LabZero War PC Security Config

Windows Edition: Pro
User Account Control: Always notify
Real-time security: Windows Defender, VoodooShield Free 3.38, Zemana AntiLogger Premium with real-time protection on (Pandora enabled)
Firewall security:
Periodic malware scanners: Zemana AntiLogger
Malware sample testing:
Browser(s) and extensions: Internet Explorer 11 (unused), Firefox, Edge
Maintenance tools: Process Lasso Pro, CCleaner, Kerish Doctor, SecureMyBit
File and photo backup: Macrium Reflect Free
System recovery: Macrium Reflect Free

LabZero

Thread author
Firewall: GlassWire Network Monitor Pro
Backup and restore: Macrium Reflect Free and some complete images.
Speccy: hardware monitor
Shadow Defender, Sandboxie.

Hello guys, I decided to dramatically increase my security level by building a PC entirely and exclusively dedicated to Malware Analysis.

This PC does not contain any personal or sensitive information.

Allocated virtual systems for the analysis lab: Windows 10 Home inside VirtualBox 5.1.4

Behavioral and static analysis tools
  • File system and registry monitoring: Process Monitor
  • Process monitoring: Process Explorer
  • Network monitoring: Wireshark
  • Code-analysis tools, disassembler and debugger: OllyDbg and IDA Pro Freeware, PE Studio, ILSpy
  • Change detection: Regshot
  • Memory dumper: OllyDumpEx
Online analysis tools: Anubis, Malwr, Deepviz.
Real-time threat assessment: WebInspector
Historical reputation data: URLVoid and MxToolbox

Other tools

  • Visual Studio Express: the main Integrated Development Environment (IDE) from Microsoft.
  • Code::Blocks: a free C++ IDE built to meet the most demanding needs of its users. It is designed to be very extensible and fully configurable and has multiple compiler support (default GCC).
  • Detect It Easy: another PE identifier
  • ProcDump: a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
  • Java Decompiler
  • Spy++: spying tool with point-and-click Handle/ID grabbing
  • HxD Hex and Disk Editor for editing and viewing binary files and hard disk sectors.

This configuration is intentionally sparse because I want to focus on malware; other apps will be added in the future.
 
Last edited by a moderator:
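The "Change detection: Regshot" entry above compares a snapshot of the system taken before a sample runs with one taken afterwards. The script below is an added example of that idea for a directory tree, written for this page and not code from the post, from Regshot or from any tool listed; the demo directory, its files and the simulated effects of a sample run are all constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Take a Regshot-style 'shot' of a directory tree: relative path -> SHA-256 of contents."""
    shot: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            shot[rel] = h.hexdigest()
    return shot


def compare(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two shots, like Regshot's 1st/2nd shot comparison."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo() -> Dict[str, List[str]]:
    """Constructed demo: a fake guest profile before and after a simulated sample run."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "hosts", b"127.0.0.1 localhost\n")
        _write(root, "app/settings.ini", b"autorun=0\n")
        _write(root, "app/readme.txt", b"hello\n")
        first = snapshot(root)
        # Simulated effects of the sample (constructed): drops a file, edits a config, deletes a file.
        _write(root, "app/dropped.bin", b"constructed sample output")
        _write(root, "app/settings.ini", b"autorun=1\n")
        os.remove(os.path.join(root, "app", "readme.txt"))
        second = snapshot(root)
    return compare(first, second)


if __name__ == "__main__":
    print(run_demo())
```

Point `snapshot()` at the guest's profile or system directories instead of the temp dir to use it for real; registry changes still need Regshot or Process Monitor, which this file-only check does not cover.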

LabZero

Thread author
I don't understand: will you analyze malware in VBox or on this machine's primary OS?

And what do you mean by analysis? Find some malware and execute it to see its impact on the various areas of the OS?

@Umbra, yes, I use a virtual environment for testing malware even though my computer is only for this, because if a malware sample were to compromise the stability of the system, it would do so only on the guest.
If this happened on the host system (see ransomware, MBR rootkits, etc.) I would have to restore a backup image every time, so I do it for convenience. :D
Because malware may detect that it is running in a virtualized environment, I could rely on a physical machine rather than a virtual one; I'll decide later.

Yes, I like to examine the behavior of malware, analysing it on the operating system for my study and because this is useful for understanding and preventing infection.
 
Last edited by a moderator:

LabZero

Thread author
Nice config :)


I wouldn't worry about this too much. You have IDA Pro Freeware and OllyDbg, you can use either to get round/detect Anti-Virtualization detection tricks. You can also attempt to conceal evidence of using a virtual environment.

Although it's true that using the host system is a more effective approach as suggested above.

Yes, I wanted to have two possible alternatives, even if it is true that malware would be tested on the real system.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Klipsh,
thanks for sharing this solid config!
What about scanners, will you load some AV to scan their (0-day) detection?
What about the router, how will you protect it?
Will you run the samples while offline, or did you buy a router just for testing?
 

LabZero

Thread author
Thanks @Solarquest
No scan software, I want to have control while analyzing the malware. I have ZAM and Webroot, but only for an opinion.
About the router, I should implement it (testing ...), but I think I'm going to use Access Control Lists (ACLs).
Another critical step is to disable the remote administration features of the router ...
 

Solarquest


Hello Klipsh,
...oh yeah, disable it; if not, it's like leaving the main door unlocked/open.. :p
Do you have a Cisco (small business) router or a SOHO one?
Interesting, the ACL! Did you implement it before?
THANK you for sharing!!!
 

LabZero

Thread author
I have a Netgear and I found a guide about ACLs (not implemented before).
ACLs are used to prevent unauthorized access to the admin panel.
Setting ACLs (usually the reference section is Access Management) for the IP 0.0.0.0 and selecting LAN (not WAN or LAN/WAN) as the interface ensures that only the local client systems have access to the router's administration panel (for example, to avoid DNS changes).
I've enabled the SPI firewall to avoid sending ICMP responses, so I hope... :D
 
Last edited by a moderator:

Solarquest

I also have a dedicated PC for testing.. the only thing I couldn't have "dedicated" was my router... my ISP is making my life difficult with this... apparently I could use another one just for testing, but to be able to use it I should call them every time I switch so that they send a "signal" to my router, recognize it and allow it to access the web.. then the same for the old router to get back to safe surfing... after a few days they'll just stop doing it and send me to ..../ bad words :(
Still working on a better, safer solution, since SOHO routers unfortunately can be hacked also from local. :mad:
Can you pls post or PM me the guide about ACLs? ;)
Thank you:)
 

LabZero

Thread author
Yeah, unfortunately my router (Netgear) isn't as customizable as a Cisco, but at least it provides a basic level of security, for example restricting access to a particular network or subnet. I then found a guide for my router: How do I use the ACL Wizard on a smart switch? | Answer | NETGEAR Support

Some router administration interfaces, however, have vulnerabilities that expose them to XSS attacks, CSRF or command injection, or are based on an insecure authentication procedure, so there is always a risk: in this case an attacker may be able to change the DNS server, inserting an arbitrary IP, simply by causing a local URL that asks the router to alter the DNS to be loaded, for example using simple JavaScript code :eek:
 
Last edited by a moderator:
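The thread's main worry about the router is a silent change of the DNS server handed to the lab PC. As an added example (not from the thread, not Netgear's or any listed tool's code), the script below parses the DNS Servers block of `ipconfig /all` output on the Windows host and flags any resolver that is not on a trusted list; the trusted addresses and the ipconfig excerpt are constructed, with 203.0.113.5 standing in for a rogue resolver.

```python
import re
import subprocess
from typing import List, Set

# Resolvers this lab PC is expected to use: the router and one public fallback.
# Both addresses are assumed values for the example.
TRUSTED_DNS: Set[str] = {"192.168.1.1", "1.1.1.1"}

# `ipconfig /all` prints the first resolver on the 'DNS Servers' line and any
# further resolvers on indented continuation lines that hold only an address.
DNS_LINE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
ADDR_ONLY = re.compile(r"[0-9A-Fa-f:.%]+")


def parse_ipconfig(text: str) -> List[str]:
    """Collect every DNS server address, in order, from ipconfig /all output."""
    servers: List[str] = []
    in_dns_block = False
    for line in text.splitlines():
        m = DNS_LINE.search(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block and ADDR_ONLY.fullmatch(line.strip()):
            servers.append(line.strip())
            continue
        in_dns_block = False  # any other line ends the continuation block
    return servers


def rogue_servers(servers: List[str], trusted: Set[str] = TRUSTED_DNS) -> Set[str]:
    """Return configured resolvers that are not trusted: a sign of DNS tampering."""
    return {s for s in servers if s not in trusted}


# Constructed ipconfig excerpt: the second resolver was never configured by the owner.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.5
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    try:  # live check on Windows; falls back to the constructed sample elsewhere
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    except OSError:
        text = ""
    bad = rogue_servers(parse_ipconfig(text or SAMPLE_IPCONFIG))
    print("rogue DNS servers:", sorted(bad) or "none")
```

Run it from a scheduled task on the host so a DNS change made through the router's admin panel is noticed even when the guest is the only machine executing samples.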
