This is a tutorial on how to set up an environment for dynamic malware analysis, which can be used to analyze otherwise encrypted HTTPS and SMTPS traffic without allowing the malware to connect to the Internet. Dynamic malware analysis (or behavioral analysis) is performed by observing the behavior of a malware while it is running. The victim machine, which executes the malware, is usually a virtual machine that can be rolled back to a clean state when the analysis is complete. The safest way to prevent the malware from infecting other machines, or doing other bad things like sending SPAM or taking part in DDoS attacks, is to run the victim machine in an offline environment. However, network traffic analysis of malware is a central part of dynamic malware analysis, which is is why a “fake Internet” is needed in most malware labs.
INetSim and PolarProxy
INetSim is a software suite that simulates common internet services like HTTP, DNS and SMTP, which useful when analyzing the network behavior of malware samples without connecting them to the Internet. INetSim also has basic support for TLS encrypted protocols, like HTTPS, SMTPS, POP3S and FTPS, but requires a pre-defined X.509-certificate to be loaded at startup. This can cause malware to terminate because the Common Names (CN) in the presented certificates don’t match the requested server names. The victim machine will actually get the exact same certificate regardless of which web site it visits. INetSim’s TLS encryption also inhibits analysis of the network traffic captured in the malware lab, such as C2 traffic or SPAM runs, because the application layer traffic is encrypted. PolarProxy can solve both these issues because it generates certificates on the fly, where the CN value is dynamically set to the requested host name, and saves the network traffic in decrypted form to PCAP files. It is therefore a good idea to replace the TLS services in INetSim with PolarProxy, which will be used as a TLS termination proxy that forwards the decrypted traffic to INetSim’s cleartext services.
The first step is to install a Linux VM, which will act as a fake Internet to the victim machine(s). I'm using Ubuntu Server 18.04.3 LTS in this tutorial, but you can use any 64-bit linux distro. I'm adding two network interfaces to the Linux VM, one interface with Internet access and one that connects to an isolated offline network to which the victim VM's will be connected. The offline interface is configured to use the static IP 192.168.53.19.
Important: Do not bridge, bond or enable IP forwarding between the two interfaces!
INetSim is available in Ubuntu's repo, so it is possible to install it with "apt install inetsim". However, I recommend installing INetSim as described in the official documentation to get the latest packaged version of INetSim.
INetSim listens on 127.0.0.1 by default, change this to INetSim's offline IP address by un-commenting and editing the service_bind_address variable in /etc/inetsim/inetsim.conf.
Also configure INetSim's fake DNS server to resolve all domain names to the IP of INetSim with the dns_default_ip setting:
Finally, disable the "start_service https" and "start_service smtps" lines, because these services will be replaced with PolarProxy:
Restart the INetSim service after changing the config.
Verify that you can access INetSim's HTTP server with curl:
It looks like INetSim's web server can be accessed alright.
Next step is to install PolarProxy as a systemd service (as instructed here):
We will need to modify the PolarProxy service config file a bit before we start it. Edit the ExecStart setting in /etc/systemd/system/PolarProxy.service to configure PolarProxy to terminate the TLS encryption for HTTPS and SMTPS (implicitly encrypted email submission). The HTTPS traffic should be redirected to INetSim's web server on tcp/80 and the SMTPS to tcp/25.
Here's a break-down of the arguments sent to PolarProxy through the ExecStart setting above:
- -v : verbose output in syslog (not required)
- -p 10443,80,80 : listen for TLS connections on tcp/10443, save decrypted traffic in PCAP as tcp/80, forward traffic to tcp/80
- -p 10465,25,25 : listen for TLS connections on tcp/10465, save decrypted traffic in PCAP as tcp/25, forward traffic to tcp/25
- -x /var/log/PolarProxy/polarproxy.cer : Save certificate to be imported to clients in /var/log/PolarProxy/polarproxy.cer (not required)
- -f /var/log/PolarProxy/proxyflows.log : Log flow meta data in /var/log/PolarProxy/proxyflows.log (not required)
- -o /var/log/PolarProxy/ : Save PCAP files with decrypted traffic in /var/log/PolarProxy/
- --certhttp 10080 : Make the X.509 certificate available to clients over http on tcp/10080
- --terminate : Run PolarProxy as a TLS termination proxy, i.e. data forwarded from the proxy is decrypted
- --connect 192.168.53.19 : forward all connections to the IP of INetSim
- --nosni nosni.inetsim.org : Accept incoming TLS connections without SNI, behave as if server name was "nosni.inetsim.org".
Finally, start the PolarProxy systemd service:
Verify that you can reach INetSim through PolarProxy's TLS termination proxy using curl:
Yay, it is working! Do the same thing again, but also verify the certificate against PolarProxy's root CA this time. The root certificate is downloaded from PolarProxy via the HTTP service running on tcp/10080 and then converted from DER to PEM format using openssl, so that it can be used with curl's "--cacert" option.
Now let's set up routing to forward all HTTPS traffic to PolarProxy's service on tcp/10443 and SMTPS traffic to tcp/10465. I'm also adding a firewall rule to redirect ALL other incoming traffic to INetSim, regardless of which IP it is destined to, with the final REDIRECT rule. Make sure to replace "enp0s8" with the name of your interface.
Verify that the iptables port redirection rule is working from another machine connected to the offline 192.168.53.0/24 network:
It is now time to save the firewall rules, so that they will survive reboots.
Install the Victim Windows PC
Configure a static IP address on the victim Windows host by manually setting the IP address. Set the INetSim machine (192.168.53.19) as the default gateway and DNS server.
Download the X.509 root CA certificate from your PolarProxy installation here:
- Double-click on "polarproxy.cer"
- Click [Install Certificate...]
- Select 🔘 Local Machine and press [Next]
- Select 🔘 Place all certificates in the following store and press [Browse...]
- Choose "Trusted Root Certification Authorities" and press [OK], then [Next]
- Press [Finish]
You might also want to install the PolarProxy certificate in your browser. This is how you install it to Firefox:
- Options / Preferences
- Press [Privacy & Security]
- Scroll down to "Certificates" and press [View Certificates...]
- In the "Authorities" tab, press [Import...]
- Open "polarproxy.cer"
- ☑ Trust this CA to identify websites. (check the box)
- Press [OK]
Now, open a browser and try visiting some websites over HTTP or HTTPS. If you get the following message regardless of what domain you try to visit, then you've managed to set everything up correctly:
Accessing the Decrypted Traffic
PCAP files with decrypted HTTPS and SMTPS traffic are now available in /var/log/PolarProxy/
PolarProxy will start writing to a new capture file every 60 minutes. However, the captured packets are not written to disk instantly because PolarProxy uses buffered file writing in order to improve performance. You can restart the proxy service if you wish to flush the buffered packets to disk and have PolarProxy rotate to a new capture file.
I also recommend capturing all network traffic sent to INetSim with a sniffer like netsniff-ng. This way you’ll get PCAP files with traffic from INetSim’s cleartext services (like DNS and HTTP) as well.
PCAP or it didn’t happen!
I'd like to thank Thomas Hungenberg and Patrick Desnoyers for providing valuable feedback for this blog post!
Posted by Erik Hjelmvik on Monday, 09 December 2019 08:40:00 (UTC/GMT)