tag:blogger.com,1999:blog-33436932394559680462013-06-17T23:16:47.963+02:00Michael BomanApplication Vulnerability and Malicious Code HunterMichael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.comBlogger239125tag:blogger.com,1999:blog-3343693239455968046.post-64848442870739394942013-06-17T23:16:00.000+02:002013-06-17T23:16:47.984+02:002013-06-17T23:16:47.984+02:00Cuckoo Sandbox on Hardware: Installing the OS and required guest utils on the hardware nodeThis is the second blog post about running Cuckoo Sandbox on hardware nodes instead of virtual machines, and thus removing the whole "prevent detection of virtual machine" issue that malware authors creates when trying to avoid detection. The drawback is the number of samples a single machine can analyze.<br />
<br />
Previously I walked through the steps on how to install FOG server in a OpenVZ environment. In this post I will walk through the steps of preparing the computer so you can restore it to a known state. For practical reasons I am using a virtual machine to document this, but the steps are exactly the same I use for my hardware node (apart from hard drive size).<br />
<h2>
Installing the OS</h2>
For this hardware node I am using Windows 7 Enterprise as the target OS, but you can use any OS supported by both FOG Project and Cuckoo Sandbox (Basically any modern Windows OS).<br />
<br />
First we choose the language and keyboard layout.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-QLcLdmJq2oQ/Ub9Yf8ukTGI/AAAAAAAALb0/8MFz1CzuHmA/s1600/Screenshot+from+2013-06-16+23:50:49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-QLcLdmJq2oQ/Ub9Yf8ukTGI/AAAAAAAALb0/8MFz1CzuHmA/s640/Screenshot+from+2013-06-16+23:50:49.png" width="640" /></a></div>
<br />
Choose "Install now".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-A6mKT1UjqkQ/Ub9YgQwstJI/AAAAAAAALb4/TkTdj8zMZKA/s1600/Screenshot+from+2013-06-16+23:51:12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-A6mKT1UjqkQ/Ub9YgQwstJI/AAAAAAAALb4/TkTdj8zMZKA/s640/Screenshot+from+2013-06-16+23:51:12.png" width="640" /></a></div>
<br />
Setup is starting<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-R9FT-_L-Ncs/Ub9Yg_KikII/AAAAAAAALb8/HhMMDGffUiM/s1600/Screenshot+from+2013-06-16+23:51:27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-R9FT-_L-Ncs/Ub9Yg_KikII/AAAAAAAALb8/HhMMDGffUiM/s640/Screenshot+from+2013-06-16+23:51:27.png" width="640" /></a></div>
<br />
Accept the license agreement. I have access to a enterprise license for Windows 7, thanks to a anonymous sponsor.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-M-_uDbwuCEM/Ub9YhEml2TI/AAAAAAAALcE/nPLgV_rekMY/s1600/Screenshot+from+2013-06-16+23:51:48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-M-_uDbwuCEM/Ub9YhEml2TI/AAAAAAAALcE/nPLgV_rekMY/s640/Screenshot+from+2013-06-16+23:51:48.png" width="640" /></a></div>
<br />
Choose "Custom (advanced)".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-BCwRJEWNDQA/Ub9Yhv0LD3I/AAAAAAAALcQ/hpow-rUFFFU/s1600/Screenshot+from+2013-06-16+23:52:18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="516" src="http://4.bp.blogspot.com/-BCwRJEWNDQA/Ub9Yhv0LD3I/AAAAAAAALcQ/hpow-rUFFFU/s640/Screenshot+from+2013-06-16+23:52:18.png" width="640" /></a></div>
<br />
Select your disk and click on "Drive options (advanced)" to view the advanced disk menu items.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-PWBh40oFXLc/Ub9Yh_0FZxI/AAAAAAAALcU/dhcHp3L6MnM/s1600/Screenshot+from+2013-06-16+23:52:36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-PWBh40oFXLc/Ub9Yh_0FZxI/AAAAAAAALcU/dhcHp3L6MnM/s640/Screenshot+from+2013-06-16+23:52:36.png" width="640" /></a></div>
<br />
Create a new partition that fills up the disk (you can choose to create a smaller partition then the whole disk if you want. If your FOG Server is low on disk space it might be a good idea to do so.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-iwgXor0CTfs/Ub9YifjP3SI/AAAAAAAALcc/l1YvPg6Kt8A/s1600/Screenshot+from+2013-06-16+23:53:17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-iwgXor0CTfs/Ub9YifjP3SI/AAAAAAAALcc/l1YvPg6Kt8A/s640/Screenshot+from+2013-06-16+23:53:17.png" width="640" /></a></div>
<br />
Windows installation is copying files to the hard drive.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-E7S7N-xz9Pk/Ub9YjfFZGdI/AAAAAAAALcw/4_Z8Gdkz3o4/s1600/Screenshot+from+2013-06-16+23:53:29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-E7S7N-xz9Pk/Ub9YjfFZGdI/AAAAAAAALcw/4_Z8Gdkz3o4/s640/Screenshot+from+2013-06-16+23:53:29.png" width="640" /></a></div>
<br />
Create the first user and name the computer.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-eJPmvrc4K6U/Ub9YjrN-jZI/AAAAAAAALcs/na6PYg_s7Ts/s1600/Screenshot+from+2013-06-17+16:12:17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-eJPmvrc4K6U/Ub9YjrN-jZI/AAAAAAAALcs/na6PYg_s7Ts/s640/Screenshot+from+2013-06-17+16:12:17.png" width="640" /></a></div>
<br />
IMPORTANT: Create a password for the new account.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-QeXw9cDBfyo/Ub9YkxkpbWI/AAAAAAAALdA/lk0U3yaV6OA/s1600/Screenshot+from+2013-06-17+16:12:45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-QeXw9cDBfyo/Ub9YkxkpbWI/AAAAAAAALdA/lk0U3yaV6OA/s640/Screenshot+from+2013-06-17+16:12:45.png" width="640" /></a></div>
<br />
Turn off automated updates. It is important that the guest doesn't perform any configuration changes that might show up in the activity logs when the analysis runs.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-QgpjiOJjaMs/Ub9Yk4cQj2I/AAAAAAAALdE/-wkdGgtTmNA/s1600/Screenshot+from+2013-06-17+16:13:07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-QgpjiOJjaMs/Ub9Yk4cQj2I/AAAAAAAALdE/-wkdGgtTmNA/s640/Screenshot+from+2013-06-17+16:13:07.png" width="640" /></a></div>
<br />
Configure time and date.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-_nO7bg6YR5w/Ub9YlMoPFhI/AAAAAAAALdM/IkgYA_eHajU/s1600/Screenshot+from+2013-06-17+16:13:20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-_nO7bg6YR5w/Ub9YlMoPFhI/AAAAAAAALdM/IkgYA_eHajU/s640/Screenshot+from+2013-06-17+16:13:20.png" width="640" /></a></div>
<br />
Windows installer is performing the last few changes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-uX9X8vB0fFQ/Ub9YmAGt5aI/AAAAAAAALdg/cxFoRCsXo84/s1600/Screenshot+from+2013-06-17+16:14:36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-uX9X8vB0fFQ/Ub9YmAGt5aI/AAAAAAAALdg/cxFoRCsXo84/s640/Screenshot+from+2013-06-17+16:14:36.png" width="640" /></a></div>
<br />
Tada! Windows 7 is installed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-1WPsS6nKPUY/Ub9Ym0WMrzI/AAAAAAAALdk/XfJxOmEAlic/s1600/Screenshot+from+2013-06-17+16:14:55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-1WPsS6nKPUY/Ub9Ym0WMrzI/AAAAAAAALdk/XfJxOmEAlic/s640/Screenshot+from+2013-06-17+16:14:55.png" width="640" /></a></div>
<br />
<h2>
Turning off UAC (User Account Control)</h2>
<div>
<div>
To user Control Panel to disable UAC in Windows 7, there are several methods to access the User Account Control settings page:</div>
<div>
<br /></div>
<div>
Go to Start Menu -> Control Panel -> User Accounts and Family Safety -> User Account.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-G57AB3bn-Po/Ub93-CvOsbI/AAAAAAAALnA/h2NP2QELvf8/s1600/Screenshot+from+2013-06-17+22:55:57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-G57AB3bn-Po/Ub93-CvOsbI/AAAAAAAALnA/h2NP2QELvf8/s640/Screenshot+from+2013-06-17+22:55:57.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Slide the slider bar to the lowest value (towards Never Notify), with description showing Never notify me.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-YhPkG3hQHdo/Ub94L9OunUI/AAAAAAAALnQ/cHBaeV0LMzQ/s1600/Screenshot+from+2013-06-17+22:55:43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-YhPkG3hQHdo/Ub94L9OunUI/AAAAAAAALnQ/cHBaeV0LMzQ/s640/Screenshot+from+2013-06-17+22:55:43.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Click OK to make the change effective.</div>
<div>
<br /></div>
<div>
Restart the computer to turn off User Access Control.</div>
</div>
<h2>
Installing FOG guest utils</h2>
Go to your FOG server to download the FOG client utilities from http://fogserver/fog/client/. If you are like me using Windows 7 as the guest OS then you need to download FOG Prep as well.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Tw8PBtJm-_I/Ub9YnceFv1I/AAAAAAAALd0/KqvlUs8a21A/s1600/Screenshot+from+2013-06-17+19:16:35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-Tw8PBtJm-_I/Ub9YnceFv1I/AAAAAAAALd0/KqvlUs8a21A/s640/Screenshot+from+2013-06-17+19:16:35.png" width="640" /></a></div>
<br />
Download "FOG Client Service" (FogService.zip).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-h5K2RMpQamQ/Ub9YoKAgP_I/AAAAAAAALeE/JNoCFCdA8NM/s1600/Screenshot+from+2013-06-17+19:17:04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-h5K2RMpQamQ/Ub9YoKAgP_I/AAAAAAAALeE/JNoCFCdA8NM/s640/Screenshot+from+2013-06-17+19:17:04.png" width="640" /></a></div>
<br />
Once downloaded extract the archive.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-_sV2JQf3T1U/Ub9YoZUqw_I/AAAAAAAALeI/EaKso4XW4aA/s1600/Screenshot+from+2013-06-17+19:17:12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-_sV2JQf3T1U/Ub9YoZUqw_I/AAAAAAAALeI/EaKso4XW4aA/s640/Screenshot+from+2013-06-17+19:17:12.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-qhg1YUW0kLA/Ub9Yo4EJVoI/AAAAAAAALeQ/A9a87o83KAM/s1600/Screenshot+from+2013-06-17+19:17:32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-qhg1YUW0kLA/Ub9Yo4EJVoI/AAAAAAAALeQ/A9a87o83KAM/s640/Screenshot+from+2013-06-17+19:17:32.png" width="640" /></a></div>
<br />
Once extracted run the "setup" program and follow the on-screen instructions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-yMGw2ZayObY/Ub9YpSEPQwI/AAAAAAAALec/QP8LQ94b6so/s1600/Screenshot+from+2013-06-17+19:17:51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-yMGw2ZayObY/Ub9YpSEPQwI/AAAAAAAALec/QP8LQ94b6so/s640/Screenshot+from+2013-06-17+19:17:51.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-554Im0BHAVk/Ub9YpYW9zAI/AAAAAAAALek/dYgHUQFMoPQ/s1600/Screenshot+from+2013-06-17+19:17:58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-554Im0BHAVk/Ub9YpYW9zAI/AAAAAAAALek/dYgHUQFMoPQ/s640/Screenshot+from+2013-06-17+19:17:58.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-a0gt2uxelq0/Ub9Yp9ad44I/AAAAAAAALeo/PgEXkSzjL2Y/s1600/Screenshot+from+2013-06-17+19:18:05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-a0gt2uxelq0/Ub9Yp9ad44I/AAAAAAAALeo/PgEXkSzjL2Y/s640/Screenshot+from+2013-06-17+19:18:05.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-U5plaA87RtQ/Ub9YqaabLVI/AAAAAAAALew/_VZT0MKAsAM/s1600/Screenshot+from+2013-06-17+19:18:11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-U5plaA87RtQ/Ub9YqaabLVI/AAAAAAAALew/_VZT0MKAsAM/s640/Screenshot+from+2013-06-17+19:18:11.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/--Mj_0FDKTGk/Ub9YqxDPHJI/AAAAAAAALe8/KDu8loCeTQU/s1600/Screenshot+from+2013-06-17+19:18:17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/--Mj_0FDKTGk/Ub9YqxDPHJI/AAAAAAAALe8/KDu8loCeTQU/s640/Screenshot+from+2013-06-17+19:18:17.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-U16jWRJxS3k/Ub9Yq2PXFFI/AAAAAAAALfE/QtHnlit474s/s1600/Screenshot+from+2013-06-17+19:18:23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-U16jWRJxS3k/Ub9Yq2PXFFI/AAAAAAAALfE/QtHnlit474s/s640/Screenshot+from+2013-06-17+19:18:23.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-AktoXj64KBc/Ub9Yr-2BafI/AAAAAAAALfk/3r2X5RZrgXo/s1600/Screenshot+from+2013-06-17+19:18:49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-AktoXj64KBc/Ub9Yr-2BafI/AAAAAAAALfk/3r2X5RZrgXo/s640/Screenshot+from+2013-06-17+19:18:49.png" width="640" /></a></div>
<br />
I remove the AutoLogOut module, as I want to have my user logged in all the time.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-y0YROB5-wjI/Ub9YsG4B5aI/AAAAAAAALfc/fnFyAFrvVCY/s1600/Screenshot+from+2013-06-17+19:19:24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-y0YROB5-wjI/Ub9YsG4B5aI/AAAAAAAALfc/fnFyAFrvVCY/s640/Screenshot+from+2013-06-17+19:19:24.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-RjyVx_4JQOk/Ub9YsYjfEMI/AAAAAAAALfg/BSUajBPPhXo/s1600/Screenshot+from+2013-06-17+19:19:32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-RjyVx_4JQOk/Ub9YsYjfEMI/AAAAAAAALfg/BSUajBPPhXo/s640/Screenshot+from+2013-06-17+19:19:32.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-d5R0CGuKN9k/Ub9YtpwqbEI/AAAAAAAALf8/C2neLZuoY_Y/s1600/Screenshot+from+2013-06-17+19:19:41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-d5R0CGuKN9k/Ub9YtpwqbEI/AAAAAAAALf8/C2neLZuoY_Y/s640/Screenshot+from+2013-06-17+19:19:41.png" width="640" /></a></div>
<br />
As I mentioned earlier, Windows 7 requires the "FOG Prep" utility as well. Download the "FogPrep.zip" archive and extract it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-T50TFjpLuyA/Ub9YttNzkTI/AAAAAAAALfs/Lzn6LomBMlE/s1600/Screenshot+from+2013-06-17+19:19:52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-T50TFjpLuyA/Ub9YttNzkTI/AAAAAAAALfs/Lzn6LomBMlE/s640/Screenshot+from+2013-06-17+19:19:52.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-29RUqzuFa0Y/Ub9YtjHTbhI/AAAAAAAALf0/aj0HpOkSBng/s1600/Screenshot+from+2013-06-17+19:19:59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-29RUqzuFa0Y/Ub9YtjHTbhI/AAAAAAAALf0/aj0HpOkSBng/s640/Screenshot+from+2013-06-17+19:19:59.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-dbo34X-KFyw/Ub9YuW2MjhI/AAAAAAAALgI/Fs2UXFTW9kY/s1600/Screenshot+from+2013-06-17+19:20:07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-dbo34X-KFyw/Ub9YuW2MjhI/AAAAAAAALgI/Fs2UXFTW9kY/s640/Screenshot+from+2013-06-17+19:20:07.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/--WQKaLs1hE4/Ub9YumCs7ZI/AAAAAAAALgM/MrV9PBRkFu4/s1600/Screenshot+from+2013-06-17+19:20:18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/--WQKaLs1hE4/Ub9YumCs7ZI/AAAAAAAALgM/MrV9PBRkFu4/s640/Screenshot+from+2013-06-17+19:20:18.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-kyPgu-aAVNA/Ub9Yu_uS_qI/AAAAAAAALgU/7CFQalM2QRs/s1600/Screenshot+from+2013-06-17+19:20:34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-kyPgu-aAVNA/Ub9Yu_uS_qI/AAAAAAAALgU/7CFQalM2QRs/s640/Screenshot+from+2013-06-17+19:20:34.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-wdm8qvlMwrU/Ub9Yvlb4lFI/AAAAAAAALgc/4jxrp3a0lqo/s1600/Screenshot+from+2013-06-17+19:20:43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-wdm8qvlMwrU/Ub9Yvlb4lFI/AAAAAAAALgc/4jxrp3a0lqo/s640/Screenshot+from+2013-06-17+19:20:43.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-jNgLqX9mIKE/Ub9YviWqdXI/AAAAAAAALgg/eSzBab4SWr4/s1600/Screenshot+from+2013-06-17+19:20:50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-jNgLqX9mIKE/Ub9YviWqdXI/AAAAAAAALgg/eSzBab4SWr4/s640/Screenshot+from+2013-06-17+19:20:50.png" width="640" /></a></div>
<br />
I copied the FogPrep executable over to the FOG service directory (C:\Program Files\FOG) to keep all the FOG related components in the same place.<br />
<br />
This concludes the FOG portion of the guest installation.<br />
<h2>
Installing Cuckoo Sandbox Agent</h2>
For the Cuckoo Sandbox agent the steps are the same as in a virtual machine: Install Python and optionally PIL (Python Image Library) if you wish to grab screenshots (highly recommended).<br />
<h3>
Installing Python and PIL (Python Image Library) </h3>
Go to <a href="http://www.python.org/">http://www.python.org/</a> and download Python 2.7.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-fi-XnAyNdKw/Ub9YwHwzNGI/AAAAAAAALgs/Az1WRjktUfU/s1600/Screenshot+from+2013-06-17+19:21:38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-fi-XnAyNdKw/Ub9YwHwzNGI/AAAAAAAALgs/Az1WRjktUfU/s640/Screenshot+from+2013-06-17+19:21:38.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ZXmG2tIWJIQ/Ub9YyeXjLkI/AAAAAAAALhc/4HZ67Xteqv8/s1600/Screenshot+from+2013-06-17+19:25:18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-ZXmG2tIWJIQ/Ub9YyeXjLkI/AAAAAAAALhc/4HZ67Xteqv8/s640/Screenshot+from+2013-06-17+19:25:18.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-KjHCLn59m4k/Ub9Yy48MgqI/AAAAAAAALhk/pMcqrTDCOAc/s1600/Screenshot+from+2013-06-17+19:25:25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-KjHCLn59m4k/Ub9Yy48MgqI/AAAAAAAALhk/pMcqrTDCOAc/s640/Screenshot+from+2013-06-17+19:25:25.png" width="640" /></a></div>
