Installing and hardening the latest Cuckoo Sandbox on Gentoo Linux

The following article covers the installation and hardening of the latest (Git) Cuckoo Sandbox version. There are a few articles about setting up Cuckoo on Ubuntu/Debian; I had no luck, however, finding one that describes this process on Gentoo.

There is also no guide to hardening the latest (0.6+) Cuckoo. The guide for 0.5 doesn’t work anymore, because the latest cuckoomon.dll uses a different communication format and will not report any information during analysis.

Gentoo is not officially supported; it is possible, however, to make Cuckoo Sandbox run ‘almost’ flawlessly on it. I’m using the ‘testing’ package set (~amd64), so if you’re on stable you will have to set the proper keywords for Cuckoo’s dependencies – 0.6+ needs the latest versions. Most dependencies can already be found in Portage.

Installing Cuckoo

Let’s start with the following set of packages:

$ emerge -av dev-python/sqlalchemy dev-python/dpkt dev-python/jinja dev-python/bottle net-analyzer/tcpdump

Now it’s time for Ssdeep. An ebuild can be found on Gentoo Bugzilla. Download the latest one and place it in your local overlay (e.g. /usr/local/portage/app-forensics/ssdeep). You’ll also need the Python bindings for Ssdeep; the ebuild can be found here (place it in your local overlay, e.g. /usr/local/portage/dev-python/pyssdeep). You have to create digest files for them as well. When that’s done, you are ready to install Ssdeep:

$ emerge -av app-forensics/ssdeep dev-python/pyssdeep

Unfortunately I had no luck making Cuckoo use Ssdeep: both Ssdeep and PySsdeep work fine when executed manually, but no hash is included in the Cuckoo report.

Gentoo Portage also lacks Yara ebuilds. An ebuild for Yara can be found here (place it in your local overlay, e.g. /usr/local/portage/app-forensics/yara) and one for the Yara Python bindings here (place it in your local overlay, e.g. /usr/local/portage/dev-python/yara-python). Now you’re ready to install Yara:

$ emerge -av app-forensics/yara dev-python/yara-python

Depending on which virtualization platform you prefer, the proper packages have to be installed. I’m going to use VirtualBox:

$ emerge -av app-emulation/virtualbox app-emulation/virtualbox-modules app-emulation/virtualbox-additions app-emulation/virtualbox-extpack-oracle

Time to give tcpdump some capabilities, so that normal users without root privileges can use it:

$ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump

getcap will list all capabilities set for tcpdump. You can run setcap each time the system is rebooted, or you can create an init script that does it at system boot:

$ printf '#!/bin/sh\nsetcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump\n' > /etc/local.d/setcap-tcpdump.start
$ chmod +x /etc/local.d/setcap-tcpdump.start

The next step is creating a user account for Cuckoo:

$ useradd -c Cuckoo -G vboxusers -m -s /bin/bash -U cuckoo

There are quite a few supported databases; I’m going to use MariaDB (a fork of MySQL). You’ll need proper support for it in Python:

$ emerge -av dev-python/mysql-python

You have to create a new database as well:

$ mysql -u root -p
MariaDB [(none)]> create database cuckoo;
MariaDB [(none)]> grant all privileges on cuckoo.* to cuckoo@localhost identified by 'cuck00pass' ;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> quit;

Here, ‘cuckoo’ in ‘cuckoo@localhost’ is the username you created for Cuckoo, and ‘localhost’ is the host it will be running on (in most cases it’s ‘localhost’, except when the DB is running on a different machine than Cuckoo). ‘cuck00pass’ is the password Cuckoo will use to access the database.

Time for Cuckoo. If you don’t have Git on your system, install it:

$ emerge -av dev-vcs/git

Cuckoo installation:

$ su cuckoo
$ cd
$ git clone git://github.com/cuckoobox/cuckoo.git

The above commands will place Cuckoo in your Cuckoo user’s home directory. If you want to use a different destination, just provide the proper path after cd.

Configuration is rather simple; you can follow the official guide to set up your Cuckoo. Remember to apply the configuration for MariaDB if you want to use it – it’s the same as for MySQL and it’s described in the official guide.

Now you have to create a virtual machine with the OS that will be used to test malware. If you’re going to use Cuckoo in your company, probably the best choice is the default build installed on your workstations and servers. You can of course create as many VMs as you want, and you can run the same malware on all of them to check which of them are vulnerable. The official guide covers the process nicely, so I’m not going to describe it here. Just remember to run VirtualBox as your Cuckoo user; in KDE, for example, you can use kdesu:

$ kdesu -u cuckoo -c VirtualBox

Remember as well to use a ‘host-only’ network and not to install the guest additions – they’re not needed, and leaving them out makes it harder for malware to detect the sandbox. If you’re looking for the latest Python 2.x for Windows, you can find it here, and the latest PIL for Python 2.x (Python Imaging Library – required for screenshots) can be found here.

Host-only networking in VirtualBox requires some iptables rules to be added (a simple masquerade). I’m using the default VirtualBox settings for the host-only network:

$ iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
$ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ iptables -A POSTROUTING -t nat -j MASQUERADE
$ /etc/init.d/iptables save

Remember to add iptables to the default runlevel if it isn’t there already. You also have to enable IP forwarding by setting ‘net.ipv4.ip_forward = 1’ in /etc/sysctl.conf.
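As an added example (not from the original post), here is the same NAT set-up as a small script with two tightenings a sandbox host benefits from: the FORWARD chain defaults to DROP, and the MASQUERADE rule is limited to the guest subnet leaving the uplink instead of every packet the host sends. The names eth0, vboxnet0 and 192.168.56.0/24 are the VirtualBox defaults used above and are assumed; setting IPT to a print function gives a dry run.

```shell
#!/bin/sh
# Added example, not part of the original post: the host-only NAT rules from
# above, tightened so that only the Cuckoo guest subnet is forwarded and
# masqueraded. Defaults are the VirtualBox defaults used in the post.
UPLINK="${UPLINK:-eth0}"                      # interface towards the Internet
HOSTONLY="${HOSTONLY:-vboxnet0}"              # VirtualBox host-only interface
SANDBOX_NET="${SANDBOX_NET:-192.168.56.0/24}" # guest subnet behind vboxnet0
IPT="${IPT:-iptables}"                        # command used to apply rules

# Emit one complete iptables argument list per line.
cuckoo_nat_rules() {
    # Default-deny forwarding: anything not matched below is dropped.
    # (Leave this out if the host also forwards for other networks.)
    echo "-P FORWARD DROP"
    # New connections only from the sandbox subnet, only towards the uplink.
    echo "-A FORWARD -i $HOSTONLY -o $UPLINK -s $SANDBOX_NET -m conntrack --ctstate NEW -j ACCEPT"
    # Replies for connections the guests opened.
    echo "-A FORWARD -i $UPLINK -o $HOSTONLY -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Masquerade sandbox traffic on the uplink only, not every packet leaving the host.
    echo "-t nat -A POSTROUTING -s $SANDBOX_NET -o $UPLINK -j MASQUERADE"
}

# Apply every rule with $IPT; stops at the first failure.
cuckoo_nat_apply() {
    cuckoo_nat_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        $IPT $rule || exit 1
    done
}

# Succeeds only if the generated MASQUERADE rule is scoped to the sandbox subnet.
cuckoo_nat_check() {
    cuckoo_nat_rules | grep -q -- "-s $SANDBOX_NET -o $UPLINK -j MASQUERADE"
}

# Enable forwarding now and keep it across reboots via /etc/sysctl.conf.
cuckoo_enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 &&
    { grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf ||
      echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf; }
}
```

Run cuckoo_nat_check before cuckoo_nat_apply as root, then cuckoo_enable_forwarding, and save the rules with /etc/init.d/iptables save as above.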

At this point your basic Cuckoo environment is ready. To run it, log in as the Cuckoo user, go to the ~/cuckoo directory and execute the following:

$ python ./cuckoo.py

In another terminal (consider using the screen tool), log in once again as the Cuckoo user, go to the same directory and execute:

$ python ./utils/web.py

Now you can open your preferred web browser and go to http://localhost:8080/ – from this web interface you can submit samples for analysis and browse analysis results. There’s also a Python script called submit.py in the cuckoo/utils folder, which you can use to submit samples.

There’s one more thing you should know at this point – setting up host-only networking in VirtualBox makes Cuckoo fail to launch after a reboot. This is caused by Cuckoo trying to bind to the vboxnet0 interface before it has been configured. To work around this, use VBoxManage to set the vboxnet0 IP address before launching Cuckoo, or create a shell script that does it for you:

$ vim ~/cuckoo/start-cuckoo.sh

and place the following lines in it:

#!/bin/bash
# Change to the directory this script lives in, so it can be started from anywhere
cd "$(dirname "$0")" || exit 1
# Assign the host-only interface its address; it is left unconfigured after a reboot
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
exec python ./cuckoo.py

Your Cuckoo Sandbox is ready to use; now it’s time to proceed to the next step and apply some hardening, preventing malware from detecting the sandbox.

Hardening Cuckoomon

The first thing you will need is a0rtega’s tool pafish (Paranoid Fish). Download it on your host OS (in my case Gentoo Linux) from the Git repository:

$ git clone https://github.com/a0rtega/pafish.git

To test whether the hardening works, submit pafish.exe just like any malware sample, using the Cuckoo web UI or submit.py. If you do that right now, you’ll see that your sandbox can easily be detected by malware.

There are probably more ways to avoid detection – I’m going to modify hooks, just as described in a0rtega’s post on the AlienVault Labs Blog, but I will apply his method to the latest cuckoomon sources – his patched dll and the patch itself don’t work with 0.6+.

You can download my patched dll here, or proceed and create one on your own – which can be useful when a new Cuckoo is released and the current dll no longer works.

First you’ll need an environment capable of building 32-bit Windows binaries. You can use any Windows host with the MinGW32 bundle, or you can use your Gentoo (or any other Linux) box. If you choose the second option, here’s what you have to do.

Start with installing the Gentoo cross-toolchain generator:

$ emerge -av sys-devel/crossdev

To compile 32-bit Windows binaries you’ll need 32-bit MinGW:

$ crossdev -t i686-pc-mingw32

Now it’s time to get the cuckoomon sources. Unfortunately getting the exact version of the cuckoomon sources used by the latest Cuckoo Sandbox is not possible (asked on the Community page, no answer given…). By testing all public cuckoomon Git branches I found that the ‘netlog’ branch works quite nicely, even though it sometimes throws some errors. You can download the latest ‘netlog’ branch from here or use git on your Linux box:

$ mkdir netlog
$ cd netlog/
$ git init
$ git remote add -t netlog -f origin https://github.com/cuckoobox/cuckoomon.git
$ git checkout netlog

The patch for version 0.6 is very similar to the original one created by a0rtega, and you can find it here.

To patch the sources, go to the netlog/ directory and execute:

$ patch -p1 < /path/to/cuckoomon-netlog-0.6_hardening.patch

Finally, build the patched cuckoomon.dll and replace the original dll with it:

$ make
$ cp cuckoomon.dll /path/to/cuckoo/analyzer/windows/dll/cuckoomon.dll
$ chown cuckoo:cuckoo /path/to/cuckoo/analyzer/windows/dll/cuckoomon.dll
$ chmod -x /path/to/cuckoo/analyzer/windows/dll/cuckoomon.dll

Done! You don’t have to restart Cuckoo; simply upload pafish.exe for analysis and you’ll find that the VirtualBox-specific tests no longer detect the sandbox.

I hope that this post will help you set up Cuckoo without any major issues. If you have any questions, please post them below.

5 opinions on “Installing and hardening the latest Cuckoo Sandbox on Gentoo Linux”

  1. Thanks for the detailed steps here.
    I’ve successfully set up cuckoo and changed cuckoomon to yours.
    However, pafish can still detect that it runs on a virtualbox since the “videoBiosVersion” value has been traced!
    Any idea how this can be fixed?
    And could you please tell me how I can write the commands in the “Hardening cuckoomon” section using Ubuntu? Since I want to use it instead of using gentoo.. What commands do I have to change?

  2. Hi Hubert,
    I very much appreciate you taking the time to write this guide as it made my life a lot easier trying to harden virtualbox/cuckoo.

    I too experience the same problem where videoBiosVersion was traced by pafish. I’m running the latest v0.6 and it seems to throw an exception. Not sure if that is related.

    —————————-

    Exception happened during processing of request from ('192.168.1.39', 49167)
    Traceback (most recent call last):
      File "/usr/lib/python2.7/SocketServer.py", line 593, in process_request_thread
        self.finish_request(request, client_address)
      File "/usr/lib/python2.7/SocketServer.py", line 334, in finish_request
        self.RequestHandlerClass(request, client_address, self)
      File "/usr/lib/python2.7/SocketServer.py", line 649, in __init__
        self.handle()
      File "/sbin/cuckoo/lib/cuckoo/core/resultserver.py", line 176, in handle
        r = self.protocol.read_next_message()
      File "/sbin/cuckoo/lib/cuckoo/common/netlog.py", line 72, in read_next_message
        vmtime = datetime.datetime.fromtimestamp(vmtimeunix)
    ValueError: timestamp out of range for platform time_t
    —————————-

    Once again, thanks for your fantastic effort on this.

  3. Thanks for the article. Nicely put. Just want to point out: I am running Cuckoo 0.6 and I’ve noticed that when I replace the cuckoomon.dll on my box it kills the URL replay functionality. IE crashes every time you submit a URL to the sandbox. Took me a while to figure out, because I was still testing this functionality, but it turns out it’s the modified dll. As soon as I replaced it with the original it works like a charm.
    I am running it on Ubuntu 12.4 and also see the same detection for video drivers as Sara.
    Does the URL replay function work for you with your modified dll?
