WARNING: The information included in this tutorial could be used for malicious purposes in the wrong hands, please expect to be yelled at by people who think you are a bad guy if you start talking about this or asking questions. Also, please use responsibly.
Hello everyone! Today I am going to give a detailed tutorial on how to make the traffic originating from your Analysis VM completely anonymous! I spent a lot of time searching the nets for comprehensive explanations on how to accomplish this goal for the novice Linux user with non-expert level knowledge of networking; unfortunately I found nothing but little bits and pieces here and there so I decided to compile it all in one neat tutorial!
First things first though, I need to tell you why it is so important to keep yourself anonymous when dealing with malware and in general when performing research. Here are a few reasons:
- So you don’t get blocked - When performing malware analysis, testing out new malware on live systems and generally being a pain in the ass for malware controllers, you might get noticed. The easiest way to stop your snooping is to block your IP and either pass it around to your buddies or use it for your next fun DIY botnet project! Think of it this way, we as malware researchers have so many lists for what domains are hosting malware, don’t you think the bad guys might have a similar one for IP’s of especially annoying researchers?
- So the bad guys can’t kill your network – There is a possibility that if you piss off the bad guys enough they will send their botnets to DDoS your ISP. OMG! Then you’re screwed and so is everyone else who uses your ISP, at least until its fixed =/
- So the bad guys can’t find you – While it seems silly that your IP might be singled out to be a sure sign that the bad guys are being watched, it might happen. If it did, the more extreme measure for the bad guys to take would be to do whatever they could to track you down and either try to ruin your life or scare you enough to back off.
This tutorial is split into sections! (YAY!) The sections are:
- Anonymizing traffic for your host system (Easy)
- Anonymizing traffic for your VM (Medium)
- Anonymizing traffic for your VM AND capturing traffic (Hard)
NOTE: None of these methods are capable of Anonymizing UDP packets, only TCP. Sorry =/