Friday, April 26, 2013

Basic malware analysis with Cuckoo Sandbox

Being short-handed at work, most of my time is spent putting out one fire or another.  When we have a machine get compromised, we rebuild it and get it back into service. Having time to spend analyzing the malware is a luxury that, more times than not, we just don't have.  I came across a slide deck about Cuckoo Sandbox that was put together by Cory Kennedy for a talk last year; it looked interesting and, if implemented, just might give me the ability to do some basic analysis.

What is Cuckoo Sandbox?  From their website:
In three words, Cuckoo Sandbox is a malware analysis system.
What does that mean? It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such a file did when executed inside an isolated environment.
A typical scenario in which I've been using it goes like this.

1. A computer is infected with some kind of malware.
2. Image the PC and get it back into service.
3. Review the IDS logs and pcaps from Security Onion for the affected machine.
4. Extract the relevant executables, scripts, or URLs.
5. Run them through Cuckoo to get more details that will assist in future detection/prevention.

I've been seeing a lot of the Windows 7 Security Cleaner malware the last couple of weeks.  Due to its literal in-your-face nature, I normally get notified pretty quickly after the user clicks "Run".  (Why VIPRE missed it and why the users continue to click Run after repeated training are among life's great mysteries.)  Since I'm collecting full pcap data from Security Onion and I have a narrow window in which the infection most probably occurred, it is easier to find and extract the executable by pivoting to NetworkMiner from sguil than to crawl through the image.  I can then push the executable, security_cleaner.exe, up to Cuckoo for some basic analysis.

To get Cuckoo up and running make sure to check out the official documentation.  I found a really great write-up on how to get it going over at Santiago Bassett's blog. He lists step by step how to install and configure all the parts and pieces.

So let's fire up Cuckoo.  While the image below doesn't show it, I found that I like to use the debug option (-d) for a better view of what's going on.

 #sudo python -d


Then, in a new terminal window, feed in the malware sample.  In this instance, a Black Hole Exploit Kit sample.

#sudo python ./utils/ privacy.exe

The Cuckoo server will accept the sample, spin up the VM that you designated, copy over the sample, run it, analyze the results, and generate a report.  AUTOMAGICALLY!  All kidding aside, this is very cool and very useful.

The report includes all sorts of useful information, like DNS requests made, processes started, files created, and registry changes.  It also submits the sample to VirusTotal for analysis and includes those results.
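Step 5 of the workflow above is where the report earns its keep: the DNS names, dropped files and Run keys it lists are exactly what you feed back into the IDS and host checks. The script below is an added example, not part of the original post or of Cuckoo itself. It parses the JSON report Cuckoo writes alongside the HTML one and pulls out those indicators. The field names (network.dns, behavior.summary, virustotal) follow the layout of Cuckoo's report.json as I understand it for this era, but treat them as assumptions and adjust for your version; the embedded report is a constructed sample, and the hostnames, IPs and MD5 are placeholders.

```python
import json

# Constructed sample: a trimmed-down report.json in the shape Cuckoo 0.x writes
# (network.dns, behavior.summary, virustotal). The field names are assumptions
# based on that layout; the hosts, IPs and MD5 are placeholders, not real IoCs.
SAMPLE_REPORT = json.dumps({
    "info": {"id": 42, "started": "2013-04-26 10:15:00"},
    "target": {"file": {"name": "security_cleaner.exe", "md5": "PLACEHOLDER_MD5"}},
    "network": {
        "dns": [
            {"hostname": "update.example-bad.test", "ip": "203.0.113.10"},
            {"hostname": "cdn.example-bad.test", "ip": "203.0.113.11"},
            {"hostname": "update.example-bad.test", "ip": "203.0.113.10"},
        ],
        "http": [
            {"host": "update.example-bad.test", "uri": "/gate.php", "method": "POST"},
        ],
    },
    "behavior": {
        "processes": [
            {"process_name": "security_cleaner.exe", "process_id": 1234, "parent_id": 1000},
            {"process_name": "cmd.exe", "process_id": 1300, "parent_id": 1234},
        ],
        "summary": {
            "files": ["C:\\Users\\user\\AppData\\Roaming\\svc.exe",
                      "C:\\Windows\\Temp\\~tmp1.tmp"],
            "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
            "mutexes": ["Local\\ExampleMutex"],
        },
    },
    "virustotal": {"positives": 14, "total": 46},
})


def summarize_report(report_text):
    """Pull the indicators a defender wants out of a Cuckoo JSON report.

    Returns a dict with deduplicated DNS names and resolved IPs, HTTP requests,
    the process tree as (child, parent) name pairs, files and registry keys
    touched, mutexes, any autostart keys, and the VirusTotal hit ratio.
    """
    r = json.loads(report_text)
    net = r.get("network", {})
    beh = r.get("behavior", {})
    summary = beh.get("summary", {})

    # DNS: Cuckoo records every query; collapse repeats but keep first-seen order.
    dns = list(dict.fromkeys(e["hostname"] for e in net.get("dns", []) if e.get("hostname")))
    ips = list(dict.fromkeys(e["ip"] for e in net.get("dns", []) if e.get("ip")))
    http = ["%s %s%s" % (h.get("method", "GET"), h.get("host", ""), h.get("uri", ""))
            for h in net.get("http", [])]

    # Process tree: map pid -> name so each child can be paired with its parent.
    procs = beh.get("processes", [])
    names = {p["process_id"]: p["process_name"] for p in procs}
    tree = [(p["process_name"], names.get(p["parent_id"], "<unknown>")) for p in procs]

    # Registry keys under ...\Run or ...\RunOnce are the usual persistence spots.
    keys = sorted(set(summary.get("keys", [])))
    persistence = [k for k in keys if k.endswith("\\Run") or k.endswith("\\RunOnce")]

    vt = r.get("virustotal", {})
    positives, total = vt.get("positives", 0), vt.get("total", 0)

    return {
        "sample": r.get("target", {}).get("file", {}).get("name"),
        "dns": dns,
        "ips": ips,
        "http": http,
        "process_tree": tree,
        "files": sorted(set(summary.get("files", []))),
        "registry_keys": keys,
        "persistence": persistence,
        "mutexes": sorted(set(summary.get("mutexes", []))),
        "vt_ratio": "%d/%d" % (positives, total),
    }


def indicators_for_blocklist(summary):
    """Flatten the network indicators into one list for a DNS/IP blocklist."""
    return summary["dns"] + summary["ips"]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    for key, value in s.items():
        print("%-14s %s" % (key, value))
    print("blocklist      %s" % indicators_for_blocklist(s))
```

Point it at the real file with summarize_report(open("storage/analyses/<id>/reports/report.json").read()) and the dns/ips list is ready to drop into a Security Onion rule or a DNS blocklist, while the persistence and files lists tell you what to look for on other hosts that may have run the same sample.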

Another neat feature is that it takes periodic screenshots of the VM and includes them in the report.

Although I've just started to scratch the surface, Cuckoo Sandbox has already become a valuable tool in the toolbox.