<br />
Once downloaded run the installation program.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Ih40msh9xhI/Ub9YzAKQPMI/AAAAAAAALhs/-8Kmjdcgt1w/s1600/Screenshot+from+2013-06-17+19:25:47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-Ih40msh9xhI/Ub9YzAKQPMI/AAAAAAAALhs/-8Kmjdcgt1w/s640/Screenshot+from+2013-06-17+19:25:47.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-24niHWc2Y-E/Ub9YzgBO9GI/AAAAAAAALh0/rZpZ8UDTIqs/s1600/Screenshot+from+2013-06-17+19:26:20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-24niHWc2Y-E/Ub9YzgBO9GI/AAAAAAAALh0/rZpZ8UDTIqs/s640/Screenshot+from+2013-06-17+19:26:20.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-auUVMtrAqGU/Ub9Y0KS6x6I/AAAAAAAALh4/6HJxtxzMsyw/s1600/Screenshot+from+2013-06-17+19:26:25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-auUVMtrAqGU/Ub9Y0KS6x6I/AAAAAAAALh4/6HJxtxzMsyw/s640/Screenshot+from+2013-06-17+19:26:25.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-duIX0Hs5uYg/Ub9Y0QZv9aI/AAAAAAAALiE/R1dvyg6rJuY/s1600/Screenshot+from+2013-06-17+19:26:32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-duIX0Hs5uYg/Ub9Y0QZv9aI/AAAAAAAALiE/R1dvyg6rJuY/s640/Screenshot+from+2013-06-17+19:26:32.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-wRvsRAc---w/Ub9Y06knK-I/AAAAAAAALiU/PSxrFzueOnM/s1600/Screenshot+from+2013-06-17+19:26:55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-wRvsRAc---w/Ub9Y06knK-I/AAAAAAAALiU/PSxrFzueOnM/s640/Screenshot+from+2013-06-17+19:26:55.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-kSRwm0feW3o/Ub9Y1QOmxhI/AAAAAAAALig/oZ5FAZOqjps/s1600/Screenshot+from+2013-06-17+19:27:51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-kSRwm0feW3o/Ub9Y1QOmxhI/AAAAAAAALig/oZ5FAZOqjps/s640/Screenshot+from+2013-06-17+19:27:51.png" width="640" /></a></div>
<br />
Go to <a href="http://www.pythonware.com/products/pil/">http://www.pythonware.com/products/pil/</a> and download PIL for Python 2.7.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-7P89RPkDLxY/Ub9Y1l71kGI/AAAAAAAALik/72ysw2Kl9s0/s1600/Screenshot+from+2013-06-17+19:28:21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-7P89RPkDLxY/Ub9Y1l71kGI/AAAAAAAALik/72ysw2Kl9s0/s640/Screenshot+from+2013-06-17+19:28:21.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-uXZpNERyI20/Ub9Y1wsSm_I/AAAAAAAALio/i9VnXsz5NYs/s1600/Screenshot+from+2013-06-17+19:28:38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-uXZpNERyI20/Ub9Y1wsSm_I/AAAAAAAALio/i9VnXsz5NYs/s640/Screenshot+from+2013-06-17+19:28:38.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-YiI-nqgF1hU/Ub9Y2h45H3I/AAAAAAAALi0/azLoJZRzM1Y/s1600/Screenshot+from+2013-06-17+19:28:45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-YiI-nqgF1hU/Ub9Y2h45H3I/AAAAAAAALi0/azLoJZRzM1Y/s640/Screenshot+from+2013-06-17+19:28:45.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-jcxWJ75QGTQ/Ub9Y3BBgplI/AAAAAAAALjE/BWH1sNRd_d4/s1600/Screenshot+from+2013-06-17+19:28:51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-jcxWJ75QGTQ/Ub9Y3BBgplI/AAAAAAAALjE/BWH1sNRd_d4/s640/Screenshot+from+2013-06-17+19:28:51.png" width="640" /></a></div>
<br />
Start the installation once the download is completed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-4OJBOmPnTpM/Ub9Y21ydA2I/AAAAAAAALjA/J_ICzx0cqkg/s1600/Screenshot+from+2013-06-17+19:28:59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-4OJBOmPnTpM/Ub9Y21ydA2I/AAAAAAAALjA/J_ICzx0cqkg/s640/Screenshot+from+2013-06-17+19:28:59.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-2BiF7W1TTPU/Ub9Y30KMjuI/AAAAAAAALjU/804oHOggEbI/s1600/Screenshot+from+2013-06-17+19:29:14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://4.bp.blogspot.com/-2BiF7W1TTPU/Ub9Y30KMjuI/AAAAAAAALjU/804oHOggEbI/s640/Screenshot+from+2013-06-17+19:29:14.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-A5VZMN2JIL4/Ub9Y4OQLtPI/AAAAAAAALjY/2AB8tqPs7cM/s1600/Screenshot+from+2013-06-17+19:29:19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://2.bp.blogspot.com/-A5VZMN2JIL4/Ub9Y4OQLtPI/AAAAAAAALjY/2AB8tqPs7cM/s640/Screenshot+from+2013-06-17+19:29:19.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
You have now Python and the additional PIL component installed.<br />
<h3>
Installing the Cuckoo Sandbox Agent</h3>
Now when you have Python and PIL installed it is time to install the Cuckoo agent, although "installing" might be a too big word. You need to download "agent.py" from the Cuckoo's "agent" directory on your management machine. This can be done in several ways, using everything from USB flash drives to shared network drives.<br />
<br />
I place a shortcut from the agent.py into the "Startup" folder so the agent starts automatically at login.<br />
<h3>
Make the Cuckoo user logon automatically</h3>
To make the user login automatically click on Start and then enter the following command in the search box:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">netplwiz</span><br />
<br />
and press the ENTER key. You can also run this command from a command prompt as well.<br />
<br />
This command will load the Advanced User Accounts Control Panel applet.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-_yZhqOdi-ZY/Ub9zH1o_hpI/AAAAAAAALlw/MzQ4LoORfYo/s1600/Screenshot+from+2013-06-17+22:31:44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://3.bp.blogspot.com/-_yZhqOdi-ZY/Ub9zH1o_hpI/AAAAAAAALlw/MzQ4LoORfYo/s640/Screenshot+from+2013-06-17+22:31:44.png" width="640" /></a></div>
<br />
In the Users tab, uncheck the box next to Users must enter a user name and password to use this computer. Click on the Apply button at the bottom of the User Accounts window.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-wTfSWAdeixA/Ub9zJEU7dBI/AAAAAAAALl4/YoPM0fy9MCA/s1600/Screenshot+from+2013-06-17+22:31:51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-wTfSWAdeixA/Ub9zJEU7dBI/AAAAAAAALl4/YoPM0fy9MCA/s640/Screenshot+from+2013-06-17+22:31:51.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<a href="http://2.bp.blogspot.com/-FwW97ZYYR2c/Ub9zJq6pRTI/AAAAAAAALmI/pI342ZYsrGM/s1600/Screenshot+from+2013-06-17+22:32:08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="518" src="http://2.bp.blogspot.com/-FwW97ZYYR2c/Ub9zJq6pRTI/AAAAAAAALmI/pI342ZYsrGM/s640/Screenshot+from+2013-06-17+22:32:08.png" width="640" /></a><br />
<br />
When the Automatically Log On dialog box appears, enter the user name you wish to automatically login to Windows 7 with. Then enter your account password in the two fields where it's asked.<br />
<br />
Exit the Advanced User Accounts Control Panel applet by clicking "OK" to all the open windows.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ws-r4UvVSJ0/Ub9zKOq8CuI/AAAAAAAALmQ/VKRIKPpes4M/s1600/Screenshot+from+2013-06-17+22:32:17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-ws-r4UvVSJ0/Ub9zKOq8CuI/AAAAAAAALmQ/VKRIKPpes4M/s640/Screenshot+from+2013-06-17+22:32:17.png" width="640" /></a></div>
<br />
Now the user account will login automatically and run the Cuckoo agent at boot up.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-5plODJm1ZtY/Ub9Y5PCPKtI/AAAAAAAALjs/chZL0djw76g/s1600/Screenshot+from+2013-06-17+19:35:37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="518" src="http://1.bp.blogspot.com/-5plODJm1ZtY/Ub9Y5PCPKtI/AAAAAAAALjs/chZL0djw76g/s640/Screenshot+from+2013-06-17+19:35:37.png" width="640" /></a></div>
<br />
This concludes the OS and guest utilities installation for Cuckoo Sandbox on hardware nodes. Stay tuned for the next installment of this article series. Please provide feedback in the comments.<br />
<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/AJH4CVDFqAM" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/06/cuckoo-sandbox-on-hardware-installing_17.htmltag:blogger.com,1999:blog-3343693239455968046.post-21911999716240450582013-06-17T12:45:00.001+02:002013-06-17T12:45:06.448+02:002013-06-17T12:45:06.448+02:00Weekly malware statistics between 2013-06-09 and 2013-06-16This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is scientifically pretty flawed for several reasons, so the information provided should not be used for anything important (like selecting a AV-vendor).<br /><br />Here is a short list of known problems with the statistics:<br /><ul><li>The underlying assumptions for what is malware is not scientifically accurate. If a AV-vendor mistakenly flag a sample as malicious then all other vendors is accused of failing to detect the sample. For better accuracy the number of vendors that thinks a sample is malicious should be increased, but to what?</li><li>I have a limited sample gathering and analysis capability and I am not even sure I get a decent amount of fresh malware, thus the sample collection is not scientifically accurate.</li><li>VirusTotal (the service I use to perform the analysis) does not run the sample but only scans the dormant file which means that anti-malware products that detects the execution of the sample is unfairly treated as not detecting the sample, even if it would have done so in a real-life scenario.</li><li>The post is automatically generated and has not been viewed before posting, so no underlying analysis of the result has been performed.</li></ul><br />A total of 5936 samples was analyzed between 2013-06-09 and 2013-06-16.<br />33 samples was not deemed malicious by VirusTotal at the time of analysis.<br />1367 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><h2>File Analysis</h2>A total of 5936 file samples was analyzed between 2013-06-09 and 2013-06-16.<br />33 file samples was not deemed malicious by VirusTotal at the time of analysis.<br />1367 file samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection ratio</th></tr><tr><td>Ikarus</td><td><div style="text-align: right;">3829</div></td><td><div style="text-align: right;">84%</div></td></tr><tr><td>AntiVir</td><td><div style="text-align: right;">3814</div></td><td><div style="text-align: right;">84%</div></td></tr><tr><td>GData</td><td><div style="text-align: right;">3804</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>Emsisoft</td><td><div style="text-align: right;">3787</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>Avast</td><td><div style="text-align: right;">3701</div></td><td><div style="text-align: right;">81%</div></td></tr><tr><td>McAfee-GW-Edition</td><td><div style="text-align: right;">3626</div></td><td><div style="text-align: right;">79%</div></td></tr><tr><td>VIPRE</td><td><div style="text-align: right;">3611</div></td><td><div style="text-align: right;">79%</div></td></tr><tr><td>F-Secure</td><td><div style="text-align: right;">3590</div></td><td><div style="text-align: right;">79%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">3584</div></td><td><div style="text-align: right;">79%</div></td></tr><tr><td>Comodo</td><td><div style="text-align: right;">3567</div></td><td><div style="text-align: right;">78%</div></td></tr><tr><td>McAfee</td><td><div style="text-align: right;">3496</div></td><td><div style="text-align: right;">77%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">3471</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>AVG</td><td><div style="text-align: right;">3414</div></td><td><div style="text-align: right;">75%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">3363</div></td><td><div style="text-align: right;">74%</div></td></tr><tr><td>DrWeb</td><td><div style="text-align: right;">3330</div></td><td><div style="text-align: right;">73%</div></td></tr><tr><td>Fortinet</td><td><div style="text-align: right;">3293</div></td><td><div style="text-align: right;">72%</div></td></tr><tr><td>TrendMicro-HouseCall</td><td><div style="text-align: right;">3236</div></td><td><div style="text-align: right;">71%</div></td></tr><tr><td>Norman</td><td><div style="text-align: right;">3223</div></td><td><div style="text-align: right;">71%</div></td></tr><tr><td>Microsoft</td><td><div style="text-align: right;">3207</div></td><td><div style="text-align: right;">70%</div></td></tr><tr><td>Symantec</td><td><div style="text-align: right;">3102</div></td><td><div style="text-align: right;">68%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">3016</div></td><td><div style="text-align: right;">66%</div></td></tr><tr><td>TrendMicro</td><td><div style="text-align: right;">2896</div></td><td><div style="text-align: right;">63%</div></td></tr><tr><td>nProtect</td><td><div style="text-align: right;">2861</div></td><td><div style="text-align: right;">63%</div></td></tr><tr><td>F-Prot</td><td><div style="text-align: right;">2776</div></td><td><div style="text-align: right;">61%</div></td></tr><tr><td>Commtouch</td><td><div style="text-align: right;">2759</div></td><td><div style="text-align: right;">60%</div></td></tr><tr><td>Jiangmin</td><td><div style="text-align: right;">2720</div></td><td><div style="text-align: right;">59%</div></td></tr><tr><td>PCTools</td><td><div style="text-align: right;">2586</div></td><td><div style="text-align: right;">57%</div></td></tr><tr><td>VBA32</td><td><div style="text-align: right;">2530</div></td><td><div style="text-align: right;">55%</div></td></tr><tr><td>Panda</td><td><div style="text-align: right;">2500</div></td><td><div style="text-align: right;">55%</div></td></tr><tr><td>AhnLab-V3</td><td><div style="text-align: right;">2465</div></td><td><div style="text-align: right;">54%</div></td></tr><tr><td>VirusBuster</td><td><div style="text-align: right;">2412</div></td><td><div style="text-align: right;">53%</div></td></tr><tr><td>NOD32</td><td><div style="text-align: right;">2266</div></td><td><div style="text-align: right;">49%</div></td></tr><tr><td>TheHacker</td><td><div style="text-align: right;">2223</div></td><td><div style="text-align: right;">49%</div></td></tr><tr><td>CAT-QuickHeal</td><td><div style="text-align: right;">1924</div></td><td><div style="text-align: right;">42%</div></td></tr><tr><td>Rising</td><td><div style="text-align: right;">1843</div></td><td><div style="text-align: right;">40%</div></td></tr><tr><td>ClamAV</td><td><div style="text-align: right;">1841</div></td><td><div style="text-align: right;">40%</div></td></tr><tr><td>eSafe</td><td><div style="text-align: right;">1742</div></td><td><div style="text-align: right;">38%</div></td></tr><tr><td>ESET-NOD32</td><td><div style="text-align: right;">1238</div></td><td><div style="text-align: right;">27%</div></td></tr><tr><td>SUPERAntiSpyware</td><td><div style="text-align: right;">1224</div></td><td><div style="text-align: right;">26%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">1210</div></td><td><div style="text-align: right;">26%</div></td></tr><tr><td>eTrust-Vet</td><td><div style="text-align: right;">1202</div></td><td><div style="text-align: right;">26%</div></td></tr><tr><td>TotalDefense</td><td><div style="text-align: right;">1100</div></td><td><div style="text-align: right;">24%</div></td></tr><tr><td>ViRobot</td><td><div style="text-align: right;">902</div></td><td><div style="text-align: right;">19%</div></td></tr><tr><td>Agnitum</td><td><div style="text-align: right;">568</div></td><td><div style="text-align: right;">12%</div></td></tr><tr><td>MicroWorld-eScan</td><td><div style="text-align: right;">505</div></td><td><div style="text-align: right;">11%</div></td></tr><tr><td>Kingsoft</td><td><div style="text-align: right;">436</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>NANO-Antivirus</td><td><div style="text-align: right;">362</div></td><td><div style="text-align: right;">7%</div></td></tr><tr><td>Malwarebytes</td><td><div style="text-align: right;">255</div></td><td><div style="text-align: right;">5%</div></td></tr><tr><td>ByteHero</td><td><div style="text-align: right;">246</div></td><td><div style="text-align: right;">5%</div></td></tr><tr><td>K7GW</td><td><div style="text-align: right;">104</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>Avast5</td><td><div style="text-align: right;">21</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>eScan</td><td><div style="text-align: right;">19</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Prevx</td><td><div style="text-align: right;">7</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Command</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br /><h2>URL Analysis</h2>A total of 0 URL samples was analyzed between 2013-06-09 and 2013-06-16.