Cuckoo Sandbox is a malware analysis system capable of outlining the behavior of a malware sample during its execution. To generate such results, Cuckoo hooks a number of selected Windows functions, intercepts their calls and, after storing the relevant information and possibly performing additional actions, returns execution to the original code.
Until now it used the latest Microsoft Detours Express. Part of the work of this Google Summer of Code was to implement a custom hooking engine to completely replace the old one.
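The hooking sequence described above (patch the entry of a selected function, intercept the call, record it, hand control back to the original code) as an added example in C. This is not Cuckoo's engine or any of its code: it targets x86-64 Linux rather than Windows, `target_write_file` is a hypothetical stand-in for a hooked API such as WriteFile, and the hook returns to the original code by temporarily restoring the displaced bytes instead of building a trampoline, which is what a production engine like Detours does.

```c
/* Inline hook of a native function on x86-64 Linux: added example, not Cuckoo's
 * engine. target_write_file() is a hypothetical stand-in for a hooked Windows
 * API such as WriteFile. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PATCH_LEN 12      /* movabs rax, imm64 (10 bytes) + jmp rax (2 bytes) */
#define MAX_LOG   8

typedef int (*write_file_fn)(const char *path, const char *data, size_t len);

/* Stand-in for the real API: returns an FNV-1a checksum of the "written" data so
 * that transparency of the hook can be checked. noinline/noclone keep one copy
 * of the code at a stable address to patch. */
__attribute__((noinline, noclone))
int target_write_file(const char *path, const char *data, size_t len) {
    unsigned sum = 2166136261u;
    for (size_t i = 0; i < len; i++) { sum ^= (unsigned char)data[i]; sum *= 16777619u; }
    (void)path;
    return (int)(sum & 0x7fffffff);
}

static uint8_t *g_target;               /* entry point being hooked        */
static uint8_t  g_saved[PATCH_LEN];     /* original bytes displaced by jmp */
static uint8_t  g_patch[PATCH_LEN];     /* the jmp written over them       */
static char     g_log[MAX_LOG][96];
static int      g_log_count;

/* The hook has the target's signature, so it receives the caller's arguments
 * unchanged when the patched entry point jumps here. */
static int hooked_write_file(const char *path, const char *data, size_t len) {
    /* 1. store the relevant information: this is what the sandbox reports */
    if (g_log_count < MAX_LOG)
        snprintf(g_log[g_log_count], sizeof g_log[0], "WriteFile(path=%s, len=%zu)", path, len);
    g_log_count++;
    /* 2. return execution to the original code: restore its first bytes, call
     * it, re-arm the hook. Unpatch/repatch is not thread-safe; a production
     * engine such as Detours relocates the displaced instructions into a
     * trampoline and calls that instead. */
    memcpy(g_target, g_saved, PATCH_LEN);
    int ret = ((write_file_fn)(uintptr_t)g_target)(path, data, len);
    memcpy(g_target, g_patch, PATCH_LEN);
    return ret;
}

static int hook_install(void *target, void *hook) {
    uintptr_t addr = (uintptr_t)target, page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = addr & ~(page - 1);
    /* code pages are r-x: make the one holding the entry writable for the hook's lifetime */
    if (mprotect((void *)start, (addr - start) + PATCH_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    g_target = (uint8_t *)target;
    memcpy(g_saved, g_target, PATCH_LEN);
    uint64_t dst = (uint64_t)(uintptr_t)hook;
    g_patch[0] = 0x48; g_patch[1] = 0xB8;     /* movabs rax, <hook address> */
    memcpy(&g_patch[2], &dst, sizeof dst);
    g_patch[10] = 0xFF; g_patch[11] = 0xE0;   /* jmp rax */
    memcpy(g_target, g_patch, PATCH_LEN);
    return 0;
}

const char *hook_log_entry(int i) { return (i >= 0 && i < g_log_count && i < MAX_LOG) ? g_log[i] : ""; }

/* Calls the "API" unhooked, installs the hook, calls it again with the same
 * arguments and returns the number of intercepted calls (2). Returns -1 if the
 * platform cannot patch code this way and -3 if the hook changed a result. */
int hook_demo(void) {
    static int done, result;
    if (done) return result;
    done = 1;
#if defined(__x86_64__) && defined(__linux__)
    volatile write_file_fn api = target_write_file;   /* volatile: force real calls */
    int ref1 = api("C:\\Users\\victim\\evil.exe", "MZ\x90", 3);
    int ref2 = api("C:\\Users\\victim\\notes.txt", "hello", 5);
    if (hook_install((void *)(uintptr_t)target_write_file,
                     (void *)(uintptr_t)hooked_write_file) != 0)
        return result = -1;
    int r1 = api("C:\\Users\\victim\\evil.exe", "MZ\x90", 3);
    int r2 = api("C:\\Users\\victim\\notes.txt", "hello", 5);
    result = (r1 == ref1 && r2 == ref2) ? g_log_count : -3;
#else
    result = -1;
#endif
    return result;
}

int main(void) {
    int n = hook_demo();
    for (int i = 0; i < n; i++) printf("%s\n", hook_log_entry(i));
    return n == 2 ? 0 : 1;
}
```

Compile with `cc -O2 hook.c` on x86-64 Linux; the two calls made after installation are logged while their return values stay identical to the unhooked ones, which is the transparency a sandbox needs so that the sample cannot tell it is being observed by its results. Keeping the code page RWX and unpatching per call is the simplest correct scheme; it is also why real engines prefer trampolines, since a second thread entering the function during the unpatched window would run unhooked.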
The GUI tool for static analysis of Android malware is ready for an alpha release. For more details regarding this project, check here.
In the alpha release, the following features have been completed.
(1) Show the CFG (control flow graph) for a given method.
(2) Show the smali code for a given method.
(3) Show the Java code for a given Java file.
(4) Show the bytecode for a given method.
For the forthcoming midterm evaluation of GSoC 2011, I have made a lot of progress with the code and I am now about to publish the alpha release. Before the alpha release is published, I have decided to post a blog entry to inform everyone about the progress of project 6 (Static Analysis of Android Malware).
Our tool is written with PyQt, which is a great Python interface to Qt. It is very easy to design the UI with Qt Designer.
By now, what I have done for Capture-HPC is:
Written a mock Capture server. This helps with debugging and coding the Capture client. Following the message format defined in earlier Capture, the mock server first sends a command to the client and then keeps listening to the client's log.
Once the server is working, we can start the Capture client. The command is the same as in the earlier beta, although I have updated the client code, which changes the way an IE process is invoked.
One of the very first Android malware families, Geinimi, has been analyzed in the application sandbox DroidBox, which is currently being developed. The project is part of GSoC 2011 in collaboration with the Honeynet Project and is also a master's thesis. The Geinimi application uses DES encryption, and it is possible to decrypt the content statically; see the picture below.
But that is only easy because the key is not well hidden, so with more complex samples an approach based on dynamic analysis will be more interesting.
Project Description:
Proposed Capture-HPC Description
Capture-HPC is a high-interaction client honeypot that is capable of seeking out and identifying client-side attacks. It identifies these attacks by driving a vulnerable client to open a file or interact with a potentially malicious server. As it processes the data, Capture-HPC monitors the system for unauthorized state changes that indicate a successful attack has occurred. It is regularly used in surveys of malicious websites that launch drive-by-download attacks.
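The "unauthorized state change" decision at the heart of the description above, as an added example that is not Capture-HPC's code: a state change reported by the monitors (a file, registry or process event attributed to a process) is checked against an exclusion list, and anything the list does not explain is reported as an attack indicator. The rule format used here (event type, process regex, path regex, allow/deny) is a simplified, hypothetical one, and the four events are constructed to look like one browser visit.

```c
/* Exclusion-list check for the state changes a client honeypot observes: added
 * example, not Capture-HPC's code. Rule format and events are constructed. */
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *type, *process, *path; } event_t;
typedef struct { int allow; const char *type, *process_re, *path_re; } rule_t;

/* Benign changes a browser makes while visiting a page. First matching rule
 * wins; an event matched by no rule is reported (default deny). */
static const rule_t RULES[] = {
    {1, "file",     "^iexplore\\.exe$", "^C:\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\.*"},
    {1, "registry", "^iexplore\\.exe$", "^HKCU\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\.*"},
    {0, "file",     ".*",               "^C:\\\\Windows\\\\System32\\\\.*"},  /* never benign during a visit */
};

static int re_match(const char *pattern, const char *text) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0) return 0;
    int hit = regexec(&re, text, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

/* 1 = unauthorized state change (indicator of a successful attack), 0 = expected. */
int is_unauthorized(const event_t *ev) {
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const rule_t *r = &RULES[i];
        if (strcmp(r->type, ev->type) != 0) continue;
        if (!re_match(r->process_re, ev->process) || !re_match(r->path_re, ev->path)) continue;
        return r->allow ? 0 : 1;
    }
    return 1;   /* not explained by the list: report it */
}

/* Constructed event stream from one visit: two normal browser writes, a DLL
 * dropped into System32 and a process started from the temp directory. */
const event_t EVENTS[] = {
    {"file",     "iexplore.exe", "C:\\Users\\victim\\AppData\\Local\\Temp\\ab12.tmp"},
    {"registry", "iexplore.exe", "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page"},
    {"file",     "iexplore.exe", "C:\\Windows\\System32\\msupd.dll"},
    {"process",  "cmd.exe",      "C:\\Users\\victim\\AppData\\Local\\Temp\\dropper.exe"},
};
#define N_EVENTS (sizeof EVENTS / sizeof EVENTS[0])

/* Number of events in the stream that would make Capture classify the URL as malicious. */
int count_unauthorized(void) {
    int n = 0;
    for (size_t i = 0; i < N_EVENTS; i++) n += is_unauthorized(&EVENTS[i]);
    return n;
}

int main(void) {
    for (size_t i = 0; i < N_EVENTS; i++)
        printf("%-12s %-14s %-60s %s\n", EVENTS[i].type, EVENTS[i].process, EVENTS[i].path,
               is_unauthorized(&EVENTS[i]) ? "UNAUTHORIZED" : "ok");
    return count_unauthorized() == 2 ? 0 : 1;
}
```

The default-deny order matters: the exclusion list describes what a clean visit is allowed to do, so a new process or a write outside the browser's own directories is reported even if nobody has written a signature for it, which is what lets a high-interaction honeypot catch previously unseen exploits. The cost is that every benign browser behaviour must be listed, so rules should be as tight as the example's anchored regexes rather than `.*`.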
Folks, Google has just announced the accepted projects on the GSoC website. We had an excellent line-up of students and proposals this year and were able to accept 12 projects! Thanks to all the students who applied this year, and congratulations to all who were accepted!
Christian
With GSoC 2011 student applications having been open for the past week, we’ve been having a number of interesting discussions with potential students on both #gsoc2011-honeynet on irc.freenode.net and on our public GSoC mailing list and this summer is already looking to have many exciting project ideas.
Student applications run through to Friday April 8th at 19:00 UTC, so if you are a student interested in participating in GSoC 2011 with the Honeynet Project, please take a look at our GSoC 2011 project ideas and make the most of the remaining time to get involved.
Our annual workshop in Paris got off to the perfect start this weekend when Google went live with the new look GSoC 2011 Melange site and announced which lucky organizations had been accepted as mentoring orgs for GSoC 2011.
The Honeynet Project were delighted to have been successful again this year and to have been accepted as one of 173 organizations who will be mentoring GSoC 2011 student projects this summer!
23:00 UTC Friday March 11th was the first deadline for Google Summer of Code 2011, and the cut-off point for organizations interested in participating to complete their org application.
I'm very pleased to confirm that the Honeynet Project have once again applied. Whilst we now patiently wait for Google to announce on March 18th which organizations will be selected to participate, interested prospective students can start looking at our initial GSoC 2011 project ideas and find more information about getting involved with the Honeynet Project and Google Summer of Code 2011 here - including contact details for email and IRC.