Cuckoo Sandbox is a malware analysis system capable to outline the behavior of a malware during its execution. In order to generate such results, Cuckoo performs hooking of a number of selected Windows functions, intercept their calls and after storing the relevant informations and eventually performing additional actions, returns the exection to the original code.

Until now it made use of latest Microsoft Detours Express. Part of the work of this Google Summer of Code was to implement a custom hooking engine to completely replace the old one. The motivations for such change are essentially the following: - Detours implements a single and very simple inline hook, consisting of replacing the first bytes of the functions with a JMP to the new “detouring” function. Consequently it can be very easily detected by just checking for the E9 opcode as following:

The GUI tool for static analysis of Android malware is ready for an alpha release. For more details regarding this project, check here.

In the alpha release, the following features have been finished.

(1) Show the CFG (control flow graph) for a given method
(2) Show the smali codes for a given method.
(3) Show the Java codes for a given java file.
(4) Show the betecodes for a given method.
(5) Show all strings, methods and classes.
(6) Show the APK’s related information.
(7) Drag and zoom in/out the CFG.
(8) Modify the content of nodes in the CFG.

For the forthcoming midterm evaluation of Gsoc2011, I made a lot of progress with the code and now I’m about to publish the alpha release. Before the alpha release is released, I have decided to post a blog to inform everyone about the progress of project 6 (Static Analysis of Android Malware).

Our tool is written by PyQt, which is a great interface to Qt for Python. It is very easy to design the UI by Qt Designer. Qt contains lots of libraries to support pretty UI framework. What’s more, Qt supports cross platform applications.

By now, what I have done for Capture-HPC is:

1. 1. Write a Mock Capture Server.

This is to help dubugging and coding the Capture client. According to the message format defined in ealier Capture, the mock server will send an command to client firstly and then keep listening to client’s log.

After the server’s working, we can start the Capture Client. The command is same as the earlier beta, although I updated the client code, which changes the way that invoke an IE process.

One of the very first Android malwares, Geinimi has been analyzed in the application sandbox DroidBox that is currently being developed. The project is part of GSoC 2011 in collaboration with Honeynet and as a master thesis. The Geinimi application uses DES encryption, and it’s possible to uncrypt statically the content, see picture below.

But it’s very easy to do that because the key is not well hidden, so an approach by using dynamic analysis will be more interesting with complex samples. This first real-world sample analysis was carried out to specifically test the crypto API logging.

Project Description:
Proposed Capture-HPC Description

Capture-HPC is a high-interaction client honeypot that is capable of seeking out and identifying client-side attacks. It identifies these attacks by driving a vulnerable client to open a file or interact with a potentially malicious server. As it processes the data, Capture-HPC monitors the system for unauthorized state changes that indicate a successful attack has occurred. It is regularly used in surveys of malicious websites that launch drive-by-download attacks.

Folks, Google has just announced the accepted projects on the GSoc website. We had an excellent line up of students and proposals this year and were able to accept 12 projects! Thanks for all the students who have applied this year and congratulations to all accepted!

Christian

With GSoC 2011 student applications having been open for the past week, we’ve been having a number of interesting discussions with potential students on both #gsoc2011-honeynet on irc.freenode.net and on our public GSoC mailing list and this summer is already looking to have many exciting project ideas.

Student applications run through to Friday April 8th at 19:00 UTC, so if you are a student interested in participating in GSoC 2011 with the Honeynet Project, please take a look at our GSoC 2011 project ideas and make the most of the remaining time to get involved. We cover a very wide range of projects, tools and technologies, so hopefully there is something available to interest everyone, whatever their experience.

Our annual workshop in Paris got off to the perfect start this weekend when Google went live with the new look GSoC 2011 Melange site and announced which lucky organizations had been accepted as mentoring orgs for GSoC 2011.

The Honeynet Project were delighted to have been successful again this year and to have been accepted as one of 173 organizations who will be mentoring GSoC 2011 student projects this summer! Many thanks go to Google for their continued support for FOSS (particularly the ever supportive Carol), and to all our members and potential students for their interest, support and enthusiasm so far.

23:00 UTC Friday March 11th was the first deadline for Google Summer of Code 2011, and the cut off point for organizations interesting in participating to complete their org application.

I’m very pleased to confirm that the Honeynet Project have once again applied. Whilst we now patiently wait for Google to announce which organizations will be selected to participate on March 18th, interested prospective students can start looking at our our initial GSoC 2011 project ideas and find more information about getting involved with the Honeynet Project and Google Summer of Code 2011 here - including contact details for email and IRC. Please feel free to get in touch if you have any questions or project ideas.