<br />0 URL samples was not deemed malicious by VirusTotal at the time of analysis.<br />0 URL samples was not scanned by VirusTotal before at the time of analysis.<br /><br />No URLs has been analysed during the selected period.<br />- Mallory Rasputin, overworked and underpaid malware research intern.<br />You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/r-Bz_VCyJFY" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/06/weekly-malware-statistics-between-2013_17.htmltag:blogger.com,1999:blog-3343693239455968046.post-48996193581423371432013-06-10T18:05:00.001+02:002013-06-10T18:05:53.967+02:002013-06-10T18:05:53.967+02:00Weekly malware statistics between 2013-06-02 and 2013-06-09This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is scientifically pretty flawed for several reasons, so the information provided should not be used for anything important (like selecting a AV-vendor).<br />Here is a short list of known problems with the statistics:<br /><ul><li>The underlying assumptions for what is malware is not scientifically accurate. If a AV-vendor mistakenly flag a sample as malicious then all other vendors is accused of failing to detect the sample. For better accuracy the number of vendors that thinks a sample is malicious should be increased, but to what?</li><li>I have a limited sample gathering and analysis capability and I am not even sure I get a decent amount of fresh malware, thus the sample collection is not scientifically accurate.</li><li>VirusTotal (the service I use to perform the analysis) does not run the sample but only scans the dormant file which means that anti-malware products that detects the execution of the sample is unfairly treated as not detecting the sample, even if it would have done so in a real-life scenario.</li><li>The post is automatically generated and has not been viewed before posting, so no underlying analysis of the result has been performed.</li></ul><br />A total of 11774 samples was analyzed between 2013-06-02 and 2013-06-09.<br />387 samples was not deemed malicious by VirusTotal at the time of analysis.<br />2463 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><h2>File Analysis</h2><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection ratio</th></tr><tr><td>Ikarus</td><td><div style="text-align: right;">1741</div></td><td><div style="text-align: right;">86%</div></td></tr><tr><td>GData</td><td><div style="text-align: right;">1719</div></td><td><div style="text-align: right;">85%</div></td></tr><tr><td>Emsisoft</td><td><div style="text-align: right;">1719</div></td><td><div style="text-align: right;">85%</div></td></tr><tr><td>Avast</td><td><div style="text-align: right;">1685</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>AntiVir</td><td><div style="text-align: right;">1682</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>Comodo</td><td><div style="text-align: right;">1642</div></td><td><div style="text-align: right;">81%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">1641</div></td><td><div style="text-align: right;">81%</div></td></tr><tr><td>F-Secure</td><td><div style="text-align: right;">1630</div></td><td><div style="text-align: right;">81%</div></td></tr><tr><td>McAfee-GW-Edition</td><td><div style="text-align: right;">1622</div></td><td><div style="text-align: right;">80%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">1598</div></td><td><div style="text-align: right;">79%</div></td></tr><tr><td>McAfee</td><td><div style="text-align: right;">1572</div></td><td><div style="text-align: right;">78%</div></td></tr><tr><td>AVG</td><td><div style="text-align: right;">1549</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>VIPRE</td><td><div style="text-align: right;">1546</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>TrendMicro-HouseCall</td><td><div style="text-align: right;">1521</div></td><td><div style="text-align: right;">75%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">1511</div></td><td><div style="text-align: right;">75%</div></td></tr><tr><td>Fortinet</td><td><div style="text-align: right;">1504</div></td><td><div style="text-align: right;">74%</div></td></tr><tr><td>DrWeb</td><td><div style="text-align: right;">1479</div></td><td><div style="text-align: right;">73%</div></td></tr><tr><td>Microsoft</td><td><div style="text-align: right;">1462</div></td><td><div style="text-align: right;">72%</div></td></tr><tr><td>Symantec</td><td><div style="text-align: right;">1447</div></td><td><div style="text-align: right;">71%</div></td></tr><tr><td>Norman</td><td><div style="text-align: right;">1439</div></td><td><div style="text-align: right;">71%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">1420</div></td><td><div style="text-align: right;">70%</div></td></tr><tr><td>TrendMicro</td><td><div style="text-align: right;">1374</div></td><td><div style="text-align: right;">68%</div></td></tr><tr><td>F-Prot</td><td><div style="text-align: right;">1330</div></td><td><div style="text-align: right;">66%</div></td></tr><tr><td>nProtect</td><td><div style="text-align: right;">1326</div></td><td><div style="text-align: right;">65%</div></td></tr><tr><td>Commtouch</td><td><div style="text-align: right;">1317</div></td><td><div style="text-align: right;">65%</div></td></tr><tr><td>Jiangmin</td><td><div style="text-align: right;">1280</div></td><td><div style="text-align: right;">63%</div></td></tr><tr><td>PCTools</td><td><div style="text-align: right;">1238</div></td><td><div style="text-align: right;">61%</div></td></tr><tr><td>Panda</td><td><div style="text-align: right;">1200</div></td><td><div style="text-align: right;">59%</div></td></tr><tr><td>AhnLab-V3</td><td><div style="text-align: right;">1146</div></td><td><div style="text-align: right;">56%</div></td></tr><tr><td>VBA32</td><td><div style="text-align: right;">1101</div></td><td><div style="text-align: right;">54%</div></td></tr><tr><td>TheHacker</td><td><div style="text-align: right;">1026</div></td><td><div style="text-align: right;">50%</div></td></tr><tr><td>CAT-QuickHeal</td><td><div style="text-align: right;">922</div></td><td><div style="text-align: right;">45%</div></td></tr><tr><td>VirusBuster</td><td><div style="text-align: right;">889</div></td><td><div style="text-align: right;">44%</div></td></tr><tr><td>eSafe</td><td><div style="text-align: right;">862</div></td><td><div style="text-align: right;">42%</div></td></tr><tr><td>NOD32</td><td><div style="text-align: right;">850</div></td><td><div style="text-align: right;">42%</div></td></tr><tr><td>ClamAV</td><td><div style="text-align: right;">835</div></td><td><div style="text-align: right;">41%</div></td></tr><tr><td>Rising</td><td><div style="text-align: right;">828</div></td><td><div style="text-align: right;">41%</div></td></tr><tr><td>ESET-NOD32</td><td><div style="text-align: right;">684</div></td><td><div style="text-align: right;">33%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">625</div></td><td><div style="text-align: right;">31%</div></td></tr><tr><td>TotalDefense</td><td><div style="text-align: right;">611</div></td><td><div style="text-align: right;">30%</div></td></tr><tr><td>SUPERAntiSpyware</td><td><div style="text-align: right;">547</div></td><td><div style="text-align: right;">27%</div></td></tr><tr><td>Agnitum</td><td><div style="text-align: right;">489</div></td><td><div style="text-align: right;">24%</div></td></tr><tr><td>MicroWorld-eScan</td><td><div style="text-align: right;">458</div></td><td><div style="text-align: right;">22%</div></td></tr><tr><td>ViRobot</td><td><div style="text-align: right;">452</div></td><td><div style="text-align: right;">22%</div></td></tr><tr><td>eTrust-Vet</td><td><div style="text-align: right;">447</div></td><td><div style="text-align: right;">22%</div></td></tr><tr><td>NANO-Antivirus</td><td><div style="text-align: right;">445</div></td><td><div style="text-align: right;">22%</div></td></tr><tr><td>Kingsoft</td><td><div style="text-align: right;">350</div></td><td><div style="text-align: right;">17%</div></td></tr><tr><td>Malwarebytes</td><td><div style="text-align: right;">162</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>ByteHero</td><td><div style="text-align: right;">100</div></td><td><div style="text-align: right;">4%</div></td></tr><tr><td>K7GW</td><td><div style="text-align: right;">75</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>eScan</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Avast5</td><td><div style="text-align: right;">10</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Webwasher-Gateway</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Sunbelt</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>McAfeeBeta</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>McAfee+Artemis</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br /><h2>URL Analysis</h2><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection ratio</th></tr><tr><td>CLEAN MX</td><td><div style="text-align: right;">5338</div></td><td><div style="text-align: right;">77%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">5082</div></td><td><div style="text-align: right;">73%</div></td></tr><tr><td>Fortinet</td><td><div style="text-align: right;">4141</div></td><td><div style="text-align: right;">59%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">3690</div></td><td><div style="text-align: right;">53%</div></td></tr><tr><td>SCUMWARE_org</td><td><div style="text-align: right;">3058</div></td><td><div style="text-align: right;">44%</div></td></tr><tr><td>Google Safebrowsing</td><td><div style="text-align: right;">2719</div></td><td><div style="text-align: right;">39%</div></td></tr><tr><td>Websense ThreatSeeker</td><td><div style="text-align: right;">2527</div></td><td><div style="text-align: right;">36%</div></td></tr><tr><td>Yandex Safebrowsing</td><td><div style="text-align: right;">2479</div></td><td><div style="text-align: right;">35%</div></td></tr><tr><td>ADMINUSLabs</td><td><div style="text-align: right;">2207</div></td><td><div style="text-align: right;">31%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">2190</div></td><td><div style="text-align: right;">31%</div></td></tr><tr><td>Dr_Web</td><td><div style="text-align: right;">1419</div></td><td><div style="text-align: right;">20%</div></td></tr><tr><td>Avira</td><td><div style="text-align: right;">995</div></td><td><div style="text-align: right;">14%</div></td></tr><tr><td>ESET</td><td><div style="text-align: right;">940</div></td><td><div style="text-align: right;">13%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">691</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">590</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>ParetoLogic</td><td><div style="text-align: right;">225</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>Netcraft</td><td><div style="text-align: right;">213</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>Comodo Site Inspector</td><td><div style="text-align: right;">201</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>Opera</td><td><div style="text-align: right;">195</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>G-Data</td><td><div style="text-align: right;">118</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>AlienVault</td><td><div style="text-align: right;">82</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>C-SIRT</td><td><div style="text-align: right;">67</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Malc0de Database</td><td><div style="text-align: right;">42</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>SecureBrain</td><td><div style="text-align: right;">28</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Phishtank</td><td><div style="text-align: right;">23</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Sucuri SiteCheck</td><td><div style="text-align: right;">17</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Minotaur</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>zvelo</td><td><div style="text-align: right;">8</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Quttera</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>MalwarePatrol</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern.<br />You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/jp9k9pfCkRM" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/06/weekly-malware-statistics-between-2013_10.htmltag:blogger.com,1999:blog-3343693239455968046.post-8190636980066669512013-06-03T21:48:00.001+02:002013-06-03T22:10:42.610+02:002013-06-03T22:10:42.610+02:00Weekly malware statistics between 2013-05-26 and 2013-06-02This is a report of malware detected by VirusTotal at the time of sample analysis.<br />
The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br />
<br />
A total of 13310 samples was analyzed between 2013-05-26 and 2013-06-02.<br />
446 samples was not deemed malicious by VirusTotal at the time of analysis.<br />
3635 samples was not scanned by VirusTotal before at the time of analysis.<br />
<br />
<h2>
File Analysis</h2>
No files has been analysed during the period in question.<br />
<h2>
URL Analysis</h2>
<table><tbody>
<tr><th><div style="text-align: left;">
Engine</div>
</th><th>Detected samples</th><th>Detection ratio</th></tr>
<tr><td>Fortinet</td><td><div style="text-align: right;">
6661</div>
</td><td><div style="text-align: right;">
72%</div>
</td></tr>
<tr><td>BitDefender</td><td><div style="text-align: right;">
3374</div>
</td><td><div style="text-align: right;">
36%</div>
</td></tr>
<tr><td>Sophos</td><td><div style="text-align: right;">
2432</div>
</td><td><div style="text-align: right;">
26%</div>
</td></tr>
<tr><td>Websense ThreatSeeker</td><td><div style="text-align: right;">
2313</div>
</td><td><div style="text-align: right;">
25%</div>
</td></tr>
<tr><td>SCUMWARE_org</td><td><div style="text-align: right;">
2115</div>
</td><td><div style="text-align: right;">
22%</div>
</td></tr>
<tr><td>ADMINUSLabs</td><td><div style="text-align: right;">
1571</div>
</td><td><div style="text-align: right;">
17%</div>
</td></tr>
<tr><td>Yandex Safebrowsing</td><td><div style="text-align: right;">
1075</div>
</td><td><div style="text-align: right;">
11%</div>
</td></tr>
<tr><td>Antiy-AVL</td><td><div style="text-align: right;">
1058</div>
</td><td><div style="text-align: right;">
11%</div>
</td></tr>
<tr><td>ParetoLogic</td><td><div style="text-align: right;">
875</div>
</td><td><div style="text-align: right;">
9%</div>
</td></tr>
<tr><td>Google Safebrowsing</td><td><div style="text-align: right;">
861</div>
</td><td><div style="text-align: right;">
9%</div>
</td></tr>
<tr><td>ESET</td><td><div style="text-align: right;">
838</div>
</td><td><div style="text-align: right;">
9%</div>
</td></tr>
<tr><td>K7AntiVirus</td><td><div style="text-align: right;">
797</div>
</td><td><div style="text-align: right;">
8%</div>
</td></tr>
<tr><td>C-SIRT</td><td><div style="text-align: right;">
688</div>
</td><td><div style="text-align: right;">
7%</div>
</td></tr>
<tr><td>Dr_Web</td><td><div style="text-align: right;">
455</div>
</td><td><div style="text-align: right;">
4%</div>
</td></tr>
<tr><td>CLEAN MX</td><td><div style="text-align: right;">
425</div>
</td><td><div style="text-align: right;">
4%</div>
</td></tr>
<tr><td>Kaspersky</td><td><div style="text-align: right;">
130</div>
</td><td><div style="text-align: right;">
1%</div>
</td></tr>
