Lab Hardware


quasimorte
July 28th, 2012, 11:24
I've done reversing and malware analysis professionally for some time now. I have switched jobs and am now in the position to build my lab from scratch, and am looking for some opinions on hardware recommendations. I am planning a hybrid lab containing both physical victim boxes as well as a primary analysis box for my VMs and code reversing. What I am looking into is what specs/systems would be recommended. I am familiar with Linux, Windows and Mac OS X, so everything is on the table; I also have a good feel for the tools I am familiar with as well as the automated tools that are available. Assume my budget is not an issue. So what would you build if you had the money? It needs to be able to handle anything and everything. I have a few ideas on layout and network architecture, but make recommendations and let's see where this goes.

Woodmann
July 28th, 2012, 21:17
Hmmmmm.....

Boxes with the last two versions of each OS.
Linux will be more difficult due to failure to upgrade.
So maybe use the last two before the latest version
of the big ones. OS, Mysql, Apache, etc.

Closed network and monitor with the usual tools.
If you go with an open network, make sure you have
your own IP isolated.

I don't know about the VM box. Use it for logging?
Dissecting and spreading?

Pretty much the common sense rules.
And make sure you use plenty of lame wares.
Facebook, twitter,ms crap, utube, etc.

If you just want an environment to monitor stuff you pick up
for testing purposes, keep the network closed except use one
box to fetch the stuff. You don't want 20 things going crazy at once.
Don't use a clean box to get your samples. Use one that you don't mind
re-installing the OS over and over again.

Even VMs can get dirty.

Nothing here you don't already know, but I thought I would get the
conversation started.

Woodmann

I would concentrate on 64 bit.

quasimorte
August 3rd, 2012, 19:44
After running the idea around I have a few theories and ideas on hardware setups. I read a few recommendations based on SANS articles and Practical Malware Analysis. I am planning a hybrid lab to be used for both dynamic analysis and static analysis. Since I will be dealing mainly with Wintel viruses, I will rely on hardware that can easily run Linux or OS X for my base systems, to allow me to recover back to base state without too much trouble. So here is my idea as of now.

Primary System:
Mac Pro:
2 x 6-core xeon processors
64GB ram
2 x 512GB SSD
2 x 2TB drives

This system will be used for running VMs for dynamic behavioral analysis as well as cracking and static analysis.

Hardware lab:
4 x mac mini server edition
2.0ghz quad-core i7
16gb ram
2 x 500gb drives

These will be used as dual boot systems to run malware natively.

Anybody have other suggestions or ideas? I appreciate the input, Woodmann; ya, the VMs are for dissection and analysis. I'm still working on the full network architecture as well, but that shouldn't be too difficult.

disavowed
August 6th, 2012, 08:40
That's ridiculous over-kill.

I've been doing malware analysis professionally as my full-time job for 8 years, and at a bare minimum you need 4 GB of RAM (in order to run a VM at a reasonable pace) and a regular hard drive. I've never had the need to run malware on bare metal; while yes, malware *can* detect that it's in a VM, 99% of real-world malware doesn't try to detect it, and for those that do you can spot it in the disassembly anyway and patch it out. The hassle required to re-image a bare-metal system every time you run malware on it is not worth the benefit.

As for network architecture, at the most you'd need to run two VMs simultaneously on a private virtual LAN segment. No need for creating a physical network.

Take the advice of SANS with a grain of salt. It's questionable how much real-world experience those guys have.

If you really want to spend money on preparing yourself to analyze malware, spend that money on quality training courses instead of on unnecessary hardware.
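
The "spot it in the disassembly and patch it out" step from the post above, as an added example that is not code posted by anyone in this thread. It scans raw x86 machine code for two common VM-detection idioms (the `mov eax, 0x564D5868` that precedes a VMware backdoor `in eax, dx`, and the `cpuid` instruction whose leaf-1 result carries the hypervisor-present bit), locates the conditional short jump that acts on each check, and rewrites that jump so the "not in a VM" path is taken. The sample bytes are constructed by hand for illustration, the helper names are hypothetical, and this is byte-pattern scanning rather than disassembly: confirm every hit in a real disassembler before patching a live sample.

```python
"""Find VM-detection checks in raw x86 code and neutralise the branch that acts on them.

Added example for this thread; not a tool from any project. SAMPLE below is a
hand-constructed byte string, labelled as such, standing in for a dumped code section.
"""
from __future__ import annotations

# mov eax, 0x564D5868 ('VMXh'): the magic loaded before the VMware backdoor
# `in eax, dx` (dx = 0x5658). Including the b8 opcode avoids matching the
# same constant when it appears as a cmp immediate.
VMWARE_MAGIC_SIG = bytes.fromhex("b8 68 58 4d 56")
# cpuid; with eax = 1 the hypervisor-present flag comes back in ecx bit 31.
CPUID_SIG = bytes.fromhex("0f a2")

SHORT_JCC_FIRST, SHORT_JCC_LAST = 0x70, 0x7F   # jo ... jg, 2-byte rel8 forms
SHORT_JMP = 0xEB
NOP = 0x90


def find_vm_checks(code: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for every VM-detection signature in `code`, in address order."""
    hits: list[tuple[int, str]] = []
    for sig, label in ((VMWARE_MAGIC_SIG, "vmware-backdoor-magic"), (CPUID_SIG, "cpuid")):
        start = 0
        while (i := code.find(sig, start)) != -1:
            hits.append((i, label))
            start = i + 1
    return sorted(hits)


def next_short_jcc(code: bytes, offset: int, window: int = 32) -> int | None:
    """Offset of the first 2-byte conditional jump within `window` bytes after `offset`.

    Naive: an opcode-range match on raw bytes can land on an immediate or a
    displacement, so treat the result as a lead to verify, not a fact.
    """
    for i in range(offset, min(offset + window, len(code) - 1)):
        if SHORT_JCC_FIRST <= code[i] <= SHORT_JCC_LAST:
            return i
    return None


def patch_jcc(code: bytes, jcc_offset: int, mode: str) -> bytes:
    """Rewrite the short jcc at `jcc_offset`.

    'nop' -> two NOPs, the branch is never taken (fall through).
    'jmp' -> unconditional short jmp with the same rel8, the branch is always taken.
    Pick the mode that forces the sample down its 'no VM here' path.
    """
    if not (SHORT_JCC_FIRST <= code[jcc_offset] <= SHORT_JCC_LAST):
        raise ValueError(f"no short jcc at offset {jcc_offset:#x}")
    out = bytearray(code)
    if mode == "nop":
        out[jcc_offset] = NOP
        out[jcc_offset + 1] = NOP
    elif mode == "jmp":
        out[jcc_offset] = SHORT_JMP          # keep the displacement byte unchanged
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return bytes(out)


def neutralise_vm_checks(code: bytes) -> tuple[bytes, list[int]]:
    """NOP out the branch following each detected check; return (patched, jcc offsets patched)."""
    patched, done = code, []
    for offset, _label in find_vm_checks(code):
        jcc = next_short_jcc(patched, offset)
        if jcc is not None and jcc not in done:
            patched = patch_jcc(patched, jcc, "nop")
            done.append(jcc)
    return patched, done


# Constructed sample (not taken from any real binary): a VMware backdoor probe
# followed by a cpuid hypervisor-bit probe, each branching to a vm_detected path.
SAMPLE = bytes.fromhex(
    "b8 68 58 4d 56 "     # 00: mov eax, 0x564D5868
    "bb 00 00 00 00 "     # 05: mov ebx, 0
    "b9 0a 00 00 00 "     # 0a: mov ecx, 0x0a          (backdoor 'get version')
    "ba 58 56 00 00 "     # 0f: mov edx, 0x5658
    "ed "                 # 14: in  eax, dx
    "81 fb 68 58 4d 56 "  # 15: cmp ebx, 0x564D5868    (ebx echoes the magic under VMware)
    "74 10 "              # 1b: je  vm_detected
    "b8 01 00 00 00 "     # 1d: mov eax, 1
    "0f a2 "              # 22: cpuid
    "0f ba e1 1f "        # 24: bt  ecx, 31            (hypervisor present)
    "72 02 "              # 28: jc  vm_detected
    "33 c0 "              # 2a: xor eax, eax           (not a VM)
    "c3 "                 # 2c: ret
)

if __name__ == "__main__":
    for off, label in find_vm_checks(SAMPLE):
        print(f"{label} at {off:#04x}, branch at {next_short_jcc(SAMPLE, off):#04x}")
    fixed, offsets = neutralise_vm_checks(SAMPLE)
    print("patched jcc offsets:", [hex(o) for o in offsets])
    print(fixed.hex(" "))
```

On real samples the same idea is usually done by hand in IDA or a hex editor once the check has been located; the scanner here just shows what the two signatures look like at the byte level and which two bytes change when the branch is patched.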

R33N
August 6th, 2012, 21:29
disavowed has it exactly right, as most malware seems to not include VMware detection. When they do, it is usually very trivial to identify and work around, or, as suggested, patch. One suggestion, if you just have to use physical, is to use Deep Freeze or a PCI card to reboot into a fresh state. Honestly, though, that becomes a nuisance over time as well.

Woodmann
August 6th, 2012, 21:34
Ya.....

What he said.

Woodmann

quasimorte
August 8th, 2012, 19:24
Well, it's a moot point now. They just found an ESX server that the last guy used for all his VMs. Now all I need is a nice MacBook to tie into it.

R33N
August 8th, 2012, 21:22
Quote (originally posted by disavowed):
That's ridiculous over-kill.

I've been doing malware analysis professionally as my full-time job for 8 years, and at a bare minimum you need 4 GB of RAM (in order to run a VM at a reasonable pace) and a regular hard drive. I've never had the need to run malware on bare metal; while yes, malware *can* detect that it's in a VM, 99% of real-world malware doesn't try to detect it, and for those that do you can spot it in the disassembly anyway and patch it out. The hassle required to re-image a bare-metal system every time you run malware on it is not worth the benefit.

As for network architecture, at the most you'd need to run two VMs simultaneously on a private virtual LAN segment. No need for creating a physical network.

Take the advice of SANS with a grain of salt. It's questionable how much real-world experience those guys have.

If you really want to spend money on preparing yourself to analyze malware, spend that money on quality training courses instead of on unnecessary hardware.

disavowed, I am curious what you mean by quality training courses. I have taken GREM, Advanced Malware classes, Advanced Memory Analysis classes, etc. They all feel introductory to malware analysis. I'd really like something fresh and new.

Not being around back when +HCU was going and all the great people were involved makes me feel as though I missed something great.

disavowed
August 9th, 2012, 09:37
I've heard very good things about the following two courses:

http://blackhat.com/html/bh-us-11/training/bh-us-11-training_sl-advmal.html
http://blackhat.com/html/bh-us-10/training/bh-us-10-training_hf-adv.html


You may want to consider this one as well:

http://blackhat.com/html/bh-us-11/training/bh-us-11-training_md-4dy-advmal.html


Also, I know many instructors are happy to craft custom courses as long as you can provide the students. For example, if you want a course on kernel-based reverse engineering, custom-VM protections, and chunked-packing, then you could contact a trainer and have them create and teach such a course for you and your colleagues.

Sunk
August 31st, 2012, 18:32
Quote (originally posted by disavowed):
That's ridiculous over-kill.

I've been doing malware analysis professionally as my full-time job for 8 years, and at a bare minimum you need 4 GB of RAM (in order to run a VM at a reasonable pace) and a regular hard drive. I've never had the need to run malware on bare metal; while yes, malware *can* detect that it's in a VM, 99% of real-world malware doesn't try to detect it, and for those that do you can spot it in the disassembly anyway and patch it out. The hassle required to re-image a bare-metal system every time you run malware on it is not worth the benefit.

As for network architecture, at the most you'd need to run two VMs simultaneously on a private virtual LAN segment. No need for creating a physical network.

Take the advice of SANS with a grain of salt. It's questionable how much real-world experience those guys have.

If you really want to spend money on preparing yourself to analyze malware, spend that money on quality training courses instead of on unnecessary hardware.

Really? I thought SANS instructors have been working professionals for years and simply teach on the side... If their advice should be taken with a grain of salt, then those who teach at colleges are worthless.

disavowed
August 31st, 2012, 20:13
Some yes, some no. Always check the industry experience of your instructors before signing up for a course. LinkedIn is useful.