The Cuckoo sandbox
April 5, 2012. Posted by lvdeijk in Uncategorized.
Performing malware analysis, whether static, dynamic or both, can be an exciting but daunting task. The sheer amount of malware can be overwhelming at times. Between all the polymorphing Conficker junk that gets caught using, for example, the dionaea honeypot, really exciting stuff can be found.
But relying solely on sites like Anubis, CWSandbox or VirusTotal for dynamic analysis isn’t always a good idea, let alone in the situations one can think of that prohibit using them, whether by company policy or by law. While I fully support the general idea of sharing information and samples, I’ve experienced occasions that simply won’t allow it. It could be a situational matter. It could even be a confidential situation.
So with such a broad spectrum of tools and so little time at hand, what is a malware analyst to do? Well, the bright folks from the honeynet.org project brought us Cuckoo. Cuckoo Sandbox is developed by Claudio Guarnieri and Anthony Desnos. This project recently received awesome news from Rapid7: apart from the great recognition, they are also receiving a substantial sum of money to back the project.
So what does it do? Well, there is beauty in simplicity 🙂 The whole concept involves VirtualBox. You basically take an installation of the operating system you want to conduct your analysis on and install it in a virtual instance. Then you customise that installation to your needs/standards (Adobe Reader, for example). This could be a copy of your corporate environment, to emulate a real installation.
You do need to install Python 2.7 on your customised VirtualBox image.
Now, I don’t want to go over the exact installation details; there is good coverage on their website.
When finished, you make a snapshot of the VirtualBox instance, and that covers the basics. With the Cuckoo scripts in place, you can start the sandbox and start the analysis!
With the sandbox started, you simply submit the sample to the running snapshot of your operating system installation and set the malware free to let the infection do its thing. After some time a delta is created of everything that changed in your snapshot, and a nice report is made for you to study. Needless to say, the whole process is undone when finished, so you can start over with the next sample.
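To make the "delta" idea from the workflow above concrete, here is an added example (not code from the Cuckoo project, and not how Cuckoo itself collects its data; real Cuckoo uses an in-guest agent and API hooking to capture far more than a state diff). It models a guest inventory taken at snapshot time and a second inventory taken after the sample has run, diffs the two, and flags the two changes a first-pass analyst looks at first: new autorun registry entries and executables dropped in user-writable directories. All paths, hashes and registry values are constructed for the example.

```python
"""Minimal snapshot-delta model of a sandbox run (added example, not Cuckoo code).

A GuestState is the inventory of a virtual machine: file path -> SHA-256 of
contents, and registry value path -> data. diff_state() computes what the
sample created, modified or deleted between the clean snapshot and the
post-execution state; suspicious_indicators() picks out the changes that
usually matter most in a first look at the report.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class GuestState:
    files: dict      # absolute path -> sha256 hex digest of the file contents
    registry: dict   # full key\value path -> string data


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_state(baseline: GuestState, after: GuestState) -> dict:
    """Return {'files': {...}, 'registry': {...}} with sorted created/deleted/modified lists."""
    report = {}
    for section in ("files", "registry"):
        before = getattr(baseline, section)
        now = getattr(after, section)
        report[section] = {
            "created": sorted(set(now) - set(before)),
            "deleted": sorted(set(before) - set(now)),
            # present in both inventories but with different content/data
            "modified": sorted(k for k in before.keys() & now.keys() if before[k] != now[k]),
        }
    return report


def suspicious_indicators(report: dict) -> list:
    """Flag autorun persistence and binaries dropped into temp/profile directories."""
    flags = []
    autorun_markers = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
    for key in report["registry"]["created"] + report["registry"]["modified"]:
        if any(marker in key.lower() for marker in autorun_markers):
            flags.append(f"persistence: {key}")
    for path in report["files"]["created"] + report["files"]["modified"]:
        lower = path.lower()
        if lower.endswith((".exe", ".dll")) and ("\\temp\\" in lower or "\\appdata\\" in lower):
            flags.append(f"dropped binary: {path}")
    return flags


# --- constructed sample data: a clean snapshot and the state after one run ---
HOSTS = "C:\\Windows\\System32\\drivers\\etc\\hosts"
READER = "C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe"
DROPPED = "C:\\Users\\analyst\\AppData\\Local\\Temp\\svchost.exe"
ARM_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Adobe ARM"
NEW_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"

BASELINE = GuestState(
    files={
        HOSTS: sha256(b"127.0.0.1 localhost\r\n"),
        READER: sha256(b"constructed reader bytes"),
    },
    registry={ARM_KEY: '"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"'},
)

AFTER = GuestState(
    files={
        # the sample appended a line to the hosts file (constructed content)
        HOSTS: sha256(b"127.0.0.1 localhost\r\n127.0.0.1 updates.av-vendor.example\r\n"),
        READER: BASELINE.files[READER],            # untouched
        DROPPED: sha256(b"constructed dropper bytes"),
    },
    registry={
        ARM_KEY: BASELINE.registry[ARM_KEY],       # untouched
        NEW_KEY: DROPPED,                          # new Run entry pointing at the drop
    },
)


def run_example():
    """Diff the constructed states and return (report, flags)."""
    report = diff_state(BASELINE, AFTER)
    return report, suspicious_indicators(report)


if __name__ == "__main__":
    rep, found = run_example()
    for section, changes in rep.items():
        for kind, items in changes.items():
            for item in items:
                print(f"{section:8} {kind:8} {item}")
    for flag in found:
        print("FLAG", flag)
```

Running the script lists the modified hosts file, the dropped executable and the new Run value, then the two flags. In practice the report is only a starting point: a sample that detected the virtual machine and did nothing produces an empty delta, which is exactly the drawback mentioned below.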
Now I realise that this isn’t a silver bullet solution. There are many more steps to take in doing a thorough analysis. However, it gives a quick overview and some first impressions on what the malware wanted to manipulate.
One major drawback is malware that checks for a virtual environment. All in all, I think it is a nice addition to the malware analyst’s toolbox.
To see Cuckoo in action versus Zeus, here is the link to their site