<tr><td>Minotaur</td><td><div style="text-align: right;">
122</div>
</td><td><div style="text-align: right;">
1%</div>
</td></tr>
<tr><td>Sucuri SiteCheck</td><td><div style="text-align: right;">
76</div>
</td><td><div style="text-align: right;">
0%</div>
</td></tr>
<tr><td>AlienVault</td><td><div style="text-align: right;">
68</div>
</td><td><div style="text-align: right;">
0%</div>
</td></tr>
<tr><td>Phishtank</td><td><div style="text-align: right;">
67</div>
</td><td><div style="text-align: right;">
0%</div>
</td></tr>
<tr><td>Comodo Site Inspector</td><td><div style="text-align: right;">
67</div>
</td><td><div style="text-align: right;">
0%</div>
</td></tr>
<tr><td>Opera</td><td><div style="text-align: right;">
65</div>
</td><td><div style="text-align: right;">
0%</div>
</td></tr>
<tr><td>Netcraft</td><td><div style="text-align: right;">
65</div>
</td><td><div style="text-align: right;">
0%</div>
</td></tr>
<tr><td>CyberCrime</td><td><div style="text-align: right;">
65</div>
</td><td><div style="text-align: right;">
0%</div>
</td></tr>
<tr><td>Malc0de Database</td><td><div style="text-align: right;">
4</div>
</td><td><div style="text-align: right;">
0%</div>
</td></tr>
<tr><td>G-Data</td><td><div style="text-align: right;">
4</div>
</td><td><div style="text-align: right;">
0%</div>
</td></tr>
</tbody></table>
<br />
- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href="mailto:research@michaelboman.org">research@michaelboman.org</a>.<img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/vZiXYzrypHw" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/06/weekly-malware-statistics-between-2013.htmltag:blogger.com,1999:blog-3343693239455968046.post-29279933292681100402013-06-03T20:35:00.000+02:002013-06-03T20:35:00.515+02:002013-06-03T20:35:00.515+02:00Cuckoo Sandbox on Hardware: Installing the clone management serverThe first piece of the puzzle is a cloning server, and for this I am using the <a href="http://www.fogproject.org/">FOG Project</a>. The task of the cloning server is to re-install the hardware node to a know good state (like "revert to snapshot" on virtual machines, or perhaps cloning a new virtual machine from template (like what my "<a href="http://blog.michaelboman.org/2013/04/clone-and-add-python-version.html">CloneAndAdd.py</a>" script does).<br />
<br />
I am running the FOG Server in a Ubuntu OpenVZ container on my Proxmox VE system. Because it is running in a container I need to use the user-space instead of the kernel-space NFS server, but I have documented both parts here.<br />
<h2>
Installing FOG Project server in a OpenVZ container</h2>
Follow these instructions if you want to install FOG in a OpenVZ container, else install FOG on a separate machine or as a VirtualBox/VMWare/etc. VM. I choose OpenVZ as I already have a Proxmox VE installed that takes care of all "infrastructure" services like firwall, DNS etc. Your mileage may vary.<br />
<h3>
Creating a Ubuntu OpenVZ container</h3>
First you need to create a OpenVZ container. You do this by pressing "Create CT" in the upper right corner in the Proxmox VE GUI.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-cUvW3BGqDuw/UZzYmtPvvEI/AAAAAAAAKsU/ql6iWDf7AMU/s1600/Create+OpenVZ+Container+step+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="http://3.bp.blogspot.com/-cUvW3BGqDuw/UZzYmtPvvEI/AAAAAAAAKsU/ql6iWDf7AMU/s640/Create+OpenVZ+Container+step+1.PNG" width="640" /></a></div>
<br />
A wizard will start to guide you though the container creation.<br />
<br />
<b>General</b>: First we need to provide a Hostname and a password for the "root" user account.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-HFocU08BooU/UZzLM8XRfiI/AAAAAAAAKq4/gtLLosoej4U/s1600/Create+OpenVZ+Container+step+3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-HFocU08BooU/UZzLM8XRfiI/AAAAAAAAKq4/gtLLosoej4U/s1600/Create+OpenVZ+Container+step+3.PNG" /></a></div>
<br />
<b>Template</b>: In the second step we need to specify what template you want to use for the container. I choose 32-bit Ubuntu 12.04, which is the latest LTS-release as of this writing. Please refer to the Proxmox VE Wiki for information on how to obtain OpenVZ templates for Proxmox VE.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-CyuLyKHoTnQ/UZzLNwCvAVI/AAAAAAAAKrE/A269zIMsT2k/s1600/Create+OpenVZ+Container+step+4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-CyuLyKHoTnQ/UZzLNwCvAVI/AAAAAAAAKrE/A269zIMsT2k/s1600/Create+OpenVZ+Container+step+4.PNG" /></a></div>
<br />
<b>Resources</b>: We need to specify how much resources we should give this new container. I kept RAM and SWAP at default 512 MB each, but increased the disk space to 100 Gb (it is not pre-allocated so it will only use what it actually needs).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-2KRZo96zIdI/UZzLONIvnuI/AAAAAAAAKrI/dYFsMZc8JfU/s1600/Create+OpenVZ+Container+step+5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-2KRZo96zIdI/UZzLONIvnuI/AAAAAAAAKrI/dYFsMZc8JfU/s1600/Create+OpenVZ+Container+step+5.PNG" /></a></div>
<br />
<b>Network</b>: I choose bridged mode and the correct bridge interface for his machine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-jb1w2G0YxB4/UZzLOX36_1I/AAAAAAAAKrU/G4blkjCho6E/s1600/Create+OpenVZ+Container+step+6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-jb1w2G0YxB4/UZzLOX36_1I/AAAAAAAAKrU/G4blkjCho6E/s1600/Create+OpenVZ+Container+step+6.PNG" /></a></div>
<br />
<b>DNS</b>: I left the DNS settings as default so Proxmox VE will use the system wide settings.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-WACAW7m7-3M/UZzLO56idAI/AAAAAAAAKrY/rXSNjAyR7oo/s1600/Create+OpenVZ+Container+step+7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-WACAW7m7-3M/UZzLO56idAI/AAAAAAAAKrY/rXSNjAyR7oo/s1600/Create+OpenVZ+Container+step+7.PNG" /></a></div>
<br />
<b>Confirm</b>: Confirm the chosen settings<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-xKdB1R0RrWg/UZzLPIhickI/AAAAAAAAKrg/S5UM9nanpMI/s1600/Create+OpenVZ+Container+step+8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-xKdB1R0RrWg/UZzLPIhickI/AAAAAAAAKrg/S5UM9nanpMI/s1600/Create+OpenVZ+Container+step+8.PNG" /></a></div>
<br />
Template extraction begins. Wait until it has been completed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-qnlwEw7JaIs/UZzZcYNOCwI/AAAAAAAAKsg/x2eJtEMXXeM/s1600/Create+OpenVZ+Container+step+9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-qnlwEw7JaIs/UZzZcYNOCwI/AAAAAAAAKsg/x2eJtEMXXeM/s1600/Create+OpenVZ+Container+step+9.PNG" /></a></div>
<br />
Congratulations, you have now a standard 32-bit Ubuntu system in a OpenVZ container.<br />
<h2>
Enabling networking</h2>
<h2>
<span style="font-weight: normal;"><span style="font-size: small;">Once the OpenVZ container has been created you need to start it up. Once booted you can use the Java console to enter the system and configure networking. I am using DHCP with static leases to manage the systems IP networking. That way I can just make a quick change in my DHCP server if I need to change my subnet prefix.</span></span><br />
Updating the system</h2>
<h2>
<span style="font-size: small;"><span style="font-weight: normal;">Once you have the system running and some network connectivity it is a good time to make sure the system is up-to-date. The process is like any other Debian/Ubuntu based system:</span></span><br />
<blockquote class="tr_bq">
<span style="font-size: small;"><span style="font-weight: normal;"># apt-get update</span></span><span style="font-size: small;"><span style="font-weight: normal;"># apt-get dist-upgrade</span></span></blockquote>
Downloading FOG Server</h2>
<h2>
<span style="font-weight: normal;"><span style="font-size: small;">So now we have an up-to-date Ubuntu installation. Time to make it a FOG Project server. Download the FOG Project source from </span></span><span style="font-size: small;"><a href="http://www.fogproject.org/">http://www.fogproject.org/</a><span style="font-weight: normal;"> and unpack </span></span><span style="font-size: small; font-weight: normal;">it, like this:</span><br />
<blockquote class="tr_bq">
<span style="font-weight: normal;"><span style="font-size: small;"># wget -O </span></span><span style="font-size: small; font-weight: normal;">fog_0.32.tar.gz </span><span style="font-size: small; font-weight: normal;">http://sourceforge.net/projects/freeghost/files/FOG/fog_0.32/fog_0.32.tar.gz/download</span><span style="font-weight: normal;"><span style="font-size: small;"># tar xzf </span></span><span style="font-size: small; font-weight: normal;">fog_0.32.tar.gz</span></blockquote>
<span style="font-size: small;"><span style="font-weight: normal;">Unfortunately </span></span><span style="font-size: small; font-weight: normal;">the kernel-space NFS server, which is default in Ubuntu, doesn't work so good in a OpenVZ container - mainly because OpenVZ containers does not have their own kernel. To fix this we need to do two this: Modify the FOG Project installation script and install a user-space NFS server (unfs3).</span><br />
<span style="font-weight: normal;"><span style="font-size: small;"><br /></span></span>
Modifying FOG Server installation script to support OpenVZ</h2>
<h2>
<span style="font-size: small; font-weight: normal;">Edit the </span><span style="font-size: small; font-weight: normal;">fog_0.32/lib/ubuntu/config.sh</span><span style="font-size: small; font-weight: normal;"> file and change any reference of </span><span style="font-size: small;"><span style="font-weight: normal;">nfs-kernel-server</span></span><span style="font-size: small; font-weight: normal;"> to </span><span style="font-size: small; font-weight: normal;">unfs3</span><span style="font-size: small; font-weight: normal;">. </span><br />
<span style="font-size: small; font-weight: normal;"><br /></span>
<span style="font-size: small; font-weight: normal;">You also need to modify the resulting /etc/exports file because unfs3 doesn't work with wildcards. You do this by modifying the </span><span style="font-size: small;"><span style="font-weight: normal;">configureNFS() function in</span></span><span style="font-size: small; font-weight: normal;"> </span><span style="font-size: small; font-weight: normal;">fog_0.32/lib/ubuntu/functions.sh</span><span style="font-size: small; font-weight: normal;"> file and replace the</span></h2>
<div>
<span style="font-size: small; font-weight: normal;"><blockquote class="tr_bq">
echo "/images *(ro,sync,no_wdelay,insecure_locks,no_root_squash,insecure)<br />/images/dev *(rw,sync,no_wdelay,no_root_squash,insecure)" > "${nfsconfig}";</blockquote>
<div>
lines with net addresses, like this:</div>
<div>
<blockquote class="tr_bq">
echo "/images 192.168.1.0/255.255.255.0(ro,sync,no_wdelay,insecure_locks,no_root_squash,insecure)<br />/images/dev 192.168.1.0/255.255.255.0(rw,sync,no_wdelay,no_root_squash,insecure)" > "${nfsconfig}";</blockquote>
</div>
<div>
You will also need to replace the following lines:</div>
</span></div>
<div>
<br />
<blockquote class="tr_bq">
sysv-rc-conf nfs-kernel-server on >/dev/null 2>&1;<br />/etc/init.d/nfs-kernel-server stop >/dev/null 2>&1;<br />/etc/init.d/nfs-kernel-server start >/dev/null 2>&1;</blockquote>
<div>
with</div>
<br />
<br />
<blockquote class="tr_bq">
sysv-rc-conf unfs3 on >/dev/null 2>&1;<br />/etc/init.d/unfs3 stop >/dev/null 2>&1;<br />/etc/init.d/unfs3 start >/dev/null 2>&1;</blockquote>
<div>
Save and quit your editor of choice.</div>
<h2>
Installing user-space NFS-server</h2>
</div>
<div>
Unfortunately Ubuntu has stopped shipping the user-space NFS server unfs3, we we need to build the package ourselves. Don't worry, it is quite easy to do that - just follow the instructions here.</div>
<h3>
Downloading</h3>
Go to <a href="http://mirror.fsf.org/trisquel/pool/main/u/unfs3/">http://mirror.fsf.org/trisquel/pool/main/u/unfs3/</a> and download the files <a href="http://mirror.fsf.org/trisquel/pool/main/u/unfs3/unfs3_0.9.22+dfsg-2.diff.gz">unfs3_0.9.22+dfsg-2.diff.gz</a>, <a href="http://mirror.fsf.org/trisquel/pool/main/u/unfs3/unfs3_0.9.22+dfsg-2.dsc">unfs3_0.9.22+dfsg-2.dsc</a> and <a href="http://mirror.fsf.org/trisquel/pool/main/u/unfs3/unfs3_0.9.22+dfsg.orig.tar.gz">unfs3_0.9.22+dfsg.orig.tar.gz</a>. Once downloaded unpack the unfs3_0.9.22+dfsg.orig.tar.gz archive like this:<br />
<br />
<blockquote class="tr_bq">
# tar xzf unfs3_0.9.22+dfsg.orig.tar.gz</blockquote>
then enter the unpacked directory and apply the unfs3_0.9.22+dfsg-2.diff.gz patch, like this:<br />
# zcat unfs3_0.9.22+dfsg-2.diff.gz | patch -p0<br />
<h3>
Packaging</h3>
Once the source is patched we will create a .deb using the following command:<br />
<blockquote class="tr_bq">
# cd unfs3-0.9.22+dfsg/<br /># dpkg-buildpackage</blockquote>
<div>
To build unfs3 you need to have build-essential installed. You may also need to install additional build dependencies, as directed.</div>
<h3>
Installing</h3>
<div>
Once the unfs3 package is created you install it like this:</div>
<div>
<br /></div>
<div>
# dpkg -i ../unfs3_0.9.22+dfsg-2_i386.deb</div>
<div>
<br /></div>
<div>
We have now a user-space NFS-server (unfs3) running in a OpenVZ container. Good job! If it fails to start make sure that portmap (/etc/init.d/portmap) is started.</div>
<h2>
Installing FOG Project</h2>
The final step is to actually install the FOG Project server itself. Luckily it is a very straight-forward process now that we have prepared everything else:<br />
<blockquote class="tr_bq">
# cd fog_0.32/bin/<br /># ./installfog.sh</blockquote>
Follow the on-screen instructions. As I already have a DHCP-server I reconfigured it to serve FOG Project needs as described at <a href="http://www.fogproject.org/wiki/index.php?title=Modifying_existing_DHCP_server_to_work_with_FOG">http://www.fogproject.org/wiki/index.php?title=Modifying_existing_DHCP_server_to_work_with_FOG</a>.<br />
<br />
After the installation your FOG Server is now running:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-1DFshx77-z4/UZ0UVUNUj6I/AAAAAAAAKsw/OQK57V7MdIc/s1600/FOG+Login+screen.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="314" src="http://2.bp.blogspot.com/-1DFshx77-z4/UZ0UVUNUj6I/AAAAAAAAKsw/OQK57V7MdIc/s640/FOG+Login+screen.PNG" width="640" /></a></div>
<br />
<h2>
Conclusions</h2>
