Mo' Malware, Mo' Problems - Cuckoo Sandbox to the Rescue

Presented at Black Hat USA 2013, Aug. 1, 2013, 10:15 a.m. (60 minutes).

Cuckoo Sandbox is a widely used open-source project for automated dynamic malware analysis. It takes malicious files, documents or URLs as input and produces both high-level overview reports and detailed API call traces of the activities observed inside a virtual machine. The project was founded by Claudio Guarnieri and is mainly developed by four developers in their free time and during weekends. Cuckoo Sandbox distinguishes itself from other solutions through its modular design and flexible customization features. Because of this emphasis, several large IT corporations and security companies run Cuckoo Sandbox to analyze malware samples on a daily basis, and it is often deployed alongside traditional perimeter security products as an added weapon in the arsenals of incident response and security teams. Being open source, it also lets independent and academic security researchers use a full-fledged malware analysis sandbox freely.

For the latest available version we saw more than 8000 downloads and a few hundred constantly running deployments with update checks enabled. This community also contributes to the project in various forms, such as setup instructions, code contributions, behavioral signatures, feature requests and usability feedback, and is actively engaged in conversations over mailing lists and IRC.

The development team has already presented the project and conducted training sessions on several occasions. However, with a wealth of new features and increased development effort, the project has recently grown and become more stable and capable. For this reason we want to host a workshop that we designed from scratch with a completely new approach. It will showcase the tool, contain several challenging hands-on exercises with interesting malware samples, and explain customization possibilities, again with examples that attendees can try. Additionally, in this presentation we cover our new VM-introspection based analysis module for the first time. We intend to release it as an alternative to our userland hooking based approach, so that malware trying to detect the in-guest hooks no longer has anything to find. In the future, users will be able to run several analysis methods and compare their results to pinpoint evasion techniques.
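The comparison described above, running the same sample under two analysis methods and looking for the point where the observed behaviour diverges, can be illustrated with a small script. The following is an added example written for this page; it is not code from the Cuckoo project. The trace layout (a list of API name, arguments and return value per call) and both traces are constructed for illustration and are a simplified stand-in for a real sandbox report, not Cuckoo's own report format. The two behavioural checks at the end mimic the spirit of Cuckoo's community-contributed behavioral signatures, but their structure is this example's own.

```python
"""Diff two API call traces of the same sample and run two small
behavioural signatures over them.

Added example, not Cuckoo project code. The trace layout is an assumed,
simplified stand-in for a sandbox report: (api_name, arguments, return).
"""
from collections import Counter

# Constructed sample data (not captured from a real run).
DROP = "C:\\Users\\victim\\AppData\\Roaming\\svc.exe"
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Run 1: userland hooking. The sample looks for the in-guest hook DLL,
# finds it (non-zero handle) and bails out without doing anything.
HOOKED_TRACE = [
    ("GetModuleHandleA", {"module": "cuckoomon.dll"}, 0x10000000),
    ("IsDebuggerPresent", {}, 0),
    ("ExitProcess", {"code": 0}, None),
]

# Run 2: VM introspection. Nothing is injected into the guest, so the
# same lookup returns NULL and the sample proceeds to drop and persist.
VMI_TRACE = [
    ("GetModuleHandleA", {"module": "cuckoomon.dll"}, 0),
    ("IsDebuggerPresent", {}, 0),
    ("CreateFileW", {"path": DROP}, 0x1C),
    ("WriteFile", {"handle": 0x1C, "size": 81920}, 1),
    ("RegSetValueExA", {"key": RUN_KEY, "name": "svc", "value": DROP}, 0),
    ("CreateProcessW", {"path": DROP}, 1),
]


def api_counts(trace):
    """How often each API was called in a trace."""
    return Counter(api for api, _, _ in trace)


def divergence(a, b):
    """Find where two traces of the same sample part ways.

    first_divergence is the index of the first call that differs in API
    name or return value (None if one trace is a prefix of the other and
    the lengths match); only_in_a/only_in_b list APIs seen in one run only.
    """
    first = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x[0] != y[0] or x[2] != y[2]:
            first = i
            break
    if first is None and len(a) != len(b):
        first = min(len(a), len(b))
    return {
        "first_divergence": first,
        "only_in_a": set(api_counts(a)) - set(api_counts(b)),
        "only_in_b": set(api_counts(b)) - set(api_counts(a)),
    }


def sandbox_probe_signature(trace, hook_dlls=("cuckoomon.dll",)):
    """Signature: the sample probes for a known analysis hook DLL by name.
    Returns the DLL names it asked for (empty list = no hit)."""
    return [args["module"] for api, args, _ in trace
            if api == "GetModuleHandleA"
            and args.get("module", "").lower() in hook_dlls]


def persistence_signature(trace):
    """Signature: a file the sample itself created is registered in a
    Run key. Returns the matching paths (empty list = no hit)."""
    created = {args["path"].lower() for api, args, _ in trace
               if api == "CreateFileW" and "path" in args}
    hits = []
    for api, args, _ in trace:
        if api != "RegSetValueExA":
            continue
        in_run_key = "\\currentversion\\run" in args.get("key", "").lower()
        if in_run_key and args.get("value", "").lower() in created:
            hits.append(args["value"])
    return hits


if __name__ == "__main__":
    d = divergence(HOOKED_TRACE, VMI_TRACE)
    print("first divergence at call index", d["first_divergence"])
    print("only with hooking:", sorted(d["only_in_a"]))
    print("only with VMI:    ", sorted(d["only_in_b"]))
    for name, trace in (("hooked", HOOKED_TRACE), ("vmi", VMI_TRACE)):
        print(name, "probes for:", sandbox_probe_signature(trace),
              "persists:", persistence_signature(trace))
```

The divergence is reported at index 0 here: the API name matches in both runs, but the return value does not, which is exactly the check the sample uses to decide whether to misbehave. Diffing on return values as well as names is what makes the comparison useful for spotting evasion.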

The audience can interact and participate in the workshop with just a web browser and an SSH client.


Presenters:

  • Claudio Guarnieri / nex - Rapid7
    Claudio is an accomplished security researcher at Rapid7. While messing with malware he quickly discovered there was a lack of tools available; out of despair he developed the tools himself. Malwr.com and Cuckoo Sandbox (an open source malware analysis tool) are two of his recent noteworthy creations. He has been a violent advocate for open source tools in the security industry, is a core member of both the Shadowserver Foundation and The Honeynet Project, has presented at several international conferences, and his tackles on cybercrooks have been featured in the likes of Bloomberg and the New York Times. He can always be found ranting on Twitter @botherder.
  • Mark Schloesser - Rapid7
    Mark Schloesser is a security researcher at Rapid7, analyzing threats and developing countermeasures to help defenders understand and protect against the risks they face. He is also deeply involved in developing open-source software as part of the Honeynet Project and other communities. A strong focus for this has recently been building up the core of Cuckoo Sandbox, an automated malware analysis tool, as well as working on a real-time data-sharing framework. He is also a developer for the Dionaea honeypot and smaller projects such as the HoneyMap. In the 25th and 26th hour of the day he likes reverse engineering malware and botnets and participating in CTF competitions. In case you need some help on an interesting project, he easily gets excited and involved if you netcat him @repmovsb.
  • Jurriaan Bremer
    Jurriaan is a freelance security researcher from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. Jurriaan occasionally plays so-called Capture The Flag games as a member of De Eindbazen CTF Team and in his spare time he works as one of the Core Developers of Cuckoo Sandbox.