To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Blogs

DroidBox: beta release

The beta version is out and the install instructions are available on the project webpage. The new features are:

  • Prevent some emulator evasion techniques
  • Added visualization of analysis results
  • Automated app installation and execution
  • Displaying analysis information about the APK
  • Static pre-check extracts the app's registered Intents

The following figures show the new visualization added to the beta version.

[Figure: DroidBox treemap] [Figure: DroidBox behavior graph]

Forensic Challenge 9 - "Mobile Malware" - Deadline Extended

Taking a look at the small number of submissions we received it seems like August is a perfect month for the seaside but not for a Forensic Challenge. For this reason we decided to extend the submission deadline to September 30th. The submissions received before the old deadline (September 4th) will be granted a few extra bonus points.

Have fun!

Angelo Dell'Aera
The Honeynet Project

Forensic Challenge 8 – “Malware Reverse Engineering” - And the winners are...

Folks,
Guido and I have judged all submissions and results have been posted on the challenge web site. The winners are:

1. Lutz Schildt
2. Sebastian Eschweiler
3. Luka Milković

This was one of the most difficult challenges we ever proposed, so really congratulations to the winners and thanks to the other participants!

Angelo Dell'Aera
The Honeynet Project

Beta release of libemu qemu extension

As part of this year’s Summer of Code, I programmed an extension for the shellcode detection and analysis library libemu. The main goal of the project was to increase the performance when executing shellcode, with the help of a virtualizer. Prior to this extension, libemu made use of a custom emulator, which supported only instructions mostly used in shellcode. With this extension, libemu utilizes a full-blown, completely functioning virtualizer, which executes code presumably the same way a real CPU does.

HoneyViz demo is out for your viewing pleasure

We've set up a demonstration site for HoneyViz (Project #3) at

http://50.16.162.188:6174/

APKInspector BETA Release & Demo Video

As the deadline of GSoC has passed, I would like to announce the APKinspector Beta 1.0. APKinspector is a tool to help Android application analysts and reverse engineers analyze compiled Android packages and their corresponding code. You can review the Alpha version report and the page of this project to know more about it.

Click the picture below to watch a full demonstration video of APKInspector:

[Video: APKInspector Demo Video]

Chinese viewers may view the demo at: http://v.youku.com/v_show/id_XMjk3ODAwMzU2.html

Based on the Alpha release, APKinspector has added some features as follows:

AxMock is released for your review

We have set up a project on Google Code; you can browse AxMock at the link
http://code.google.com/p/axmock

AxMock is a detection tool for malicious web pages that attack ActiveX controls. It runs in Internet Explorer 7 and the formal version.

It is tested with Visual Studio 2008 and Python 2.6 with the pywin32 package, though I believe that you can also compile it with later versions.

For more usage information, please check out the Wiki on my project's Google Code page.

Webviz is out for your reviews

While the "pencils down" date is approaching, I would like to announce the latest status of the Webviz project. Since the last update, there have been some changes to the visualization:

* The size of the visualization has increased
* A better map is used as the base map
* The mesh working principle has changed from country based to IP based. The returned database results are grouped by IP.
* Legends are more detailed
* For better distributed results, an IP set collected over a long period has also been added to the database.

The latest result is as below:

[Figure: Webviz Preview]

Implementation: the whole hooking and some modules

The whole implementation mainly consists of 4 modules: central controller, emulator, dummy control and list. The central controller is a dynamic link library written in C++. The emulator and dummy control are COM components written in Python and registered in the registry by win32com.server.register.UseCommandLine. The list is a text file in a certain format that is read and modified.

cHook - The new CuckooBox Hooking Engine

Cuckoo Sandbox is a malware analysis system capable of outlining the behavior of a malware sample during its execution. In order to generate such results, Cuckoo hooks a number of selected Windows functions, intercepts their calls and, after storing the relevant information and possibly performing additional actions, returns execution to the original code.

Until now it made use of the latest Microsoft Detours Express. Part of the work of this Google Summer of Code was to implement a custom hooking engine to completely replace the old one.
