Sunday 29 October 2017

Cuckoo Sandbox - Malware / Virus Analysis Tool


Analysing the activity of malware or a virus is not something whose report or result can be known in a minute or two. Certain viruses take quite a long time, for example a virus that manipulates every file on the computer or on a USB stick, or a virus that has a 'sleep' mode or 'anti-debugger' behaviour; these certainly take time to analyse.

That is for one virus; what if there are many?
Just multiply the number of viruses by the time it takes to analyse one virus/file.
It will obviously take a considerable amount of time.

For that reason, we tried to build an automated virus analysis system using Cuckoo Sandbox. That does not mean that with Cuckoo every virus can be analysed: against an anti-debugger virus that recognises the Cuckoo environment, or the virus with a sleep mode mentioned earlier, analysis will still be difficult.


Cuckoo Sandbox is an open-source Automated Malware Analysis system, which is why it is widely deployed by web services that accept virus sample uploads, for example VirusTotal, as its blog states: "VirusTotal runs a distributed setup of Cuckoo sandbox machines that execute the files we receive." Source: https://www.virustotal.com/en/documentation/private-api/

Even so, up to the time I wrote this article, I have had difficulty finding a tutorial or discussion about installing Cuckoo in Indonesian; where one exists, it is a translation of a non-Indonesian tutorial. That said, two Indonesians have written a book about installing Cuckoo, but even that is in English.
Consequently, it took me roughly a month to get Cuckoo to the point of producing an analysis report for an uploaded virus. This covered installing the Linux Ubuntu 16.04 LTS 64-bit operating system (500GB HD; 4GB RAM); downloading the assorted things needed to equip the Cuckoo automated virus analysis lab; synchronising Cuckoo with VirtualBox; folder sharing and pinging the VirtualBox guest (and vice versa); agent.py; sudo; ifconfig; and all the commands that had to be entered in the Terminal to install Cuckoo Sandbox.
There is also a modified version of Cuckoo that makes it easier to install Cuckoo's dependencies with just a few Terminal commands, but I don't know whether it still works, because the Cuckoo version is now different.


It didn't end there: after finishing the installation so that Cuckoo Sandbox 2.0.4 (6 September 2017) was ready to operate, it turned out the 4GB of RAM I used was still not enough when Cuckoo analysed an uploaded virus, and the computer hung or crashed, so it had to be forcibly powered off.
Given the features it offers, it is no surprise that the memory Cuckoo needs is no joke either.

Given the experience above, installing an application by just clicking Next, Next, Finish feels rather tame. For more of a challenge, try installing Cuckoo or another Automated Malware Analysis framework some time.

YouTube: https://www.youtube.com/watch?v=gCTGXEmhY6M

Cuckoo official website: https://cuckoosandbox.org

Cuckoo Sandbox 2.0.4 blog post: https://cuckoosandbox.org/blog/cuckoo-sandbox-204

Progress installing Cuckoo: 4 October 2017 - 28 October 2017

----
My Config:
1. virtualbox.conf:
[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui" or "headless". Please refer to VirtualBox's official
# documentation to understand the differences.
mode = headless

# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage
# If you are running Cuckoo on Mac OS X you have to change the path as follows:
# path = /Applications/VirtualBox.app/Contents/MacOS/VBoxManage

# Default network interface.
interface = vboxnet0

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1


[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = cuckoo1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.101

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = Snapshot 1

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags =

# Mostly unused for now. Please don't fill it out.
options =

# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile =


[honeyd]
# For more information on this VM please refer to the "services" section of
# the conf/auxiliary.conf configuration file. This machine is a bit special
# in the way that its used as an additional VM for an analysis.
# *NOTE* that if this functionality is used, the VM should be registered in
# the "machines" list in the beginning of this file.
label = honeyd
platform = linux
ip = 192.168.56.102
# The tags should at least contain "service" and the name of this service.
# This way the services auxiliary module knows how to find this particular VM.
tags = service, honeyd
# Not all services actually have a Cuckoo Agent running in the VM, for those
# services one can specify the "noagent" option so Cuckoo will just wait until
# the end of the analysis instead of trying to connect to the non-existing
# Cuckoo Agent. We can't really intercept any inter-VM communication from the
# host / gateway so in order to dump traffic between VMs we have to use a
# different network dumping approach. For this machine we use the "nictrace"
# functionality from VirtualBox (which is basically their internal tcpdump)
# and thus properly dumps inter-VM traffic.
options = nictrace noagent
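
As an added example (not part of the original post or of Cuckoo's own code), a small Python check for the virtualbox.conf above: it confirms that every ID in `machines` has its own section, that each defined machine is actually listed (the [honeyd] section above is not, so Cuckoo would never schedule it), that guest IPs fall inside the host-only subnet (assumed here to be VirtualBox's default 192.168.56.0/24 for vboxnet0), and that `resultserver_ip` is only set together with the cuckoo.conf change the config comment describes. The embedded sample is a constructed, abbreviated copy of the config above.

```python
import configparser
import ipaddress
# Constructed sample: an abbreviated copy of the virtualbox.conf shown above.
SAMPLE_CONF = """
[virtualbox]
mode = headless
interface = vboxnet0
machines = cuckoo1
[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot = Snapshot 1
resultserver_ip =
[honeyd]
label = honeyd
platform = linux
ip = 192.168.56.102
tags = service, honeyd
options = nictrace noagent
"""

def check_virtualbox_conf(text, host_net="192.168.56.0/24"):
    """Return warnings; host_net is an assumption (VirtualBox's default vboxnet0 subnet)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    net = ipaddress.ip_network(host_net)
    listed = [m.strip() for m in cfg.get("virtualbox", "machines").split(",") if m.strip()]
    warnings = []
    # Every ID in "machines" needs a dedicated section of the same name.
    for name in listed:
        if not cfg.has_section(name):
            warnings.append(f"{name}: listed in machines but has no section")
    for section in cfg.sections():
        if section == "virtualbox":
            continue
        # A section missing from "machines" is never scheduled (the stock [honeyd] block).
        if section not in listed:
            warnings.append(f"{section}: section defined but not listed in machines")
        ip = cfg.get(section, "ip", fallback="")
        try:  # the host must be able to reach the guest IP, or analyses fail
            if ipaddress.ip_address(ip) not in net:
                warnings.append(f"{section}: ip {ip} is outside {host_net}")
        except ValueError:
            warnings.append(f"{section}: invalid ip {ip!r}")
        # Per the config comment: a per-machine resultserver_ip requires
        # cuckoo.conf to bind the result server to 0.0.0.0.
        if cfg.get(section, "resultserver_ip", fallback=""):
            warnings.append(f"{section}: resultserver_ip set, bind resultserver to 0.0.0.0 in cuckoo.conf")
    return warnings
```

Run it against your real file with `check_virtualbox_conf(open("/path/to/virtualbox.conf").read())`; an empty list means the machine definitions are consistent with the rules in the config comments.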

----

These are the tutorials I used to build the Cuckoo Sandbox system:
1. https://medium.com/@warunikaamali/cuckoo-sandbox-installation-guide-d7a09bd4ee1f
2. https://forums.virtualbox.org/viewtopic.php?f=8&t=34396
3. http://securityscrapbook.com/2016/12/17/cuckoo-sandbox-installation-configuration-guide/
4. https://eugenekolo.com/blog/installing-and-setting-up-cuckoo-sandbox/
5. https://www.proteansec.com/linux/installing-using-cuckoo-malware-analysis-sandbox/
6. https://bdavis-cybersecurity.blogspot.co.id/2016/11/cuckoo-sandbox-installation-part-1.html?m=1
7. https://secvision22.wordpress.com/2016/11/21/installing-and-running-cuckoo-malware-analysis-platform-part-1/
8. https://www.talentcookie.com/2015/03/simple-steps-to-setup-cuckoo-sandbox-in-ubuntu/
9. http://www.behindthefirewalls.com/2013/07/how-to-install-cuckoo-sandbox-on-ubuntu.html?m=1
10. https://www.packtpub.com/mapt/book/hardware_and_creative/9781782169239/1/ch01lvl1sec12/installing-cuckoo-sandbox
11. http://hacktr.org/2014/11/12/cuckoo-sandbox-installation/
12. https://umbrella.cisco.com/blog/2015/06/16/deploy-your-own-cuckoo-sandbox/
13. https://techanarchy.net/lab/cuckoo-esxi/
14. http://www.rffuste.com/2017/07/11/cuckoo-sandbox-install-guideline-preparing-the-host-12/
15. https://cuckoo.sh/docs/installation/host/requirements.html
16. https://www.youtube.com/watch?v=Y34uvi8-e18&t=53s
17. https://www.youtube.com/watch?v=OzNMkR6yaJ0&t=1733s


Hope this helps you.