If you are an IT security researcher who wants to know how a particular piece of malware works and what it does on an infected machine, or if you simply have a sample you suspect to be malicious, you probably need a sandbox.
In this article I would like to cover the less technical aspects, which are nevertheless very important for anyone who has to choose the best solution for themselves or for the company they work for.
Let's divide sandboxes into two types:
Online sandboxes are hosted outside your environment by an external organisation. You cannot modify their settings to suit your needs: you get an interface to submit the file (most often a web interface) and a final report from the malware execution. You do not have to bother with sandbox maintenance; it works the moment you need it. At least in theory. Keep in mind that any sample you submit leaves your control once it is uploaded.
Standalone sandboxes are maintained entirely by you. You need a dedicated machine or a virtual appliance (one able to run another virtual machine inside it); you have to install, configure and update the installation; and, most importantly, you can customise it however you want. For example, you can build test environments based on different Windows versions, or use your company's standard build to see how well it is protected against a particular threat. Keep in mind, however, that one of those updates may break something.
If you are an independent researcher, you most likely do not have thousands of dollars to spend on a commercial product. Don't worry: there are plenty of free and/or open-source solutions out there. Let's have a quick review.
Tested Sandbox solutions
Commonly used Online solutions are:
- ThreatTrack ThreatAnalyzer,
- CWSandbox (not updated since April 2010),
- Malbox (not updated since May 2011, developers' site no longer accessible).
Commonly used Standalone solutions are:
- ReVirt (not updated since June 2003),
- Minibis (not updated since June 2011),
- Zero Wine Tryouts,
- Truman (not updated since January 2006),
- BitBlaze (not updated since September 2009).
When you are looking for the solution that suits most of your needs, a few questions have to be asked: Will the solution be available when I need it? Is it still being developed? Will I get proper support? And finally: which of the information the sandbox returns after analysis matters most to me?
Our choices depend on many factors: not only personal preference, but also the target environment, available resources, solutions already in place, and so on. A freelancer will choose differently from the security staff of a company, especially a large one with very restrictive policies. The questions above are very basic, and many other things should be considered. After spending a couple of hours working out what exactly I needed, I wrote down some criteria that helped me make the choice. Let me briefly introduce what I found to be best for me and what led to this choice.
I've chosen Cuckoo. But not only Cuckoo. Cuckoo is still a very young solution and problems occur from time to time, especially when it comes to generating a report containing some foreign-language characters: it throws a number of errors and fails, at least in my environment. When Cuckoo doesn't behave as expected, it's good to have something else to fall back on, like Anubis or ThreatExpert.
Let me explain why.
First of all, it is open-source software and it runs on Linux. It can be configured to satisfy almost any need, and it can even work as an online solution (check Malwr, which is based on Cuckoo). It is actively developed and has good support from the developers and the community. You can create as many test environments as you want and analyse any file or URL that can be opened inside the guest. Beside that, Cuckoo offers:
- Generating a variety of hashes (not available in Sandboxie directly; provided by Buster, which is built on top of it),
- After some extra configuration (modifying the agent), it makes it harder for malware to detect that it is running in a sandbox (try achieving that with Zero Wine Tryouts...),
- Checking the detection score on VirusTotal (not available in Anubis, Comodo, ThreatExpert, Sandboxie, Buster or Zero Wine Tryouts),
- Listing accessed and modified files,
- Listing accessed and modified registry keys,
- Listing the API-call trace of each process the malware launches (a behavioural trace comparable to what you would collect by hand in a debugger),
- Analysing network traffic (a simple DNS and IP listing, plus a pcap file for analysis in an external tool such as Wireshark),
- Creating a memory dump of the guest, which can then be analysed with, for example, the Volatility Framework (obviously not possible with online tools),
- Full control of the analysis while the malware is running (obviously not possible with online tools),
- Extracting files dropped by the malware,
- A detailed and clear HTML report (only Anubis produced one I liked more),
- Easy automation.
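To show what "easy automation" looks like in practice, here is an added example (my own code, not from the original post or from the Cuckoo project) that submits a sample, waits for the analysis and boils the JSON report down to the items listed above: VirusTotal score, files and registry keys touched, DNS lookups and dropped files. It assumes the REST API that later Cuckoo releases ship in utils/api.py (POST /tasks/create/file, GET /tasks/view/<id>, GET /tasks/report/<id>, default port 8090) and the JSON report layout of the 1.x series; the summary key names changed in later versions, so check them against the release you run. The sample report embedded at the bottom is constructed, so the parsing part runs without a Cuckoo instance.

```python
"""Automating a Cuckoo workflow: submit a sample, wait for the task, then
reduce the JSON report to the indicators an analyst triages first.

Added example, not code from the original post or from the Cuckoo
project. Assumes the REST API of later Cuckoo releases (utils/api.py)
and the 1.x JSON report layout; verify both against your version.
"""
import json
import time
import urllib.request
import uuid

CUCKOO_API = "http://127.0.0.1:8090"   # assumed default bind address of api.py


def _multipart(field, filename, data):
    """Build a multipart/form-data body by hand so only the stdlib is needed."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def submit_file(path, api=CUCKOO_API):
    """POST the sample; the API answers {"task_id": N}."""
    with open(path, "rb") as fh:
        body, ctype = _multipart("file", path.rsplit("/", 1)[-1], fh.read())
    req = urllib.request.Request(f"{api}/tasks/create/file", data=body,
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["task_id"]


def wait_for_report(task_id, api=CUCKOO_API, timeout=900, poll=10):
    """Poll the task until it reaches 'reported', then fetch the JSON report.
    A status starting with 'failed' (analysis, processing or reporting) is
    raised immediately instead of being waited out."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with urllib.request.urlopen(f"{api}/tasks/view/{task_id}") as resp:
            status = json.load(resp)["task"]["status"]
        if status == "reported":
            with urllib.request.urlopen(f"{api}/tasks/report/{task_id}") as resp:
                return json.load(resp)
        if status.startswith("failed"):
            raise RuntimeError(f"task {task_id} ended with status {status}")
        time.sleep(poll)
    raise TimeoutError(f"task {task_id} not finished after {timeout}s")


def summarize_report(report):
    """Extract VirusTotal score, touched files/keys, DNS queries and dropped
    files. Every section is read defensively: a section is simply absent
    when its processing module is disabled or failed (e.g. no VT API key),
    and that must not break the whole summary."""
    summary = report.get("behavior", {}).get("summary", {})
    vt = report.get("virustotal") or {}
    dns = report.get("network", {}).get("dns", [])
    return {
        "sha256": report.get("target", {}).get("file", {}).get("sha256"),
        "vt_detections": (vt.get("positives"), vt.get("total")),
        "files": sorted(set(summary.get("files", []))),
        "registry_keys": sorted(set(summary.get("keys", []))),
        "dns": sorted({q["request"] for q in dns if "request" in q}),
        "dropped": [(d.get("name"), d.get("sha256")) for d in report.get("dropped", [])],
    }


# Constructed sample report, trimmed to the fields summarize_report reads,
# so the parsing can be exercised without a running Cuckoo instance.
SAMPLE_REPORT = {
    "target": {"file": {"sha256": "a" * 64}},
    "virustotal": {"positives": 37, "total": 43},
    "behavior": {"summary": {
        "files": ["C:\\Users\\Public\\update.exe", "C:\\Users\\Public\\update.exe"],
        "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
    }},
    "network": {"dns": [{"request": "example.invalid", "type": "A"}]},
    "dropped": [{"name": "update.exe", "sha256": "b" * 64}],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:       # real run: python cuckoo_auto.py sample.exe
        task = submit_file(sys.argv[1])
        print(json.dumps(summarize_report(wait_for_report(task)), indent=2))
    else:                        # offline run against the constructed report
        print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
```

Run it with a path to get the live workflow, or without arguments to see the summary of the constructed report. The duplicate file entry in the sample is deliberate: the summary sections list every access, so deduplicating before you read them is worth the one line.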
"And how does it score when it comes to detection?" you may ask. Take a look at the Open-Source Security Tools Blog, where Malwr.com, which is based on Cuckoo, is compared with Anubis, MWAnalysis (CWSandbox) and ThreatExpert. It shines among them.
That's it. I use Cuckoo on a daily basis, always keep it updated to the latest version from the Git repository, and it does the job nicely. In a few upcoming articles I will cover the installation process on Gentoo Linux and hardening, and I will show what malware analysis with Cuckoo looks like.
If you have any questions or comments, feel free to leave them below; I'll answer as best I can.