We have now a FOG Project server that will allow us to create and restore physical systems. In the next blog post in the series we will walk through the installation of the physical node and the dependent software.<img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/n8EphTwBjmU" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/06/cuckoo-sandbox-on-hardware-installing.htmltag:blogger.com,1999:blog-3343693239455968046.post-2282527417848324372013-05-27T02:00:00.001+02:002013-05-27T02:00:35.007+02:002013-05-27T02:00:35.007+02:00Weekly malware statistics between 2013-05-19 and 2013-05-26This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 13345 samples was analyzed between 2013-05-19 and 2013-05-26.<br />562 samples was not deemed malicious by VirusTotal at the time of analysis.<br />3296 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr><tr><td>Fortinet</td><td><div style="text-align: right;">6653</div></td><td><div style="text-align: right;">70%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">2510</div></td><td><div style="text-align: right;">26%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">2376</div></td><td><div style="text-align: right;">25%</div></td></tr><tr><td>Websense ThreatSeeker</td><td><div style="text-align: right;">2190</div></td><td><div style="text-align: right;">23%</div></td></tr><tr><td>SCUMWARE_org</td><td><div style="text-align: right;">2190</div></td><td><div style="text-align: right;">23%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">1379</div></td><td><div style="text-align: right;">14%</div></td></tr><tr><td>Yandex Safebrowsing</td><td><div style="text-align: right;">1078</div></td><td><div style="text-align: right;">11%</div></td></tr><tr><td>ADMINUSLabs</td><td><div style="text-align: right;">961</div></td><td><div style="text-align: right;">10%</div></td></tr><tr><td>ParetoLogic</td><td><div style="text-align: right;">909</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>ESET</td><td><div style="text-align: right;">767</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>Google Safebrowsing</td><td><div style="text-align: right;">750</div></td><td><div style="text-align: right;">7%</div></td></tr><tr><td>C-SIRT</td><td><div style="text-align: right;">686</div></td><td><div style="text-align: right;">7%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">589</div></td><td><div style="text-align: right;">6%</div></td></tr><tr><td>Dr_Web</td><td><div style="text-align: right;">367</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>CLEAN MX</td><td><div style="text-align: right;">253</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>MalwareDomainList</td><td><div style="text-align: right;">139</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">109</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>CyberCrime</td><td><div style="text-align: right;">73</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>AlienVault</td><td><div style="text-align: right;">68</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Phishtank</td><td><div style="text-align: right;">66</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Comodo Site Inspector</td><td><div style="text-align: right;">66</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Sucuri SiteCheck</td><td><div style="text-align: right;">65</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Opera</td><td><div style="text-align: right;">64</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Netcraft</td><td><div style="text-align: right;">64</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Avira</td><td><div style="text-align: right;">17</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Malekal</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/YhZUHnR2KQo" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/05/weekly-malware-statistics-between-2013_27.htmltag:blogger.com,1999:blog-3343693239455968046.post-3362328235946600252013-05-23T20:44:00.002+02:002013-05-23T20:44:27.965+02:002013-05-23T20:44:27.965+02:00Cross-compiling cuckoomon under LinuxHere is a quick tip on how to compile Cuckoomon under Linux for those who can't or do not want to install a development environment under Windows. <a href="https://github.com/cuckoobox/cuckoomon">Cuckoomon </a>is the DLL (<a href="http://en.wikipedia.org/wiki/Dynamic-link_library">Dynamic-linked Library</a>) that gets injected into the analysed malware sample to monitor the system calls the sample is performing. Unfortunately you will need a Windows environment with a compiler to perform any changes to the DLL. I have managed to cross-compile cuckoomon.dll under Ubuntu Linux by following this process:<br />
<br />
Install MingGW<br />
<blockquote class="tr_bq">
$ sudo apt-get install mingw32</blockquote>
Update Makefile and change<br />
<blockquote class="tr_bq">
CC = gcc</blockquote>
to<br />
<blockquote class="tr_bq">
CC = /usr/bin/i586-mingw32msvc-gcc</blockquote>
Compile the DLL:<br />
<blockquote class="tr_bq">
$ make</blockquote>
And copy the resulting file (cuckoomon.dll) into ~/cuckoo/analyzer/windows/dll/cuckoomon.dll. You don't need to restart Cuckoo Sandbox for the changes to take effect as the file is copied to the guest at the beginning of each analyze task.<img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/g8_1CWmQ5F4" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/05/cross-compiling-cuckoomon-under-linux.htmltag:blogger.com,1999:blog-3343693239455968046.post-68940211067648665272013-05-21T22:04:00.000+02:002013-05-21T22:04:10.467+02:002013-05-21T22:04:10.467+02:00Upcoming article series: Cuckoo Sandbox on Hardware<div>
This is a bit of a heads-up and teaser post. In a series of articles I will disclose on how I perform malware analysis on on-the-iron hardware nodes with Cuckoo Sandbox. Some of the steps are optional, but if you want to achieve high sample throughput on hardware nodes then I highly suggest investing in the extra hardware which is not terrible expensive.</div>
<div>
<br /></div>
<div>
Here is the planned blog posts (and their expected publishing date):</div>
<div>
<ol>
<li>Installing the clone management server (2013-06-03)</li>
<li>Installing the OS and required guest utils on the hardware node (2013-06-17)</li>
<li>Preparing the hardware node for cloning (2013-07-01)</li>
<li>Creating a golden image (2013-07-15)</li>
<li>Reverting to snapshot on hardware using software (2013-07-29)</li>
<li>Rebooting hardware node using software (2013-08-12)</li>
<li>Reverting to snapshot on hardware using hardware (2013-09-16)</li>
<li>Rebooting hardware node using hardware (2013-09-30)</li>
<li>Enabling hardware machine manager in Cuckoo Sandbox (2013-10-14)</li>
</ol>
</div>
<div>
The publishing schedule is based on the time I have available to spend on documenting this as well as not disclosing anything before <a href="http://blog.michaelboman.org/2013/03/call-for-papers-submissions.html">the talk I submitted</a> for <a href="http://44con.com/">44Con</a>. Your comments are much appreciated, do let me know your thoughts about this article series or malware analysis in general.</div>
<img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/NA7ZjY185o8" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/05/upcoming-article-series-cuckoo-sandbox.htmltag:blogger.com,1999:blog-3343693239455968046.post-41157360275662641912013-05-20T02:00:00.001+02:002013-05-20T02:00:26.239+02:002013-05-20T02:00:26.239+02:00Weekly malware statistics between 2013-05-12 and 2013-05-19This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 8882 samples was analyzed between 2013-05-12 and 2013-05-19.<br />409 samples was not deemed malicious by VirusTotal at the time of analysis.<br />2083 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr><tr><td>Fortinet</td><td><div style="text-align: right;">4493</div></td><td><div style="text-align: right;">70%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">1640</div></td><td><div style="text-align: right;">25%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">1584</div></td><td><div style="text-align: right;">24%</div></td></tr><tr><td>Websense ThreatSeeker</td><td><div style="text-align: right;">1530</div></td><td><div style="text-align: right;">23%</div></td></tr><tr><td>SCUMWARE_org</td><td><div style="text-align: right;">1472</div></td><td><div style="text-align: right;">23%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">1006</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Yandex Safebrowsing</td><td><div style="text-align: right;">711</div></td><td><div style="text-align: right;">11%</div></td></tr><tr><td>ADMINUSLabs</td><td><div style="text-align: right;">638</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>ParetoLogic</td><td><div style="text-align: right;">582</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>ESET</td><td><div style="text-align: right;">563</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>Google Safebrowsing</td><td><div style="text-align: right;">494</div></td><td><div style="text-align: right;">7%</div></td></tr><tr><td>C-SIRT</td><td><div style="text-align: right;">462</div></td><td><div style="text-align: right;">7%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">409</div></td><td><div style="text-align: right;">6%</div></td></tr><tr><td>MalwareDomainList</td><td><div style="text-align: right;">280</div></td><td><div style="text-align: right;">4%</div></td></tr><tr><td>Dr_Web</td><td><div style="text-align: right;">176</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>CLEAN MX</td><td><div style="text-align: right;">114</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>Phishtank</td><td><div style="text-align: right;">60</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Opera</td><td><div style="text-align: right;">56</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Netcraft</td><td><div style="text-align: right;">56</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Comodo Site Inspector</td><td><div style="text-align: right;">51</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>AlienVault</td><td><div style="text-align: right;">51</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Sucuri SiteCheck</td><td><div style="text-align: right;">50</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Avira</td><td><div style="text-align: right;">44</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">31</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>CyberCrime</td><td><div style="text-align: right;">22</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Quttera</td><td><div style="text-align: right;">9</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/5h-MSF6qZJY" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/05/weekly-malware-statistics-between-2013_20.htmltag:blogger.com,1999:blog-3343693239455968046.post-80691079154317861172013-05-17T17:13:00.001+02:002013-05-17T17:13:30.946+02:002013-05-17T17:13:30.946+02:00Running Cuckoo Web and API servers under ApacheI have had reasons to run Cuckoo's web and API servers under Apache web server, part due to stability issues when running it stand-alone, but I also find it more nice when running things under Apache (one place to rule them all...).<br />
<h2>
Preparing web.py and api.py to run under Apache</h2>
Add the following files under ~cuckoo/utils:<br />
<h3>
cuckoo/utils/api.wsgi</h3>
<pre># Copyright (c) 2013, Michael Boman
#
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ''AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
import os
import sys
cur_dir = os.path.dirname(__file__)
os.chdir(cur_dir)
sys.path.append(cur_dir)
import bottle
import api
application = bottle.default_app()</pre>
<h3>
cuckoo/utils/web.wsgi</h3>
<pre># Copyright (c) 2013, Michael Boman
#
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ''AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
import os
import sys
cur_dir = os.path.dirname(__file__)
os.chdir(cur_dir)
sys.path.append(cur_dir)
import bottle
import web
application = bottle.default_app()</pre>
<h2>
Installing and preparing Apache</h2>
To run web.py and api.py under apache we need to have the WSGI (Web Service Gateway Interface) installed. To install Apache and the WSGI module run:<br />
<br />
<pre>$ sudo apt-get install apache2 libapache2-mod-wsgi</pre>
<h2>
Configuring Apache</h2>
You need to create two new site-definitions. Look at the examples below:<br />
<h3>
/etc/apache2/sites-available/cuckoo-api
</h3>
<pre><virtualhost> ServerAdmin michael@michaelboman.org
ServerName mart-api.michaelboman.net
WSGIDaemonProcess api user=mart group=mart processes=1 threads=5
WSGIScriptAlias / /MART/cuckoo/utils/api.wsgi
<directory api.wsgi="" cuckoo="" utils="">
WSGIProcessGroup mart
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</directory>
ErrorLog /MART/cuckoo/log/api-error.log
LogLevel warn
CustomLog /MART/cuckoo/log/api-access.log combined
ServerSignature Off
</virtualhost></pre>
<h3>
/etc/apache2/sites-available/cuckoo-web</h3>
<pre><virtualhost> ServerAdmin michael@michaelboman.org
ServerName mart-web.michaelboman.net
WSGIDaemonProcess web user=mart group=mart processes=1 threads=5
WSGIScriptAlias / /MART/cuckoo/utils/web.wsgi
<directory cuckoo="" utils="" web.wsgi="">
WSGIProcessGroup mart
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</directory>
ErrorLog /MART/cuckoo/log/web-error.log
LogLevel warn
CustomLog /MART/cuckoo/log/web-access.log combined
ServerSignature Off</virtualhost>
</pre>
<h2>
Enabling it</h2>
<div>
We need to enable the WSGI module and activate the two site definitions added above. You can do this by running:</div>
<div>
<br /></div>
<pre>$ sudo a2enmod wsgi
$ sudo a2ensite cuckoo-web
$ sudo a2ensite cuckoo-api</pre>
<h2>
Future plans</h2>
Now when I have web.py and api.py running under Apache it should be fairly simple to SSL-enable the services. Stay tuned!<br />
<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/dsxAdW5gjCw" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/05/running-cuckoo-web-and-api-servers.htmltag:blogger.com,1999:blog-3343693239455968046.post-12405155481502899802013-05-13T02:00:00.001+02:002013-05-13T02:00:15.724+02:002013-05-13T02:00:15.724+02:00Weekly malware statistics between 2013-05-05 and 2013-05-12This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 2119 samples was analyzed between 2013-05-05 and 2013-05-12.<br />103 samples was not deemed malicious by VirusTotal at the time of analysis.<br />307 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr><tr><td>Fortinet</td><td><div style="text-align: right;">982</div></td><td><div style="text-align: right;">57%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">448</div></td><td><div style="text-align: right;">26%</div></td></tr><tr><td>SCUMWARE_org</td><td><div style="text-align: right;">424</div></td><td><div style="text-align: right;">24%</div></td></tr><tr><td>Websense ThreatSeeker</td><td><div style="text-align: right;">346</div></td><td><div style="text-align: right;">20%</div></td></tr><tr><td>Yandex Safebrowsing</td><td><div style="text-align: right;">244</div></td><td><div style="text-align: right;">14%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">239</div></td><td><div style="text-align: right;">13%</div></td></tr><tr><td>ParetoLogic</td><td><div style="text-align: right;">172</div></td><td><div style="text-align: right;">10%</div></td></tr><tr><td>ADMINUSLabs</td><td><div style="text-align: right;">141</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>Google Safebrowsing</td><td><div style="text-align: right;">133</div></td><td><div style="text-align: right;">7%</div></td></tr><tr><td>C-SIRT</td><td><div style="text-align: right;">131</div></td><td><div style="text-align: right;">7%</div></td></tr><tr><td>ESET</td><td><div style="text-align: right;">125</div></td><td><div style="text-align: right;">7%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">61</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>Dr_Web</td><td><div style="text-align: right;">36</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>Sucuri SiteCheck</td><td><div style="text-align: right;">12</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Opera</td><td><div style="text-align: right;">12</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Netcraft</td><td><div style="text-align: right;">12</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>AlienVault</td><td><div style="text-align: right;">12</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Phishtank</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Comodo Site Inspector</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">9</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/guKGw3375Xs" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/05/weekly-malware-statistics-between-2013_13.htmltag:blogger.com,1999:blog-3343693239455968046.post-8484019795394236022013-05-07T19:00:00.000+02:002013-05-08T14:18:44.048+02:002013-05-08T14:18:44.048+02:00Monitoring Cuckoo VMs from the consoleI have had some problems with hung VMs over the last few days. I think I have fixed it now, but meanwhile I am monitoring the status of my analysis machines with the script below. It takes the information from the API-server and renders it nicely in a ASCII table.<br />
<br />
The script depends on the <a href="https://pypi.python.org/pypi/requests">requests</a> and <a href="https://pypi.python.org/pypi/texttable">texttable</a> modules, but else it is pretty standard. You could replace requests with <a href="http://docs.python.org/2/library/urllib.html">urllib</a>, but as I already have requests available on my system and it is much nicer to work with I am using it.<br />
<br />
