Updated: Dec 17, 2020
When performing dynamic analysis on malware samples you will quickly find you are going to need multiple machines to get the job done. To minimize the hardware costs associated with developing a malware analysis network, I highly recommend utilizing virtual machines and a hypervisor.
When creating an offline virtual network for malware analysis in VMware, the best option is to configure the virtual network as 'Host-only' and to deselect the option 'Connect a host virtual adapter to this network'. During dynamic analysis, the malware is executed and any network traffic generated can be analyzed. In order to prevent this network traffic from leaking out to the internet, the virtual network must be carefully configured.
While some dynamic analysis networks use an anonymized internet connection to securely connect out to the internet, this malware analysis network will be entirely offline. This means that none of the traffic generated by the malware analysis network will reach the host adapter of the host machine.
To edit the configuration of a virtual network in VMware, the Virtual Network Editor must be run with administrative privileges. The configuration of my malware analysis network can be seen in the image below.
In the image above it can be seen that VMnet2 is configured to use a Host-only connection. This prevents systems using the VMnet from connecting out to the internet. The other options are NAT and Bridged. Both of these options would allow the virtual network to connect out to the internet.
There are some scenarios where you might want your malware analysis network to use an internet connection, but that requires additional security controls to prevent your identity while analyzing the malware. If you want you malware analysis box to have internet connection, I recommend routing all of your traffic through Tor or a VPN. Both of these solutions will anonymize the users IP address in the event that any traffic is sent from the analysis system.
The option to connect the host virtual adapter to this network was not selected. This prevents the traffic generated on the virtual network from reaching the host systems network adapter.
VMnet2 was configured to use the 192.168.209.0/24 subnet with DHCP enabled. This means that every system which has their network adapter attached to VMnet2 will be assigned an IPv4 address between 192.168.209.1 and 192.168.209.255.
When creating an offline virtual network for malware analysis in VMware, be sure to configure the virtual network as "Host-only" and to deselect the option "Connect a host virtual adapter to this network'" option.