While the “pencil down” date is approaching, i would like to announce the latest situation at Webviz project. From the last time till time, there have been some changes at the visualization:

* The size of the visualization increased * A better map is located as base map * Mesh working principle is changed from country based to IP based. The returning database results are grouped by IP. * Legends are detailed * For a better distributed results, an IP set that is collected for a long period is also added to the database.

The whole implementation is mainly consisted of 4 modules: central controller, emulator, dummy control and list. Central controller is a dynamic link library written in C++. Emulator and dummy control are COM components written in python and registered into registry by win32com.server.register.UseCommandLine. List is a text file in a certain format to read and modify.
The implementation considers the further updating for new controls’ emulation. One need only modified the emulating, existing of available list and adding new methods into emulator. The Central controller needs not to do any change. Below is the description for each module.

Cuckoo Sandbox is a malware analysis system capable to outline the behavior of a malware during its execution. In order to generate such results, Cuckoo performs hooking of a number of selected Windows functions, intercept their calls and after storing the relevant informations and eventually performing additional actions, returns the exection to the original code.

Until now it made use of latest Microsoft Detours Express. Part of the work of this Google Summer of Code was to implement a custom hooking engine to completely replace the old one. The motivations for such change are essentially the following: - Detours implements a single and very simple inline hook, consisting of replacing the first bytes of the functions with a JMP to the new “detouring” function. Consequently it can be very easily detected by just checking for the E9 opcode as following:

I am pleased to announce the next forensic challenge: Forensic Challenge 9 - “Mobile Malware”.

The challenge has been created by by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from Malaysia Chapter and Matt Erasmus from South Africa Chapter.

Submission deadline is September 4th and we will be announcing winners around the third week of September. We have a few small prizes for the top three submissions.

Folks,
the submission deadline for the Forensic Challenge 8 – “Malware Reverse Engineering” - put up by Guido Landi and Angelo Dell’Aera from the Sysenter Chapter - has passed. We have received 6 submissions and will be announcing results on Wed, Aug 31th 2011. The top three submissions will be awarded little prizes.

For your information a new Forensic Challenge will start in a few hours. This time you will be asked to dive into the mobile malware world. Stay tuned!

The GUI tool for static analysis of Android malware is ready for an alpha release. For more details regarding this project, check here.

In the alpha release, the following features have been finished.

(1) Show the CFG (control flow graph) for a given method
(2) Show the smali codes for a given method.
(3) Show the Java codes for a given java file.
(4) Show the betecodes for a given method.
(5) Show all strings, methods and classes.
(6) Show the APK’s related information.
(7) Drag and zoom in/out the CFG.
(8) Modify the content of nodes in the CFG.

The Android application sandbox is now ready for an alpha release. Details on how to get DroidBox running are available at the project webpage.

At the moment, the following actions are logged during runtime:

• File read and write operations
• Cryptography API activity
• Opened network connections
• Outgoing network traffic
• Information leaks through the following sinks: network, file, sms
• Attempts to send SMS
• Phone calls that have been made

An analysis output looks like the following sample report:

For the forthcoming midterm evaluation of Gsoc2011, I made a lot of progress with the code and now I’m about to publish the alpha release. Before the alpha release is released, I have decided to post a blog to inform everyone about the progress of project 6 (Static Analysis of Android Malware).

Our tool is written by PyQt, which is a great interface to Qt for Python. It is very easy to design the UI by Qt Designer. Qt contains lots of libraries to support pretty UI framework. What’s more, Qt supports cross platform applications.

By now, what I have done for Capture-HPC is:

1. 1. Write a Mock Capture Server.

This is to help dubugging and coding the Capture client. According to the message format defined in ealier Capture, the mock server will send an command to client firstly and then keep listening to client’s log.

After the server’s working, we can start the Capture Client. The command is same as the earlier beta, although I updated the client code, which changes the way that invoke an IE process.

The review period is coming and i decided to write an entry to inform about the Webviz project. Till now the first output of the project is a proof of concept work[1] (requires WebGL supported browser, tested on Firefox 5 and Firefox 4, on other browsers i don’t guarantee it works fine).

The figure displays the visualized data. The elevations corresponds to the geograpical malware numbers. The more malware detected the higher peeks are represented with changing color.