Here is a screenshot of the script running under "watch".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-za0wdyocA3M/UYkW9SMvVZI/AAAAAAAAKhE/GLJLlNVj5Pc/s1600/Cuckoo+VM+Status.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="http://2.bp.blogspot.com/-za0wdyocA3M/UYkW9SMvVZI/AAAAAAAAKhE/GLJLlNVj5Pc/s640/Cuckoo+VM+Status.png" width="640" /></a></div>
<br />
<br />
And here is the code:
<br />
<br />
<pre>#!/usr/bin/env python
import requests
import json
import datetime
from texttable import Texttable
r = requests.get('http://localhost:8090/machines/list')
j = json.loads(r.content)
deltaTime = datetime.timedelta(minutes=10)
currentTime = datetime.datetime.now().replace(microsecond=0)
table = Texttable(max_width=0)
rows = list()
header = ["IP","Label","Locked","Lock change","Name","Platform","Status","Status change","Comment"]
rows.append(header)
for machine in j["machines"]:
lastUpdated = datetime.datetime.strptime(machine["status_changed_on"], "%Y-%m-%d %H:%M:%S")
if machine["locked"]:
locked = "Yes"
else:
locked = "No"
row = [
machine["ip"],
machine["label"],
locked,
machine["locked_changed_on"],
machine["name"],
machine["platform"],
machine["status"],
machine["status_changed_on"]
]
if ((lastUpdated + deltaTime) < currentTime):
row.append(str(currentTime - lastUpdated) + "\nHung???")
else:
row.append(currentTime - lastUpdated)
rows.append(row)
table.add_rows(rows)
print table.draw()
</pre>
<img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/JXXc8ZhZ-78" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/05/i-have-had-some-problems-with-hung-vms.htmltag:blogger.com,1999:blog-3343693239455968046.post-85593470535942235552013-05-06T09:26:00.001+02:002013-05-06T09:26:49.120+02:002013-05-06T09:26:49.120+02:00Weekly malware statistics between 2013-04-28 and 2013-05-05This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 586 samples was analyzed between 2013-04-28 and 2013-05-05.<br />25 samples was not deemed malicious by VirusTotal at the time of analysis.<br />225 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr><tr><td>Fortinet</td><td><div style="text-align: right;">186</div></td><td><div style="text-align: right;">55%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">88</div></td><td><div style="text-align: right;">26%</div></td></tr><tr><td>SCUMWARE_org</td><td><div style="text-align: right;">85</div></td><td><div style="text-align: right;">25%</div></td></tr><tr><td>Websense ThreatSeeker</td><td><div style="text-align: right;">78</div></td><td><div style="text-align: right;">23%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">50</div></td><td><div style="text-align: right;">14%</div></td></tr><tr><td>Yandex Safebrowsing</td><td><div style="text-align: right;">49</div></td><td><div style="text-align: right;">14%</div></td></tr><tr><td>ParetoLogic</td><td><div style="text-align: right;">32</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>ADMINUSLabs</td><td><div style="text-align: right;">29</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>Google Safebrowsing</td><td><div style="text-align: right;">28</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>C-SIRT</td><td><div style="text-align: right;">27</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>ESET</td><td><div style="text-align: right;">23</div></td><td><div style="text-align: right;">6%</div></td></tr><tr><td>Dr_Web</td><td><div style="text-align: right;">5</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>Sucuri SiteCheck</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Phishtank</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Comodo Site Inspector</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>AlienVault</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Opera</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Netcraft</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/-3iR7WxHq78" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/05/weekly-malware-statistics-between-2013.htmltag:blogger.com,1999:blog-3343693239455968046.post-70587642672640747332013-04-29T02:00:00.001+02:002013-04-29T02:00:21.902+02:002013-04-29T02:00:21.902+02:00Weekly malware statistics between 2013-04-21 and 2013-04-28This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 5950 samples was analyzed between 2013-04-21 and 2013-04-28.<br />41 samples was not deemed malicious by VirusTotal at the time of analysis.<br />2736 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr><tr><td>Fortinet</td><td><div style="text-align: right;">2651</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>GData</td><td><div style="text-align: right;">2503</div></td><td><div style="text-align: right;">78%</div></td></tr><tr><td>Ikarus</td><td><div style="text-align: right;">2497</div></td><td><div style="text-align: right;">78%</div></td></tr><tr><td>Comodo</td><td><div style="text-align: right;">2496</div></td><td><div style="text-align: right;">78%</div></td></tr><tr><td>Emsisoft</td><td><div style="text-align: right;">2477</div></td><td><div style="text-align: right;">78%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">2469</div></td><td><div style="text-align: right;">77%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">2456</div></td><td><div style="text-align: right;">77%</div></td></tr><tr><td>AntiVir</td><td><div style="text-align: right;">2451</div></td><td><div style="text-align: right;">77%</div></td></tr><tr><td>McAfee-GW-Edition</td><td><div style="text-align: right;">2446</div></td><td><div style="text-align: right;">77%</div></td></tr><tr><td>McAfee</td><td><div style="text-align: right;">2435</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>Avast</td><td><div style="text-align: right;">2428</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>TrendMicro-HouseCall</td><td><div style="text-align: right;">2418</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>NANO-Antivirus</td><td><div style="text-align: right;">2417</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>F-Secure</td><td><div style="text-align: right;">2417</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>Symantec</td><td><div style="text-align: right;">2403</div></td><td><div style="text-align: right;">75%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">2385</div></td><td><div style="text-align: right;">75%</div></td></tr><tr><td>PCTools</td><td><div style="text-align: right;">2296</div></td><td><div style="text-align: right;">72%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">2266</div></td><td><div style="text-align: right;">71%</div></td></tr><tr><td>nProtect</td><td><div style="text-align: right;">2259</div></td><td><div style="text-align: right;">71%</div></td></tr><tr><td>Agnitum</td><td><div style="text-align: right;">2251</div></td><td><div style="text-align: right;">70%</div></td></tr><tr><td>Panda</td><td><div style="text-align: right;">2230</div></td><td><div style="text-align: right;">70%</div></td></tr><tr><td>AVG</td><td><div style="text-align: right;">2219</div></td><td><div style="text-align: right;">69%</div></td></tr><tr><td>F-Prot</td><td><div style="text-align: right;">2211</div></td><td><div style="text-align: right;">69%</div></td></tr><tr><td>Commtouch</td><td><div style="text-align: right;">2199</div></td><td><div style="text-align: right;">69%</div></td></tr><tr><td>DrWeb</td><td><div style="text-align: right;">2183</div></td><td><div style="text-align: right;">68%</div></td></tr><tr><td>Microsoft</td><td><div style="text-align: right;">2177</div></td><td><div style="text-align: right;">68%</div></td></tr><tr><td>Norman</td><td><div style="text-align: right;">2172</div></td><td><div style="text-align: right;">68%</div></td></tr><tr><td>TrendMicro</td><td><div style="text-align: right;">2138</div></td><td><div style="text-align: right;">67%</div></td></tr><tr><td>MicroWorld-eScan</td><td><div style="text-align: right;">2087</div></td><td><div style="text-align: right;">65%</div></td></tr><tr><td>Jiangmin</td><td><div style="text-align: right;">2051</div></td><td><div style="text-align: right;">64%</div></td></tr><tr><td>VIPRE</td><td><div style="text-align: right;">1956</div></td><td><div style="text-align: right;">61%</div></td></tr><tr><td>ESET-NOD32</td><td><div style="text-align: right;">1948</div></td><td><div style="text-align: right;">61%</div></td></tr><tr><td>AhnLab-V3</td><td><div style="text-align: right;">1782</div></td><td><div style="text-align: right;">56%</div></td></tr><tr><td>eSafe</td><td><div style="text-align: right;">1665</div></td><td><div style="text-align: right;">52%</div></td></tr><tr><td>TheHacker</td><td><div style="text-align: right;">1658</div></td><td><div style="text-align: right;">52%</div></td></tr><tr><td>CAT-QuickHeal</td><td><div style="text-align: right;">1655</div></td><td><div style="text-align: right;">52%</div></td></tr><tr><td>TotalDefense</td><td><div style="text-align: right;">1566</div></td><td><div style="text-align: right;">49%</div></td></tr><tr><td>VBA32</td><td><div style="text-align: right;">1551</div></td><td><div style="text-align: right;">48%</div></td></tr><tr><td>Kingsoft</td><td><div style="text-align: right;">1476</div></td><td><div style="text-align: right;">46%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">1248</div></td><td><div style="text-align: right;">39%</div></td></tr><tr><td>ClamAV</td><td><div style="text-align: right;">1231</div></td><td><div style="text-align: right;">38%</div></td></tr><tr><td>ViRobot</td><td><div style="text-align: right;">1085</div></td><td><div style="text-align: right;">34%</div></td></tr><tr><td>Rising</td><td><div style="text-align: right;">1009</div></td><td><div style="text-align: right;">31%</div></td></tr><tr><td>SUPERAntiSpyware</td><td><div style="text-align: right;">682</div></td><td><div style="text-align: right;">21%</div></td></tr><tr><td>Malwarebytes</td><td><div style="text-align: right;">677</div></td><td><div style="text-align: right;">21%</div></td></tr><tr><td>SCUMWARE_org</td><td><div style="text-align: right;">132</div></td><td><div style="text-align: right;">4%</div></td></tr><tr><td>Websense ThreatSeeker</td><td><div style="text-align: right;">116</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>ByteHero</td><td><div style="text-align: right;">90</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>Yandex Safebrowsing</td><td><div style="text-align: right;">71</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>K7GW</td><td><div style="text-align: right;">68</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>ParetoLogic</td><td><div style="text-align: right;">59</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>C-SIRT</td><td><div style="text-align: right;">50</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>ADMINUSLabs</td><td><div style="text-align: right;">49</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>ESET</td><td><div style="text-align: right;">42</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>Google Safebrowsing</td><td><div style="text-align: right;">40</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>Dr_Web</td><td><div style="text-align: right;">15</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Phishtank</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Opera</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Netcraft</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Comodo Site Inspector</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>AlienVault</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>VirusBuster</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Sucuri SiteCheck</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>NOD32</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>eTrust-Vet</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/lN5I63KQmW0" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/04/weekly-malware-statistics-between-2013_29.htmltag:blogger.com,1999:blog-3343693239455968046.post-47867900320002678542013-04-24T20:55:00.000+02:002013-04-24T20:55:08.475+02:002013-04-24T20:55:08.475+02:00Talking about Malware Analysis at OWASP Stockholm 7th May <div class="separator" style="clear: both; text-align: center;">
<a href="https://www.owasp.org/skins/monobook/ologo.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="59" src="https://www.owasp.org/skins/monobook/ologo.png" width="320" /></a></div>
I will be speaking on the topic of automated malware analysis at OWASP Sweden in Stockholm on the 7<sup>th</sup> May between 18:00 - 21:00 at KTH (Kungliga Tekniska Högskolan, Royal Institute of Technology). The talk will build upon my earlier presentations at 44Con, OWASP Sweden (in Gothenburg) and DEEPSEC but contain updated materials as well as more war stories...<br />
<br />
Register at <a href="http://owaspmalwaresthlm.eventbrite.com/">EventBrite</a> for your ticket - but hurry, they are going fast...<img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/BFz67xCEqp4" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/04/talking-about-malware-analysis-at-owasp.htmltag:blogger.com,1999:blog-3343693239455968046.post-3819852021007868432013-04-24T20:34:00.001+02:002013-04-24T20:34:59.705+02:002013-04-24T20:34:59.705+02:00Hacker Hotshot: Malware Analysis on a Shoe String BudgetHere is the recording of my presentation "Malware Analysis on a Shoe-String Budget" that I performed earlier today at Hacker Hotshot. If you have any questions do leave a comment and I'll get back to you.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/76U1ghu663E?rel=0" width="560"></iframe>
<br />
Next up on my presentation schedule is OWASP Sweden in Stockholm on the same topic.<img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/Oyhmrnq4eRw" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/04/hacker-hotshot-malware-analysis-on-shoe.htmltag:blogger.com,1999:blog-3343693239455968046.post-27008704958828769802013-04-22T02:00:00.001+02:002013-04-22T02:00:23.028+02:002013-04-22T02:00:23.028+02:00Weekly malware statistics between 2013-04-14 and 2013-04-21This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 2695 samples was analyzed between 2013-04-14 and 2013-04-21.<br />3 samples was not deemed malicious by VirusTotal at the time of analysis.