{"id":9186,"date":"2012-05-24T12:21:13","date_gmt":"2012-05-24T10:21:13","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9186"},"modified":"2012-05-24T12:21:13","modified_gmt":"2012-05-24T10:21:13","slug":"hitb2012ams-day-1-one-flew-over-the-cuckoos-nest","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-one-flew-over-the-cuckoos-nest\/","title":{"rendered":"HITB2012AMS Day 1 - One Flew Over The Cuckoos Nest"},"content":{"rendered":"

One Flew Over The Cuckoos Nest - Automated Malware Analysis<\/h3>\n

Claudio Guarnieri<\/a>, senior researcher at iSight Partner, and part of the Shadowserver Foundation and the HoneyPot project. \u00a0He works with malware on a daily basis, maintains malwr.com and is the main developer of the Cuckoo Sandbox, which is also the main topic of his talk.<\/p>\n

Claudio explains that there are some other people involved with the Cuckoo sandbox development and wants to make sure those guys receive proper credits for their work as well, even if they are not in the room. \u00a0Big thumbs up to Dario Fernandes and Alessandro Tanasi<\/p>\n

Manual analysis of malware takes a lot of time. You might have to to deal with unpacking routines, polymorphic code, and all kinds of other time consuming tasks. Multiply that with the number of malware to analyze, it's clear that automation is needed.<\/p>\n

Claudio explains that he wanted to write his own tools because the available commercial tools were expensive and don't necessarily do what he wants them to do. \u00a0There are some cons about automation too - some parts of malware code might not get reached, it might be hard to detect the environment, and so on.<\/p>\n

To prepare for an automated malware analysis, you'll need to set your expectations right. \u00a0The analysis environment needs to be designed properly and you need a good way to gather data, Claudio explains. \u00a0 You need to ask yourself if you need a sandbox in the first place. \u00a0What do you expect to achieve? What info is going to be most relevant and who is going to use the results? \u00a0What do you want to analyze ? \u00a0 file formats ? \u00a0What version ? What app ? \u00a0Browsers ? \u00a0Do you want it to communicate with the outside or not ? \u00a0There's plenty of questions you should ask yourself in order to perform a good analysis.<\/p>\n

Based on those questions and requirements, Claudio decided to write the Cuckoo sandbox. \u00a0It uses virtualization, open source, started as a Google Summer of Code project (in 2010) and heavily based on python code. \u00a0Recently, it won the first round of the Rapid7 Magnificent7 contest.<\/p>\n

It generates Win32 function call trace, dropped files, screenshots, network traffic dumps and comprehensive reports. Claudio continues by explaining some of the major components of the Cuckoo sandbox : the scheduler, the analyzer and how API's get hooked.<\/p>\n

Scheduler<\/p>\n