Anonymizing Traffic For Your VM

Security Level: Medium

Purpose: To hide who you are while performing research through your browser AND protecting your host system from drive-by download attacks.

Benefits:

  • Hide your IP
  • Protect the host system by running in a virtual environment
  • Execute malware in a safe environment (non-traffic capture)

Drawbacks:

  • Not as easy to setup
  • Need to gather more programs/resources to start.

What you’ll need:

  • VMWare Player – https://www.vmware.com/products/player/
  • JanusVM – http://janusvm.com/
  • Another Virtualization Application (Vmware / VirtualBox / etc.)
  • An operating system to run on said virtualization application
    • Note: If you are already a malware researcher, chances are you are already running some kind of virtual environment for analysis, etc.

Situation:

So you came across a few really suspicious links during your anonymous research, you want to click them in a safe environment so you would use your analysis VM. You could use the Tor Browser again; however you want to be even more secure with no chance of anyone tracing you.

What are we doing?

We are going to connect our virtual analysis system to the JanusVM using a VPN (Virtual Private Network) connection and gain full anonymity and security while still protecting our host system.

How:

  1. Download and Install VMware Player (if you don’t already have it or another VMware product)
  2. Download JanusVM and extract it to a folder you won’t forget about.
  3. Open JanusVM in VMware Player and let it boot to the menu screen.
    • Optional: Once it gets to the part about loading Tor directories, you can just skip that by typing “x” and press enter if it is taking too long. It will still work.
    • JanusVM uses two virtual network interface cards, one bridged to the host system and therefore on the physical network, the other using NAT or Network Address Translation, to share a connection between the host and all the other VM’s.
    • We will be connecting our Windows VM to this NAT interface.

 

  • Once loaded note down the address to install JanusVM VPN from the local PC by observing the JanusVM menu screen.
JanusVM Configuration Batch File

 

  • Next select the 4th option in the JanuVM menu: VPN User Management!

I created the labman account, you should choose an equally non-descriptive username =D

  • This will allow you to create a username and password for yourself when you connect to the VPN later.
  • Open your other virtual environment application and load the Windows environment.
  • Go back to your Windows environment and modify the network interface settings so your network adapter uses a NAT connection.
NetworkSettings

Remember this settings interface, you’ll be using it again.

  • If not done automatically, release and renew your IP address from the VMWare DHCP server and make sure that the IP address is in the same subnet as the JanusVM local PC address. If you aren’t able gain an IP address from DHCP, check your network settings in Windows. You can also check the Virtual Network Editor in VMware and make sure that the internal DHCP service for the NAT connection is enabled.

Release and Renew will dump your IP and ask the DHCP server to another one.

  • Go to Start->Run and type in the JanusVM local PC address including the “SetupRun.bat” Then press enter.
Running the Batch File

 

  • You should be prompted to download a file, accept and Run it, it will install the JanusVM VPN client for you.
  • Once completed, double click the Desktop icon “JanusVM VPN” and input the username and password you created earlier.
JanusVPN Login

 

  • Optional: Once the desktop shortcut is created by the installer, you could modify your registry: HKLMSoftwareMicrosoftWindowsCurrentVersionRun and input an entry for the shortcut so that the VPN will connect at every system startup. Alternatively, you could just drag the shortcut to Start->Applications->Startup and it should do the same thing.
  • Click Connect and you will be connected with JanusVM! Go ahead and surf with the confidence that your traffic will all be sent anonymously and securely and sometimes in different languages!

 

Explanations:

Q. How does JanusVM work?

A. JanusVM is powered by VMware, built on the Linux 2.6.14 kernel, and brings together openVPN, Squid, Privoxy, and Tor, to give you a transparent layer of security and privacy that is compatible with all your TCP based applications. DNS request are also passed through Tor so even your ISP doesn’t know what web site you are looking at. All your web traffic is passed through squid and privoxy to filter out unwanted internet junk & prevents your web browser from leaking information about your computer system.

You can read this again @ www.janusVM.com.

Q. What is a Virtual Private Network (VPN)?

A. A Virtual Private Network or VPN is a secure network that is usually used to connect a remote user to a local network through a public telecommunications infrastructure, such as the internet. Most of the time, the connection from one end to the other requires authentications and various types of encryption technologies to make the connection secure, for this reason it is difficult to monitor or “sniff” the traffic.

Here is a fun graphic from Privacy Canada!

Virtual Private Network Diagram

This is where the term “Cloud Computing” originated from…this graphic here.

As you can see from the diagram, the various offices and the remote users are connecting through the VPN over the internet, so that it appears to the user as if they are on the local network at the office itself. Check out this site for more info on VPNs:

Q. What is a Virtual Environment, Virtual Machine (VM)?

A. Honestly, if you are not sure what a VM is, you might not want to be looking at this part of the tutorial. However, since I am such a great guy, I will explain it to you. A Virtual Machine is a “computer inside of a computer”. For example, using a virtual environment application, like VMware, I can have my base system or “Host” system, be Windows 7. Then I can install Ubuntu inside of VMware and now I have an operating system running inside of an application on my operating system. The virtual machine is completely separate from the host system and is usually referred to as the “guest” operating system. VMware takes care of all the hardware drivers and other essential system components that an actual hard-case system would have. Here is a visual of what this looks like:

 

For my purposes, I use a virtual machine to perform malware analysis because I can execute malware inside of the virtual machine without any fear that it can break out of the virtual environment application and infect my host system. Other benefits of using a VM are the use of “snapshots”, which allow you to create an instance of the operating system in a certain state, and then be able to revert to that state if you no longer want any of the modifications you have made to the operating system. In terms of malware analysis, I would have a “clean” state for my VM and after running malware and analyzing it, I can revert to that clean state and it would be like I never ran the malware at all. So to finish this up, we are using a virtual machine to perform open source research on malware authors and distributors because the possibility exists that if we used our host systems, they would be infected by malware, which is something we really don’t want to happen. If we get infected through the VM, we can just revert to a clean state again. Check out these sites for more information on VM’s:

Q. Is there a video on how to setup the JanusVM VPN?

A. There sure is! The Janus people made it themselves! You can download it from their website or watch it on YouTube, here is the link:

Summary:

By employing the use of virtual machines and using JanusVM to make your connection anonymous and secure, there should be no site on the internet which you should be afraid of going to. However, there are some drawbacks to using this method rather than the next one we will discuss, for example when performing malware analysis, you will want to anonymize your traffic, at the same time you want to observe what kind of traffic the malware is sending and receiving. Well if you are connected to a VPN on your analysis system, you won’t see anything but traffic moving through the VPN, encrypted! The next section solves that problem however it does require a little bit of technical know-how.

ABOUT THE AUTHOR

Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.