<br />1290 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr><tr><td>GData</td><td><div style="text-align: right;">1354</div></td><td><div style="text-align: right;">96%</div></td></tr><tr><td>Comodo</td><td><div style="text-align: right;">1348</div></td><td><div style="text-align: right;">96%</div></td></tr><tr><td>Ikarus</td><td><div style="text-align: right;">1347</div></td><td><div style="text-align: right;">96%</div></td></tr><tr><td>AntiVir</td><td><div style="text-align: right;">1346</div></td><td><div style="text-align: right;">96%</div></td></tr><tr><td>Emsisoft</td><td><div style="text-align: right;">1332</div></td><td><div style="text-align: right;">95%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">1330</div></td><td><div style="text-align: right;">94%</div></td></tr><tr><td>Avast</td><td><div style="text-align: right;">1325</div></td><td><div style="text-align: right;">94%</div></td></tr><tr><td>F-Secure</td><td><div style="text-align: right;">1315</div></td><td><div style="text-align: right;">93%</div></td></tr><tr><td>McAfee</td><td><div style="text-align: right;">1304</div></td><td><div style="text-align: right;">93%</div></td></tr><tr><td>NANO-Antivirus</td><td><div style="text-align: right;">1302</div></td><td><div style="text-align: right;">92%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">1302</div></td><td><div style="text-align: right;">92%</div></td></tr><tr><td>McAfee-GW-Edition</td><td><div style="text-align: right;">1297</div></td><td><div style="text-align: right;">92%</div></td></tr><tr><td>TrendMicro-HouseCall</td><td><div style="text-align: right;">1294</div></td><td><div style="text-align: right;">92%</div></td></tr><tr><td>Fortinet</td><td><div style="text-align: right;">1286</div></td><td><div style="text-align: right;">91%</div></td></tr><tr><td>Symantec</td><td><div style="text-align: right;">1264</div></td><td><div style="text-align: right;">90%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">1257</div></td><td><div style="text-align: right;">89%</div></td></tr><tr><td>nProtect</td><td><div style="text-align: right;">1227</div></td><td><div style="text-align: right;">87%</div></td></tr><tr><td>PCTools</td><td><div style="text-align: right;">1213</div></td><td><div style="text-align: right;">86%</div></td></tr><tr><td>F-Prot</td><td><div style="text-align: right;">1186</div></td><td><div style="text-align: right;">84%</div></td></tr><tr><td>Microsoft</td><td><div style="text-align: right;">1184</div></td><td><div style="text-align: right;">84%</div></td></tr><tr><td>Commtouch</td><td><div style="text-align: right;">1179</div></td><td><div style="text-align: right;">84%</div></td></tr><tr><td>Panda</td><td><div style="text-align: right;">1178</div></td><td><div style="text-align: right;">84%</div></td></tr><tr><td>Agnitum</td><td><div style="text-align: right;">1174</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>AVG</td><td><div style="text-align: right;">1170</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>Norman</td><td><div style="text-align: right;">1158</div></td><td><div style="text-align: right;">82%</div></td></tr><tr><td>DrWeb</td><td><div style="text-align: right;">1151</div></td><td><div style="text-align: right;">82%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">1136</div></td><td><div style="text-align: right;">81%</div></td></tr><tr><td>TrendMicro</td><td><div style="text-align: right;">1126</div></td><td><div style="text-align: right;">80%</div></td></tr><tr><td>Jiangmin</td><td><div style="text-align: right;">1109</div></td><td><div style="text-align: right;">79%</div></td></tr><tr><td>MicroWorld-eScan</td><td><div style="text-align: right;">1082</div></td><td><div style="text-align: right;">77%</div></td></tr><tr><td>VIPRE</td><td><div style="text-align: right;">1003</div></td><td><div style="text-align: right;">71%</div></td></tr><tr><td>ESET-NOD32</td><td><div style="text-align: right;">995</div></td><td><div style="text-align: right;">70%</div></td></tr><tr><td>AhnLab-V3</td><td><div style="text-align: right;">932</div></td><td><div style="text-align: right;">66%</div></td></tr><tr><td>CAT-QuickHeal</td><td><div style="text-align: right;">870</div></td><td><div style="text-align: right;">62%</div></td></tr><tr><td>TheHacker</td><td><div style="text-align: right;">869</div></td><td><div style="text-align: right;">61%</div></td></tr><tr><td>eSafe</td><td><div style="text-align: right;">855</div></td><td><div style="text-align: right;">60%</div></td></tr><tr><td>TotalDefense</td><td><div style="text-align: right;">847</div></td><td><div style="text-align: right;">60%</div></td></tr><tr><td>VBA32</td><td><div style="text-align: right;">830</div></td><td><div style="text-align: right;">59%</div></td></tr><tr><td>Kingsoft</td><td><div style="text-align: right;">746</div></td><td><div style="text-align: right;">53%</div></td></tr><tr><td>ClamAV</td><td><div style="text-align: right;">707</div></td><td><div style="text-align: right;">50%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">685</div></td><td><div style="text-align: right;">48%</div></td></tr><tr><td>Rising</td><td><div style="text-align: right;">634</div></td><td><div style="text-align: right;">45%</div></td></tr><tr><td>ViRobot</td><td><div style="text-align: right;">541</div></td><td><div style="text-align: right;">38%</div></td></tr><tr><td>Malwarebytes</td><td><div style="text-align: right;">319</div></td><td><div style="text-align: right;">22%</div></td></tr><tr><td>SUPERAntiSpyware</td><td><div style="text-align: right;">315</div></td><td><div style="text-align: right;">22%</div></td></tr><tr><td>ByteHero</td><td><div style="text-align: right;">58</div></td><td><div style="text-align: right;">4%</div></td></tr><tr><td>VirusBuster</td><td><div style="text-align: right;">2</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>NOD32</td><td><div style="text-align: right;">2</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>eTrust-Vet</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/U3QDAiGN_18" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/04/weekly-malware-statistics-between-2013_22.htmltag:blogger.com,1999:blog-3343693239455968046.post-7740785977453762102013-04-16T12:31:00.000+02:002013-04-18T21:52:40.207+02:002013-04-18T21:52:40.207+02:00Presenting Malware Analysis on a shoe-string budget @ Hacker Hotshots<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-E8v-xCMy4Yc/UW0Ym9bHybI/AAAAAAAAKKg/yA-VSGqzJXE/s1600/Screen+Shot+2013-04-16+at+11.22.44+AM.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="http://3.bp.blogspot.com/-E8v-xCMy4Yc/UW0Ym9bHybI/AAAAAAAAKKg/yA-VSGqzJXE/s200/Screen+Shot+2013-04-16+at+11.22.44+AM.png" width="176" /></a></div>
I will speak about "<a href="http://www.concise-courses.com/infosec/20130424/#">Malware Analysis on a Shoe-string Budget</a>" at "<a href="http://www.concise-courses.com/upcoming/">Hacker Hotshots</a>" on the 24:th April at 9am Pacific, 12pm Eastern.<br />
<br />
Translated into GMT it will be 4pm (16:00), or 6pm (18:00) Swedish local time - if I did my calculations correctly (If not, please leave a comment so I can update the post).<br />
<br />
<b>EDIT</b>: 7pm Swedish local time according to <a href="http://www.timeanddate.com/worldclock/meetingdetails.html?year=2013&month=4&day=24&hour=17&min=0&sec=0&p1=755&p2=239">timeanddate.com</a>. Thanks to <a class="g-profile" href="http://plus.google.com/109080816265338211030" target="_blank">+Fredrik Karlsson</a> for the correction.<br />
<br />
From the presentation description:<br />
<blockquote class="tr_bq">
Michael Is Going To Show You...<br />
<ul>
<li>How To Conduct Malware Analysis On A Shoestring Budget</li>
</ul>
<ul>
<li>How To Processing 10k Malware Samples A Week!</li>
</ul>
<ul>
<li>How To Replicate Michael's Malware Analysis Lab</li>
</ul>
Malware analysis used to be difficult and time-consuming, and the systems available required a lot of manual labour and/or was too expensive for hobbyists. I am a father of five wonderful kids, aged between 15 years and 10 months old. I also work a 40 hour/week and have a 3 hour/day commute to and from work every day. I also don't have ton of money to spend on my weird hobby. Between my job responsibilities, my responsibilities as a father and husband I don't have much time doing malware analysis - yet I am processing almost 10 thousand malware samples a week, or one every minute, every hour of every day of the week. The secret is to automate yourself out of the process, and I will explain how I did it and how you can replicate my malware analysis lab and how to get started with malware analysis.</blockquote>
I hope that you have time to come and watch me live, but if not the session will be recorded.<br />
<br />
<br />
<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/hZ71ggy2MFA" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com1http://blog.michaelboman.org/2013/04/presenting-malware-analysis-on-shoe.htmltag:blogger.com,1999:blog-3343693239455968046.post-85838489382167756122013-04-08T02:06:00.001+02:002013-04-08T02:06:58.189+02:002013-04-08T02:06:58.189+02:00Weekly malware statistics between 2013-03-31 and 2013-04-07This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 9745 samples was analyzed between 2013-03-31 and 2013-04-07.<br />436 samples was not deemed malicious by VirusTotal at the time of analysis.<br />2945 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr><tr><td>Comodo</td><td><div style="text-align: right;">5490</div></td><td><div style="text-align: right;">86%</div></td></tr><tr><td>Ikarus</td><td><div style="text-align: right;">5484</div></td><td><div style="text-align: right;">86%</div></td></tr><tr><td>GData</td><td><div style="text-align: right;">5468</div></td><td><div style="text-align: right;">85%</div></td></tr><tr><td>AntiVir</td><td><div style="text-align: right;">5371</div></td><td><div style="text-align: right;">84%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">5357</div></td><td><div style="text-align: right;">84%</div></td></tr><tr><td>Fortinet</td><td><div style="text-align: right;">5354</div></td><td><div style="text-align: right;">84%</div></td></tr><tr><td>McAfee-GW-Edition</td><td><div style="text-align: right;">5344</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>Avast</td><td><div style="text-align: right;">5317</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>TrendMicro-HouseCall</td><td><div style="text-align: right;">5315</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>Emsisoft</td><td><div style="text-align: right;">5305</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>McAfee</td><td><div style="text-align: right;">5296</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>F-Secure</td><td><div style="text-align: right;">5295</div></td><td><div style="text-align: right;">83%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">5268</div></td><td><div style="text-align: right;">82%</div></td></tr><tr><td>Symantec</td><td><div style="text-align: right;">5212</div></td><td><div style="text-align: right;">81%</div></td></tr><tr><td>NANO-Antivirus</td><td><div style="text-align: right;">5128</div></td><td><div style="text-align: right;">80%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">4897</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>DrWeb</td><td><div style="text-align: right;">4882</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>PCTools</td><td><div style="text-align: right;">4857</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>AVG</td><td><div style="text-align: right;">4825</div></td><td><div style="text-align: right;">75%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">4754</div></td><td><div style="text-align: right;">74%</div></td></tr><tr><td>Norman</td><td><div style="text-align: right;">4753</div></td><td><div style="text-align: right;">74%</div></td></tr><tr><td>nProtect</td><td><div style="text-align: right;">4739</div></td><td><div style="text-align: right;">74%</div></td></tr><tr><td>F-Prot</td><td><div style="text-align: right;">4712</div></td><td><div style="text-align: right;">74%</div></td></tr><tr><td>Agnitum</td><td><div style="text-align: right;">4657</div></td><td><div style="text-align: right;">73%</div></td></tr><tr><td>Commtouch</td><td><div style="text-align: right;">4610</div></td><td><div style="text-align: right;">72%</div></td></tr><tr><td>Panda</td><td><div style="text-align: right;">4609</div></td><td><div style="text-align: right;">72%</div></td></tr><tr><td>TrendMicro</td><td><div style="text-align: right;">4584</div></td><td><div style="text-align: right;">72%</div></td></tr><tr><td>Microsoft</td><td><div style="text-align: right;">4535</div></td><td><div style="text-align: right;">71%</div></td></tr><tr><td>ESET-NOD32</td><td><div style="text-align: right;">4494</div></td><td><div style="text-align: right;">70%</div></td></tr><tr><td>Jiangmin</td><td><div style="text-align: right;">4418</div></td><td><div style="text-align: right;">69%</div></td></tr><tr><td>VIPRE</td><td><div style="text-align: right;">4413</div></td><td><div style="text-align: right;">69%</div></td></tr><tr><td>MicroWorld-eScan</td><td><div style="text-align: right;">4156</div></td><td><div style="text-align: right;">65%</div></td></tr><tr><td>AhnLab-V3</td><td><div style="text-align: right;">3961</div></td><td><div style="text-align: right;">62%</div></td></tr><tr><td>CAT-QuickHeal</td><td><div style="text-align: right;">3640</div></td><td><div style="text-align: right;">57%</div></td></tr><tr><td>VBA32</td><td><div style="text-align: right;">3518</div></td><td><div style="text-align: right;">55%</div></td></tr><tr><td>Kingsoft</td><td><div style="text-align: right;">3457</div></td><td><div style="text-align: right;">54%</div></td></tr><tr><td>TheHacker</td><td><div style="text-align: right;">3344</div></td><td><div style="text-align: right;">52%</div></td></tr><tr><td>TotalDefense</td><td><div style="text-align: right;">3336</div></td><td><div style="text-align: right;">52%</div></td></tr><tr><td>eSafe</td><td><div style="text-align: right;">3327</div></td><td><div style="text-align: right;">52%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">2520</div></td><td><div style="text-align: right;">39%</div></td></tr><tr><td>Rising</td><td><div style="text-align: right;">2411</div></td><td><div style="text-align: right;">37%</div></td></tr><tr><td>ClamAV</td><td><div style="text-align: right;">2394</div></td><td><div style="text-align: right;">37%</div></td></tr><tr><td>ViRobot</td><td><div style="text-align: right;">2306</div></td><td><div style="text-align: right;">36%</div></td></tr><tr><td>Malwarebytes</td><td><div style="text-align: right;">1853</div></td><td><div style="text-align: right;">29%</div></td></tr><tr><td>SUPERAntiSpyware</td><td><div style="text-align: right;">1453</div></td><td><div style="text-align: right;">22%</div></td></tr><tr><td>SCUMWARE_org</td><td><div style="text-align: right;">212</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>ADMINUSLabs</td><td><div style="text-align: right;">198</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>Yandex Safebrowsing</td><td><div style="text-align: right;">196</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>ByteHero</td><td><div style="text-align: right;">192</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>Websense ThreatSeeker</td><td><div style="text-align: right;">176</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>Google Safebrowsing</td><td><div style="text-align: right;">133</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>ParetoLogic</td><td><div style="text-align: right;">45</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>ESET</td><td><div style="text-align: right;">36</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Dr_Web</td><td><div style="text-align: right;">17</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Sucuri SiteCheck</td><td><div style="text-align: right;">14</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>AlienVault</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Avira</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Comodo Site Inspector</td><td><div style="text-align: right;">10</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>SecureBrain</td><td><div style="text-align: right;">7</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Phishtank</td><td><div style="text-align: right;">6</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Netcraft</td><td><div style="text-align: right;">5</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>VirusBuster</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Opera</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>NOD32</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>Malc0de Database</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>eTrust-Vet</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>G-Data</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr><tr><td>C-SIRT</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/n2w7--vp5LE" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/04/weekly-malware-statistics-between-2013_8.htmltag:blogger.com,1999:blog-3343693239455968046.post-76050448262096341412013-04-04T07:47:00.000+02:002013-04-04T07:47:00.270+02:002013-04-04T07:47:00.270+02:00RemoveClone.py<a href="http://blog.michaelboman.org/2013/04/clone-and-add-python-version.html">Last Tuesday</a> I blogged about the python version of CloneAndAdd which creates a VirtualBox linked clone and adds it to Cuckoo Sandbox. Here is the other part of the functionality named "RemoveClone.py", which deletes a VirtualBox clone and remove it from the Cuckoo Sandbox configuration files.<br />
<br />
Command usage:<br />
<br />
<pre>usage: RemoveClone.py [-h] CLONE [CLONE ...]
