up everything correctly thus far, you should get a response when pinging your host’s network IP.

Now the VM is connected to your network but will not be able to access the internet. This is a good thing, because it means that once we finish the setup, internet access from within the VM will only be possible via tor.

I’ve decided to use Proxifier, but the next few steps should work with any proxification software. First we will need to white-list the host’s network IP address so we don’t get an infinite loop.

Once that’s done it’s time to add our proxy server. The proxy server will be the host’s IP and the port you decided to install tor on.

Now set the new proxy as the default rule (you can choose to skip this step and make specific rules if you wish).

Finally you need to set the name resolution mode to always resolve via proxy or the system will not be able to look up any domains.

If everything worked, you should be able to open a browser and check that you’re connected via tor. If the proxy client is closed, your VM internet will simply stop working instead of revealing your real IP.

Enjoy spending the rest of your life typing captchas.