I’m a Cuckoo user for a long time therefore it was a good opportunity to read the book “Cuckoo Malware Analysis” and write a quick review (The book is published by Packt Publishing). For the readers who don’t know what Cuckoo is, here is a brief introduction…
Malwares are a real pain today! Just by visiting a website or by opening a file attached to an email, you can infect your computer with a malware which will turn in into a bot, steal sensitive information or used it as a pivot to conduct a deeper attack. To learn how those malicious pieces of code are working, they must be analysed: That’s the job of malware analysts. Malware analysis can be performed in two different ways. The first one is called “static analysis“. It is based on actions like scanning the program with antivirus solutions, searching for interesting strings, dumping the code in an hexadecimal viewer, unpacking the code and disassembling the software. The opposite is called “dynamic“, “live” or “behavioral” analysis. In this case, the goal is too look how the malware behaves and what changes are made on the infected system (process & files creation, registry, network connections, etc). This type of analysis must be performed in a safe environment not connected to any other system and that could be quickly restored. Cuckoo is a project initiated by Claudio Guarnieri which helps to setup an environment to perform behavioral analysis of malwares. If you’re interested in this topic, the Internet is full of documents, here is a good one provided by SANS: Malware Analysis Introduction.
The book guides you step by step to setup your own Cuckoo environment. The first chapter is an introduction to malware analysis and how’s working Cuckoo: the mechanism of sandboxing is explained. Then a standard Cuckoo installation is described: hardware requirements, preparing the host OS, the required Python modules. A key step is the preparation of the Guest OS (the sandbox) which must be properly configured to execute the malware and communicate safely with the host OS (to capture the network traffic and events while the malware is running). Cuckoo can be installed on most Linux instances and supports different supervisors but the author recommends to use Ubuntu 12.04LTS with VirtualBox 4.2.16. I sugguest to follow him because the setup might quickly become a nightmare if you are using more “exotic” environments.
The next chapter covers your first malware analysis. How to submit a task to Cuckoo and how to analyze the results. Once the analysis done, the author reviews all the data produced by Cuckoo: the log files, the reports, screenshots and dumps. Different examples of malicious files are reviewed (a PDF file, a PE file, a Word document, an URL). All those types of data can be analyzed easily in the sandbox. A good point for the introduction about Volatility and how to perform additional memory forencis.
The chapters three and four focus on analyzing the output produced by a Cuckoo sandbox and reporting. Based on a APT scenario, other tools are presented by the author like Yara or Bokken to improve your lab. Then the reporting modules of Cuckoo are reviewed. Human readable reports can be generated or specific ones to exchange information with other tools or finally the “MAEC” format (“Malware Attribute Enumeration and Characterization“).
The last chapter give tips & tricks to optimize and improve your Cuckoo environment. Modern malwares implement techniques to detect virtualized environment and behave differently when running in a sandbox. This chapter explains how to harden your lab against VM detection. I was pleasantly surprised to read in this chapter a small presentation of my project called CuckooMX. Thanks to the authors, Digit Oktavianto and Iqbal Muhardianto, for the reference!
If your plans are to dive into malware analysis, this book is a great starting point. They are very powerful commercial solutions but, as usual, they are quite expensive and Cuckoo is a really nice alternative to start from zero. If a new release or an “advanced” version of this book should be published, I would add two topics:
- Building custom signatures (this is great feature!)
- Scalability (how to improve mass analyzis)
My last remark: the book is an introdcution to Cuckoo and not to malware analysis. Cuckoo is just a tool, it helps to digest a lot of information but, in most cases, a human must still analyze and understand them!