IT-SECX – IT-Security Community Exchange

Jurriaan Bremer

Date post: 11-Jun-2018

IAMWHO?

Jurriaan Bremer

• Member of The Honeynet Project

• Member of Eindbazen CTF Team

• Cuckoo Sandbox Developer for ~2.5 years

• Author of VMCloak

• Freelance Security Researcher

• Occasional student

AGENDA

• Introduction to Sandboxing

• Introduction to Cuckoo

• Customization

• Analysis Internals

• Anti-Sandboxing & Anti-anti-sandboxing

• VMCloak

• Longterm Analysis

• Distributed Cuckoo

SANDBOXING

What does a malware sandbox look like? Software or hardware appliances that receive suspicious files and return an overview of their functionality.

PROBLEMS

• Automate specific tasks?

• Integrate with defenses?

• Process high volumes?

• Digital forensics/incident response?

PROS

• Automate the whole analysis process

• Process high volumes of malware

• Usable by virtually anyone

• Get the actual executed code

• Dropped executables, etc.

• Can be very effective if used correctly

CONS

• Can be expensive

• Hardware

• Maintenance

• Some portions of the code might not be triggered

• Environment could be detected

• Malware going for an early exit

CUCKOO SANDBOX

Automated malware analysis system, easy to use and customize.

WHY?

• We believe in open source

• Empower students and researchers

• Contributors

• Open architecture for more flexibility and creativity

SOME NUMBERS

• Around 40000 lines of Python code

• Around 10000 lines of C code

• Reaching almost 3000 commits on GitHub

• 4 Core Developers

• ~30 Contributors over time

BITS OF HISTORY

Aug 2010 0.1a

Jan 2011 0.1

Nov 2011 0.2

Dec 2011 0.3

Jul 2012 0.4

Dec 2012 0.5

Apr 2013 0.6

Aug 2013 1.0

Mar 2014 1.1

Oct 2014 0day

0DAY – INDIRECT RCE

http://cuckoosandbox.org/2014-10-07-cuckoo-sandbox-111.html

Documentation on Python’s os.path.join() function:

“If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.”

>>> import os.path
>>> os.path.join('/home/cuckoo/cuckoo', 'etc/passwd')
'/home/cuckoo/cuckoo/etc/passwd'
>>> os.path.join('/home/cuckoo/cuckoo', '/etc/passwd')
'/etc/passwd'

So… patch your Cuckoo setups!
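As an added example (not Cuckoo's code; the slides only state the os.path.join() behaviour, not where Cuckoo relied on it), here is the naive join beside a containment check that refuses both absolute components and ".." traversal. The base directory is a placeholder.

```python
import os

# Placeholder storage root used for illustration; any absolute path works.
BASE = "/home/cuckoo/cuckoo"


def unsafe_join(base, component):
    """The pattern from the slide: an absolute 'component' silently replaces 'base'."""
    return os.path.join(base, component)


def safe_join(base, component):
    """Join 'component' onto 'base' only if the result stays inside 'base'.

    Absolute components are refused up front; '..' traversal is caught after
    normalisation. Returns the normalised path or raises ValueError.
    """
    base = os.path.normpath(os.path.abspath(base))
    if os.path.isabs(component):
        # Do not "rebase" attacker-controlled absolute paths; refuse them.
        raise ValueError("absolute path component: %r" % component)
    candidate = os.path.normpath(os.path.join(base, component))
    # commonpath() rather than startswith(): "/srv/cuckoo2/x" would pass a
    # startswith("/srv/cuckoo") check but is not inside /srv/cuckoo.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % component)
    return candidate


def is_contained(base, component):
    """Boolean convenience wrapper around safe_join()."""
    try:
        safe_join(base, component)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for comp in ("etc/passwd", "/etc/passwd", "../../etc/passwd",
                 "storage/../../cuckoo2/x"):
        print("%-26s unsafe=%-34s contained=%s"
              % (comp, unsafe_join(BASE, comp), is_contained(BASE, comp)))
```

The last sample input is the reason for commonpath(): a sibling directory whose name merely starts with the base name would slip past a prefix check on the string.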

WHAT YOU NEED TO KNOW

• Basic usage of Linux

• Basic usage of Virtual Machines

• Knowledge to leverage the results

• Windows APIs

• Malicious behaviors

• With Python you can get awesome!

• Customization

• Modules

HOW IT WORKS

Fetch task → Spin up VM → Instrument the guest → Execute and log → Tear down VM → Process and report

KEY FEATURES

• Almost everything is a module

• Completely automated

• Run concurrent analysis

• Able to trace processes recursively

• Customize analysis process

• Create behavioral signatures

• Customize processing and reporting

DEMO

First look at Cuckoo Sandbox

GETTING STARTED

REQUIREMENTS AND EXPECTATIONS

• What is your goal?

• Who is going to use the sandbox?

• How are they going to consume the data?

• How many samples do you expect?

• What kind of results are mostly relevant?

• Do you need all features to meet your goal?

DESIGN YOUR ENVIRONMENT

• Do you want to run Office exploits?

• Most exploitable version(s)?

• Do you want to run PDF exploits?

• Do you want to run 64 bit malware?

• Do you want to run URLs?

• Do you need script interpreters?

• Windows XP or Windows 7?

• Windows 8 or even 10? (Not supported yet!)

INSTALLATION IN A NUTSHELL

• Install VirtualBox, VMWare or QEMU/KVM

• Download & extract Cuckoo

• Install dependencies

• Create a virtual machine, copy over and run agent.py, and take a snapshot (the guest needs to be able to communicate with the host).

• Configure the files in conf/

• $ python cuckoo.py

SETUP DISCLAIMERS

• It’s not point-and-click, involves manual work

• Or is it?

• Virtualization software might get funky

• Not designed for mass restore / suspend..

• Need help?

• Documentation

• Mailing list

• Q&A platform

• IRC

• After the talk with a beer?!

USAGE

SUBMISSION

• Command line

./utils/submit.py

• Cuckoo Web API

./utils/api.py

• Django Web Interface

./web

• Python API

• Only if you’re feeling lucky!

OPTIONS

• Analysis Package

• Timeout

• Priority

• Machine

• Memory Dump (Volatility)

• Tags

RESULTS

• Raw results stored in storage/analysis/<id>/

• Reports stored in storage/analysis/<id>/reports/

• Various reporting modules

• JSON

• HTML

• Custom..

RESULTS

• Trace of API calls

• File dumps

• IOCs

• Signatures

• Screenshots

• Network traffic

• Process memory dump

• System memory dump

COMPONENTS

COMPONENTS

• Core

• Cuckoo Daemon on the host machine.

• Analyzer

• In the Virtual Machine.

• Instruments the sample.

• Streams results in realtime to the host.

CORE MODULES

• Machinery Modules

• Located in ./modules/machinery/

• VirtualBox

• VMWare

• VMWare ESXi

• Qemu/KVM

• Auxiliary Modules

• Located in ./modules/auxiliary/

• Run tasks concurrently to each analysis.

• Network traffic capture

PROCESSING MODULES

• Process raw results

• Located in ./modules/processing/

• Collection of results

• Results including:

• Static analysis of the sample

• Process API logs

• Dropped files

• .pcap (network dump)

• Memory dumps (Volatility!)

• Yara

• VirusTotal results

SIGNATURES

• Isolate specific events

• Located in ./modules/signatures

• Events:

• Identify malware family

• Identify malicious behavior

• Community repository

• https://github.com/cuckoobox/community

$ ./utils/community.py --signatures (--force)

SHARING IS CARING!

REPORTING

• Various reporting formats

• Located in ./modules/reporting

• Default:

• JSON

• HTML

• MAEC

• MongoDB

• Custom?

ANALYZER MODULES

ANALYSIS PACKAGES

• Define how to interact with the sample

• Can be used for scripting tasks

• Used to open various filetypes

• Executables

• PDF

• Word Documents

• Python files

• …

AUXILIARY MODULES

• Run concurrently to the analysis

• Default:

• Screenshots

• Emulation of human interaction

• Mouse clicking and moving

MONITOR

MONITOR

• DLL Injection

• Inline Hooking

• Logging to the host over TCP connection

• Logs more than 220 functions

EVASIONS ARMS RACE

• Malware often creates child processes or injects into other processes (e.g., explorer.exe) to avoid detection

• We track this and follow such events

• Inject the monitor into the same processes

API HOOKING CATEGORIES

• Cryptography

• Exception Handlers

• Files

• Network

• Process & Threads

• Registry

• User Interface

RECENT UPDATES

• 64-bit support (WIP)

• API Signatures

• Full stacktrace for each call

• Exception handling

• Improved Hooking

• Documentation (:P)

SAMPLE API SIGNATURE

fopen("hoi.txt", "wb");

ANTI-SANDBOXING

With sandboxes getting popular, malware writers are increasingly trying to

bypass them.

ANTI-SLEEP

• Cuckoo Sandbox skips sleeps that are launched within the first seconds of a process execution.

• Avoids malware doing Sleep(10 minutes).

MOUSE-MONITOR

• Malware can watch for:

• Movements of the cursor

• Clicks of the mouse buttons

• They don’t start until such events are observed.

• Good example is Upclicker.

• And… Downclicker

• Clicks on dialogs, e.g., "Next"

ANTI-VIRTUALIZATION

• It’s painful

• Depends on the virtualization software of your choice

• You can do something about it

• However you won’t be able to kill all indicators

ANTI-VIRTUALIZATION TRICKS

• Find processes: VBoxService.exe, vmtoolsd.exe

• Find files or devices: \Device\VBoxMouse

• Detect available libraries: LoadLibrary('VBoxOGL.dll')

• Detect BIOS version

• Detect disk description: IOCTL_STORAGE_QUERY_PROPERTY, IOCTL_SCSI_MINIPORT

• Detect disk size: IOCTL_DISK_GET_DRIVE_GEOMETRY

• Detect guest tools

• Find windows: FindWindow('VBoxTrayToolWnd')

DO NOT INSTALL THE GUEST ADDITIONS.

WINDOWS REGISTRY

• HKLM\HARDWARE\Description\System\SystemBiosVersion

• HKLM\HARDWARE\Description\System\VideoBiosVersion

• HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

• HKLM\SYSTEM\CurrentControlSet\Enum\IDE\
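The signature slides earlier say signatures "isolate specific events" and flag malicious behaviour; the anti-virtualization slides above list the artifacts a sample probes for. Here is an added example (my code, not a signature from the Cuckoo community repository) that puts the two together: a signature-shaped class that flags those probes in an analysis result. It operates on a plain dict laid out like a Cuckoo 1.x report.json (behavior.summary.files / .keys and behavior.processes[].calls[] with api and arguments); that layout, the API and argument names, and the sample report are assumptions of this example, not something the slides spell out.

```python
import ntpath

# Indicators from the anti-virtualization slides, lower-cased for
# case-insensitive matching. Registry paths use the HKEY_LOCAL_MACHINE
# spelling (assumed for the summary) instead of the HKLM shorthand.
VM_FILE_PREFIXES = [r"\device\vboxmouse"]
VM_LIBRARIES = ["vboxogl.dll"]
VM_WINDOWS = ["vboxtraytoolwnd"]
VM_PROCESSES = ["vboxservice.exe", "vmtoolsd.exe"]
VM_REGISTRY_PREFIXES = [
    r"hkey_local_machine\hardware\description\system\systembiosversion",
    r"hkey_local_machine\hardware\description\system\videobiosversion",
    r"hkey_local_machine\hardware\devicemap\scsi\scsi port 0\scsi bus 0"
    r"\target id 0\logical unit id 0",
    r"hkey_local_machine\system\currentcontrolset\enum\ide",
]


class AntiVMArtifacts:
    """Signature-shaped check: metadata attributes plus run() -> bool."""
    name = "antivm_artifacts"
    description = "Sample probes for VirtualBox/VMware artifacts (evasion attempt)"
    severity = 3
    categories = ["anti-vm"]

    def __init__(self, results):
        self.results = results
        self.matches = []  # (indicator kind, matched value)

    def _hit(self, kind, value):
        self.matches.append((kind, value))

    def run(self):
        behavior = self.results.get("behavior", {})
        summary = behavior.get("summary", {})

        # File and registry accesses are already aggregated in the summary.
        for path in summary.get("files", []):
            if any(path.lower().startswith(p) for p in VM_FILE_PREFIXES):
                self._hit("file", path)
        for key in summary.get("keys", []):
            if any(key.lower().startswith(p) for p in VM_REGISTRY_PREFIXES):
                self._hit("registry", key)

        # Library loads, window lookups and process enumeration need the raw
        # API trace, because the summary does not carry their arguments.
        for proc in behavior.get("processes", []):
            for call in proc.get("calls", []):
                api = call.get("api", "")
                args = {a["name"]: str(a["value"]) for a in call.get("arguments", [])}
                if api.startswith(("LoadLibrary", "LdrLoadDll")):
                    if ntpath.basename(args.get("FileName", "")).lower() in VM_LIBRARIES:
                        self._hit("library", args["FileName"])
                elif api.startswith("FindWindow"):
                    for field in ("ClassName", "WindowName"):
                        if args.get(field, "").lower() in VM_WINDOWS:
                            self._hit("window", args[field])
                elif api.startswith("Process32"):
                    if args.get("ProcessName", "").lower() in VM_PROCESSES:
                        self._hit("process", args["ProcessName"])
        return bool(self.matches)


def _call(api, **kwargs):
    """Build one trace entry in the assumed report layout."""
    return {"api": api, "arguments": [{"name": k, "value": v} for k, v in kwargs.items()]}


# Constructed sample report: one process that probes several VM artifacts
# and also does ordinary work, plus a benign report for the negative case.
SAMPLE_RESULTS = {"behavior": {
    "summary": {
        "files": [r"\Device\VBoxMouse", r"C:\Users\Public\hoi.txt"],
        "keys": [r"HKEY_LOCAL_MACHINE\HARDWARE\Description\System\SystemBiosVersion",
                 r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"],
    },
    "processes": [{"process_name": "sample.exe", "calls": [
        _call("LoadLibraryA", FileName=r"C:\Windows\System32\VBoxOGL.dll"),
        _call("FindWindowA", ClassName="VBoxTrayToolWnd", WindowName=""),
        _call("Process32NextW", ProcessName="vmtoolsd.exe", ProcessId=1234),
        _call("NtCreateFile", FileName=r"C:\Users\Public\hoi.txt"),
    ]}],
}}
BENIGN_RESULTS = {"behavior": {
    "summary": {"files": [r"C:\Users\Public\hoi.txt"], "keys": []},
    "processes": [{"calls": [_call("NtCreateFile", FileName="x")]}],
}}


if __name__ == "__main__":
    sig = AntiVMArtifacts(SAMPLE_RESULTS)
    print(sig.name, "matched" if sig.run() else "no match", sig.matches)
```

A hit on this signature is itself useful triage data: a sample that looks for VBoxMouse or VBoxTrayToolWnd and then exits early is the "early exit" case from the cons slide, and the match tells you which artifact to cloak.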

VMCLOAK

VMCLOAK

• Automated Generation of Virtual Machines

• Virtual Machines are complex

• Takes a lot of time to setup

• Many steps involved..

• http://vmcloak.org/

• http://vmcloak.readthedocs.org/

$ pip install vmcloak

VM SETUP STEPS

• Install Windows XP

• Cuckoo supports Windows 7, VMCloak not yet

• Serial Key, Keyboard Layout, Timezone, ...

• Network

• Static IP for the Host

• Optionally internet access

• DNS server

• VM Cloaking

VM SETUP STEPS #2

• Dependencies

• .NET framework, Adobe PDF Reader, Java, ..

• Create a VM Snapshot

• Add VM to the Cuckoo configuration

• ETA: Between 20 and 120 minutes per VM

VM CLOAKING

• Malware will often try to evade analysis

• Solution: Randomize VM characteristics

• Harddisk names ("VBOX HARDDISK")

• CD Rom ("VBOX CD-ROM")

• Machine Name & Username

• Files, Registry Keys, ..
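An added illustration of the "randomize VM characteristics" idea (my code, not VMCloak's): it produces the VBoxManage setextradata commands for the VirtualBox keys that control the IDE disk and CD-ROM identity strings and the BIOS DMI tables, as documented in the VirtualBox manual. Whether VMCloak sets exactly these keys is not stated on the slides; the vendor and model strings are made-up sample values, the VM name is a placeholder, and the machine name and username the slide also lists are guest-side settings that this does not touch.

```python
import random
import shlex
import string

# VirtualBox extradata keys (VirtualBox manual) with the length limits the
# manual gives for the IDE identity strings; 0 means no limit is enforced here.
IDE = "VBoxInternal/Devices/piix3ide/0/Config/"
BIOS = "VBoxInternal/Devices/pcbios/0/Config/"
FIELD_LIMITS = {
    IDE + "PrimaryMaster/ModelNumber": 40,
    IDE + "PrimaryMaster/SerialNumber": 20,
    IDE + "PrimaryMaster/FirmwareRevision": 8,
    IDE + "SecondaryMaster/ATAPIVendorId": 8,
    IDE + "SecondaryMaster/ATAPIProductId": 16,
    IDE + "SecondaryMaster/ATAPIRevision": 4,
    BIOS + "DmiBIOSVendor": 0,
    BIOS + "DmiBIOSVersion": 0,
    BIOS + "DmiSystemVendor": 0,
    BIOS + "DmiSystemProduct": 0,
    BIOS + "DmiSystemSerial": 0,
}

# Made-up, realistic-looking identity strings to draw from (constructed).
DISK_MODELS = ["WDC WD5000AAKX-001CA0", "ST500DM002-1BD142", "Hitachi HDS721050CLA362"]
CDROMS = [("HL-DT-ST", "DVDRAM GH24NSB0", "LN00"), ("TSSTcorp", "CDDVDW SH-224DB", "SB00")]
BIOSES = [("American Megatrends Inc.", "P1.80"), ("Dell Inc.", "A12")]
SYSTEMS = [("Dell Inc.", "OptiPlex 7010"), ("Hewlett-Packard", "HP Compaq Elite 8300")]

# Substrings a sample might look for; no generated value may contain them.
TELLTALES = ("vbox", "virtualbox", "innotek", "oracle", "vmware", "qemu")


def _serial(rng, length):
    """Random alphanumeric ID starting with a letter, so VirtualBox never
    treats it as a number (numeric-looking DMI values need a 'string:' prefix)."""
    alphabet = string.ascii_uppercase + string.digits
    body = "".join(rng.choice(alphabet) for _ in range(length - 1))
    return rng.choice(string.ascii_uppercase) + body


def cloak_values(seed=None):
    """Return {extradata_key: value}; deterministic for a given seed."""
    rng = random.Random(seed)
    cd_vendor, cd_product, cd_rev = rng.choice(CDROMS)
    bios_vendor, bios_version = rng.choice(BIOSES)
    sys_vendor, sys_product = rng.choice(SYSTEMS)
    values = {
        IDE + "PrimaryMaster/ModelNumber": rng.choice(DISK_MODELS),
        IDE + "PrimaryMaster/SerialNumber": _serial(rng, 12),
        IDE + "PrimaryMaster/FirmwareRevision": "%02d.%02d" % (rng.randint(1, 9), rng.randint(0, 99)),
        IDE + "SecondaryMaster/ATAPIVendorId": cd_vendor,
        IDE + "SecondaryMaster/ATAPIProductId": cd_product,
        IDE + "SecondaryMaster/ATAPIRevision": cd_rev,
        BIOS + "DmiBIOSVendor": bios_vendor,
        BIOS + "DmiBIOSVersion": bios_version,
        BIOS + "DmiSystemVendor": sys_vendor,
        BIOS + "DmiSystemProduct": sys_product,
        BIOS + "DmiSystemSerial": _serial(rng, 7),
    }
    # Self-check: respect the field limits and never emit a telltale string.
    for key, value in values.items():
        limit = FIELD_LIMITS[key]
        if limit and len(value) > limit:
            raise ValueError("%s too long (%d > %d)" % (key, len(value), limit))
        if any(t in value.lower() for t in TELLTALES):
            raise ValueError("telltale string in %s: %r" % (key, value))
    return values


def cloak_commands(vmname, seed=None):
    """argv lists for 'VBoxManage setextradata <vm> <key> <value>', one per key."""
    return [["VBoxManage", "setextradata", vmname, key, value]
            for key, value in cloak_values(seed).items()]


if __name__ == "__main__":
    # Dry run: print the commands instead of running them. Apply them to a
    # powered-off VM before taking the snapshot Cuckoo restores from.
    for argv in cloak_commands("cuckoo1", seed=1):
        print(" ".join(shlex.quote(a) for a in argv))
```

This covers only the disk, CD-ROM and BIOS strings from the slide; as the anti-virtualization slides say, you will not kill every indicator this way, so pair it with the detection side and keep cloaking whatever the next sample probes for.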

VMCLOAK RESULTS

• Write one configuration file

• Run one command

• Wait a few hours

• ???

• Few dozen Virtual Machines ready for usage!

VMCLOAK QUICK GUIDE

# mkdir /mnt/winxp

# mount -o loop,ro winxp.iso /mnt/winxp

$ vmcloak -r cuckoo1 --serial-key AAAAA-BBBBB-…

Wait 10 minutes and done

LONGTERM ANALYSIS

LONGTERM ANALYSIS

• Normal analyses take 1-2 minutes

• Longterm analysis for specific binaries

• Analyze for weeks or even months

• Monitor malware for new C2 data

• New hostnames

• New IP addresses

• Executed commands

• Dropped files

• Updated malware sample

IMPLEMENTATION PROBLEMS

• 1-minute analysis can produce 20 MB of logs

• What about a month?

• Keep all the logs..?

• What about the network dump?

• Processing & Signature modules?

• Normally run after the analysis?

• What about realtime results?

Work in progress

DISTRIBUTED CUCKOO

DISTRIBUTED CUCKOO

• Loadbalancer

• One Cuckoo REST API

• Many Cuckoo machines

• Big machine, 16-24 cores

• Handle 15-50k analyses/day

• Scale it up as much as you like

• "Big Data Malware Analysis"

Diagram: a distributed REST API in front of Cuckoo #1, Cuckoo #2 and Cuckoo #3, with the analysis VMs (Egg #1 to Egg #9) spread across the three Cuckoo hosts.

BIG DATA: INDICATOR OF COMPROMISE

SETUP.SH

SETUP.SH

• Run once on a plain Debian server

• Wait a few hours

• And ready!

• Point-and-click

CONCLUSIONS

SUMMING UP

• Open source solution (and will remain so)

• Flexible and customizable

• Easy to integrate

• Very actively developed

FUTURE

FUTURE #2

• Bare-metal support

• Almost ready!

• Linux

• Mac OS X

• Feedback!

www.cuckoosandbox.org

@cuckoosandbox