Mo Malware Mo Problems - Cuckoo Sandbox to the rescue presented at BlackHatUSA 2013

by Claudio Guarnieri, Jurriaan Bremer, Mark Schloesser,

Summary : Cuckoo Sandbox is a widely used open-source project for automated dynamic malware analysis. It takes malicious documents or URLs as input and provides both high-level overview reports as well as detailed API call traces of the activities observed inside a virtual machine. The project was founded by Claudio Guarnieri and is mainly developed by four developers in their free time and during weekends. Cuckoo Sandbox distinguishes from other solutions thanks to its modular design and flexible customization features. Because of this unique emphasis several large IT corporations and security companies run Cuckoo Sandbox to analyze malware samples on a daily basis and it’s often placed alongside with traditional perimeter security products as an added weapon to incident response and security teams’ arsenals. Being open-source, it also empowers independent and academic security researchers to use a full-fledged malware analysis sandbox freely.
For the latest available version we saw more than 8000 downloads and a few hundred constantly running deployments with enabled update-checks. This community also contributes to the project in various forms such as setup instructions, code contributions, behavioral signatures, feature requests and usability feedback and is actively engaged in conversations over mailing lists and IRC.
The development team already presented about the project and conducted trainings on several occasions. However due to a wealth of new features and increased development effort, the project is growing and becoming more stable and capable in the recent times. For this reason we want to host a workshop that we designed from scratch with a completely new approach. It will showcase the tool, contain several challenging hands-on exercises with interesting malware samples and explain customization possibilities again with examples that attendees can try. Additionally in this presentation we cover our new VM-introspection based analysis module for the first time. We intend to release it as an alternative to our userland hooking based approach in order to evade malware trying to detect us. So in the future, users can use several analysis methods and compare results to pinpoint evasion techniques.
The audience can interact and participate to the workshop with just a web browser and an SSH client.