Tuesday, November 12, 2019

Building a DirtyNet - The Ultimate Malware Playground

By Tony Lee

Do you have a safe place to handle and investigate potential malware? Maybe you are you doing this on your home PC or in a VM to try to protect the rest of your network?  Whether you have a DirtyNet or not, let’s start an open discussion that covers some safe malware handling possibilities along with the pros and cons of each. Maybe this will help provide justification or a framework for even a minimal amount of funding to build something official and supported.

Figure 1:  DirtyNet Information Flow

The Benefits

There are many benefits to building a DirtyNet to take a closer look at potential malware, here are a few:

  • Determine maliciousness of malware
    • Never seen before binaries – Threat intel and malware repositories know nothing about it
    • Low conviction rate – Threat intel and repositories have seen it, but are not convinced of the maliciousness

  • Extract Indicators of Compromise (IOCs)
    • Useful in hunting for presence in the rest of the environment

  • Protect the rest of the network
    • Prevent users from mishandling malware on their corporate PCs by providing a dedicate environment

Possible Solutions
There are probably a large number of potential solutions – many of them bad ideas and some good ideas. We will cover the two most common setups here:

1) Stand-alone Malware Analysis Laptops

This is very common because it is easy to implement and somewhat reduces the risk of accidental malware spread.  There are some pros and cons that should be noted though:


  • Lower risk of mishandled malware than using a VM on your corp machine

  • Requires sneaker net – USB drives with write-blockers
  • Not real-time feeding from sensors
  • Difficult to connect/automate sensors and analysis stack
  • Difficult to scale to a large amount of malware
  • Difficult to extract and harvest IOC for reuse

2) Building a DirtyNet

This is not always the route chosen, but when built correctly, it is a beautiful and graceful solution. Here are the pros and cons:

  • Can be automated
  • Flexible sensor integration
  • Flexible automated malware analysis stack
  • Scales to higher volume of malware

  • Higher risk of mishandled malware when not following proper procedures

DirtyNet Rules

Notice the single con of the DirtyNet…  But just like fight club, it is important that EVERYONE follow the rules:

  • Write-only file share exposed to larger environment to accept malware and move inside DirtyNet
  • Malware stays within DirtyNet.  No outbound traffic except whiteline for FireEye AX / Malware analysis stack
  • Malware can be taken from the Malware repo and moved to an analysis workstation within DirtyNet
  • Malware is ideally password protected zipped with “infected” before transfer and during storage
  • Analyst connection to dirty net does not compromise the rest of the network. Virtualized desktops through a browser plugin with no file sharing is a decent option.


So you want to build a DirtyNet now... and you are curious as to what you might need. The info below contains the high-level requirements:
  • Hardware or Virtual (AWS/Azure/GCP) capacity 
  • Whiteline randomized POP for malware to make callouts (ideal but not necessary)
  • Viper or similar framework for the Malware repository
  • Time from a network engineer to set up network and hosts

Now that you have the blueprint, will you be building a DirtyNet of your own? Also, if you already have a DirtyNet, we would be interested in hearing your tips, tricks, or opinions posted in the comment section below. As a bonus, do you have any cool integrations setup?  For example, we have CyBot’s (https://github.com/cylance/CyBot) Cuckoo plugin safely feeding out instance with malware. Thanks for reading!

Figure 2:  CyBot Cuckoo plugin safe submission to DirtyNet

No comments:

Post a Comment