Removes a clone
positional arguments:
CLONE list of clones to remove
optional arguments:
-h, --help show this help message and exit
</pre>
<br />
You run it like this to remove the clone we created in the last post (cuckoo2):<br />
<br />
$ ./RemoveClone.py cuckoo2
<br />
<br />
Code listing:<br />
<br />
<pre>#!/usr/bin/env python
import sys
import os
import re
import time
import random
import subprocess
import argparse
import ConfigParser
from pprint import pprint
import code
sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__)), ".."))
from lib.cuckoo.common.constants import CUCKOO_ROOT
Config = ConfigParser.ConfigParser()
def ConfigSectionMap(section):
dict1 = {}
options = Config.options(section)
for option in options:
try:
dict1[option] = Config.get(section, option)
if dict1[option] == -1:
DebugPrint("skip: %s" % option)
except:
print("exception on %s!" % option)
dict1[option] = None
return dict1
def runcmd(cmd):
print "Executing %s" % ' '.join(cmd)
return(subprocess.check_output(cmd))
def RemoveClone(target):
# Init
vbox_conf = os.path.join(CUCKOO_ROOT,"conf","virtualbox.conf")
Config.read(vbox_conf)
VBoxManage = ConfigSectionMap("virtualbox")["path"]
# Turn off the virtual machine
try:
runcmd([VBoxManage,"controlvm",target,"poweroff"])
except:
print "Can't power off machine. Already turned off?"
# Delete the virtual machine
runcmd([VBoxManage,"unregistervm",target,"--delete"])
# Remove host definition
if target in Config.sections():
Config.remove_section(target)
# Add the machine to the list of active machines
vms = ConfigSectionMap("virtualbox")["machines"].split(",") # Create a list of already configured VMS
vms = sorted(set(vms))
vms.remove(target) # Remove the machine
Config.set("virtualbox","machines",','.join(sorted(set(vms)))) # Make sure that each machine is only defined once
# Save the configuration file
cfgfile = open(vbox_conf,'w')
Config.write(cfgfile)
cfgfile.close()
# Done
if __name__ =='__main__':
parser = argparse.ArgumentParser(description='Removes a clone')
parser.add_argument('targets', metavar='CLONE', type=str, nargs='+',help='list of clones to remove')
args = parser.parse_args()
for target in args.targets:
RemoveClone(target)
</pre>
I hope that this is of use for you, and please leave any feedback in the comment section.<img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/ny1hH-ahK5M" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/04/removeclonepy.htmltag:blogger.com,1999:blog-3343693239455968046.post-41304017849969595552013-04-02T22:39:00.000+02:002013-04-03T07:50:12.438+02:002013-04-03T07:50:12.438+02:00Clone and Add, python versionI have re-written my old CloneAndAdd script, which creates clones to be using with Cuckoo, in python and at the same time added some command line options.<br />
<br />
I still depend on compname.exe from <a href="http://www.willowhayes.co.uk/">http://www.willowhayes.co.uk/</a> for renaming the clone, and now I also depend on "<a href="http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx">pskill.exe</a>" from <a href="http://technet.microsoft.com/en-us/sysinternals/">SysInternals</a> to kill the python process as I am updating agent.py to the latest version when cloning.<br />
<br />
I have put agent.py in my autostart folder so it will execute at bootup every time the system starts.
This is the command usage:
<br />
<br />
<pre>usage: CloneAndAdd.py [-h] [--template TEMPLATE] [--snapshot SNAPSHOT]
[--platform PLATFORM] [--username USERNAME]
[--password PASSWORD]
CLONE [CLONE ...]
Create a new clone and add it to the list of available machines
positional arguments:
CLONE list of clones to create
optional arguments:
-h, --help show this help message and exit
--template TEMPLATE Template to clone
--snapshot SNAPSHOT Snapshot to clone
--platform PLATFORM Guest OS
--username USERNAME Username of the VM guest user
--password PASSWORD Password of the VM guest user's password
</pre>
To create a new linked clone from "cuckoo1" with the snapshot of "current" to "cuckoo2" you run it like this:<br />
<br />
$ CloneAndAdd.py --template cuckoo1 --snapshot current --platform windows --username cuckoo --password cuckoo cuckoo2
<br />
<br />
<pre>#!/usr/bin/env python
import sys
import os
import re
import time
import random
import subprocess
import argparse
import ConfigParser
from pprint import pprint
import code
sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__)), ".."))
from lib.cuckoo.common.constants import CUCKOO_ROOT
Config = ConfigParser.ConfigParser()
def randomMAC():
mac = [ 0x00, 0x16, 0x3e,
random.randint(0x00, 0x7f),
random.randint(0x00, 0xff),
random.randint(0x00, 0xff) ]
return ''.join(map(lambda x: "%02x" % x, mac))
def getnewmac(hostname):
regex = r"(%s)\s+([0-9A-Fa-f]+)\s+([0-9\.]+)" % hostname
pat = re.compile(regex, re.I | re.S | re.M)
with open("/MART/etc/macs.txt") as fh:
for line in fh:
if pat.search(line):
(hostname,mac,ip) = pat.match(line).groups()
if mac:
return mac
return randomMAC()
def ConfigSectionMap(section):
dict1 = {}
options = Config.options(section)
for option in options:
try:
dict1[option] = Config.get(section, option)
if dict1[option] == -1:
DebugPrint("skip: %s" % option)
except:
print("exception on %s!" % option)
dict1[option] = None
return dict1
def runcmd(cmd):
print "Executing %s" % ' '.join(cmd)
return(subprocess.check_output(cmd))
def CloneAndAdd(template,snapshot,platform,target,username,password):
# Init
vbox_conf = os.path.join(CUCKOO_ROOT,"conf","virtualbox.conf")
Config.read(vbox_conf)
VBoxManage = ConfigSectionMap("virtualbox")["path"]
# Clone the virtual machine
runcmd([VBoxManage,"clonevm",template,"--name",target,"--snapshot",snapshot,"--options","link","--register"])
# Setting guest MAC
newmac = getnewmac(target)
runcmd([VBoxManage,"modifyvm",target,"--macaddress1",newmac])
# Enable memory ballooning
runcmd([VBoxManage,"modifyvm",target,"--pagefusion","on"])
# Start up virtual machine
runcmd([VBoxManage,"startvm",target,"--type",ConfigSectionMap("virtualbox")["mode"]])
# Wait until the virtual machine has booted up
time.sleep(2*60) # FIXME: Need to find a better way to do this...
# Copy the latest Cuckoo Agent to the system
runcmd([VBoxManage,"guestcontrol",target,"execute","--image","c:/Sysinternals/pskill.exe","--username",username,"--password",password,"--verbose","--wait-exit","--wait-stdout","--wait-stderr","--","/ACCEPTEULA","pythonw"])
runcmd([VBoxManage,"guestcontrol",target,"copyto","--username",username,"--password",password,os.path.join(CUCKOO_ROOT,"agent","agent.py"),"C:/Agent/Agent.pyw"])
# Rename the virtual machine guest OS
runcmd([VBoxManage,"guestcontrol",target,"execute","--username",username,"--password",password,"--image","C:/compname.exe","--wait-exit","--","/c",target])
# Reboot the virtual machine
runcmd([VBoxManage,"guestcontrol",target,"execute","--username",username,"--password",password,"--image","C:/WINDOWS/system32/shutdown.exe","--","-r","-f","-t","0"])
# Wait until the virtual machine has booted up
time.sleep(2*60) # FIXME: Need to find a better way to do this....
# Getting guest IP
guestip = runcmd([VBoxManage,"guestproperty","get",target,"/VirtualBox/GuestInfo/Net/0/V4/IP"]).split(" ")[1]
# Create snapshot
runcmd([VBoxManage,"snapshot",target,"take","Initial snapshot from template","--pause"])
runcmd([VBoxManage,"controlvm",target,"poweroff"])
# Add host definition
if not target in Config.sections():
Config.add_section(target)
Config.set(target,"label",target)
Config.set(target,"platform",platform)
Config.set(target,"ip",guestip)
# Add the machine to the list of active machines
vms = ConfigSectionMap("virtualbox")["machines"].split(",") # Create a list of already configured VMS
vms.append(target) # Append the new machine
Config.set("virtualbox","machines",','.join(sorted(set(vms)))) # Make sure that each machine is only defined once
# Save the configuration file
cfgfile = open(vbox_conf,'w')
Config.write(cfgfile)
cfgfile.close()
# Done
if __name__ =='__main__':
parser = argparse.ArgumentParser(description='Create a new clone and add it to the list of available machines')
parser.add_argument('targets', metavar='CLONE', type=str, nargs='+',help='list of clones to create')
parser.add_argument('--template', dest='template', default='MART-XP-Template', help='Template to clone')
parser.add_argument('--snapshot', dest='snapshot', default='current', help='Snapshot to clone')
parser.add_argument('--platform', dest='platform', default='windows', help='Guest OS')
parser.add_argument('--username', dest='username', default='mart', help='Username of the VM guest user')
parser.add_argument('--password', dest='password', default='mart', help='Password of the VM guest user\'s password')
args = parser.parse_args()
for target in args.targets:
CloneAndAdd(args.template,args.snapshot,args.platform,target,args.username,args.password)
</pre>
<br />
I hope to evolve this to a VM-agnostic program where any (Cuckoo supported) VM-technology can be utilised to create (and remove) guest machines, and in time become a standard Cuckoo Sandbox component.<br />
<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/qb14IiCHa0g" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/04/clone-and-add-python-version.htmltag:blogger.com,1999:blog-3343693239455968046.post-55980429471266570792013-04-01T02:05:00.001+02:002013-04-01T02:05:29.373+02:002013-04-01T02:05:29.373+02:00Weekly malware statistics between 2013-03-24 and 2013-03-31This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 92 samples was analyzed between 2013-03-24 and 2013-03-31.<br />1 samples was not deemed malicious by VirusTotal at the time of analysis.<br />5 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr><tr><td>Fortinet</td><td><div style="text-align: right;">54</div></td><td><div style="text-align: right;">62%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">37</div></td><td><div style="text-align: right;">43%</div></td></tr><tr><td>SCUMWARE_org</td><td><div style="text-align: right;">35</div></td><td><div style="text-align: right;">40%</div></td></tr><tr><td>Websense ThreatSeeker</td><td><div style="text-align: right;">27</div></td><td><div style="text-align: right;">31%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">14</div></td><td><div style="text-align: right;">16%</div></td></tr><tr><td>nProtect</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Yandex Safebrowsing</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>TrendMicro-HouseCall</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>TrendMicro</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Symantec</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Panda</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>PCTools</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Norman</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Ikarus</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>GData</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>F-Secure</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Emsisoft</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>DrWeb</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Comodo</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>ClamAV</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>CAT-QuickHeal</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>Avast</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>AntiVir</td><td><div style="text-align: right;">13</div></td><td><div style="text-align: right;">15%</div></td></tr><tr><td>ViRobot</td><td><div style="text-align: right;">12</div></td><td><div style="text-align: right;">13%</div></td></tr><tr><td>VIPRE</td><td><div style="text-align: right;">12</div></td><td><div style="text-align: right;">13%</div></td></tr><tr><td>Jiangmin</td><td><div style="text-align: right;">12</div></td><td><div style="text-align: right;">13%</div></td></tr><tr><td>VBA32</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">12%</div></td></tr><tr><td>TheHacker</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">12%</div></td></tr><tr><td>McAfee-GW-Edition</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">12%</div></td></tr><tr><td>McAfee</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">12%</div></td></tr><tr><td>Google Safebrowsing</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">12%</div></td></tr><tr><td>Commtouch</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">12%</div></td></tr><tr><td>AVG</td><td><div style="text-align: right;">11</div></td><td><div style="text-align: right;">12%</div></td></tr><tr><td>Microsoft</td><td><div style="text-align: right;">10</div></td><td><div style="text-align: right;">11%</div></td></tr><tr><td>F-Prot</td><td><div style="text-align: right;">10</div></td><td><div style="text-align: right;">11%</div></td></tr><tr><td>ESET</td><td><div style="text-align: right;">10</div></td><td><div style="text-align: right;">11%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">10</div></td><td><div style="text-align: right;">11%</div></td></tr><tr><td>AhnLab-V3</td><td><div style="text-align: right;">10</div></td><td><div style="text-align: right;">11%</div></td></tr><tr><td>Rising</td><td><div style="text-align: right;">9</div></td><td><div style="text-align: right;">10%</div></td></tr><tr><td>eSafe</td><td><div style="text-align: right;">8</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>TotalDefense</td><td><div style="text-align: right;">8</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>SUPERAntiSpyware</td><td><div style="text-align: right;">8</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>ParetoLogic</td><td><div style="text-align: right;">8</div></td><td><div style="text-align: right;">9%</div></td></tr><tr><td>ESET-NOD32</td><td><div style="text-align: right;">7</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>NOD32</td><td><div style="text-align: right;">6</div></td><td><div style="text-align: right;">6%</div></td></tr><tr><td>AlienVault</td><td><div style="text-align: right;">6</div></td><td><div style="text-align: right;">6%</div></td></tr><tr><td>Kingsoft</td><td><div style="text-align: right;">5</div></td><td><div style="text-align: right;">5%</div></td></tr><tr><td>eTrust-Vet</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">4%</div></td></tr><tr><td>MicroWorld-eScan</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">4%</div></td></tr><tr><td>Agnitum</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">4%</div></td></tr><tr><td>ADMINUSLabs</td><td><div style="text-align: right;">4</div></td><td><div style="text-align: right;">4%</div></td></tr><tr><td>Opera</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>Netcraft</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">3%</div></td></tr><tr><td>VirusBuster</td><td><div style="text-align: right;">2</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>Sucuri SiteCheck</td><td><div style="text-align: right;">2</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>Phishtank</td><td><div style="text-align: right;">2</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>Dr_Web</td><td><div style="text-align: right;">2</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>ByteHero</td><td><div style="text-align: right;">2</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>NANO-Antivirus</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>Malwarebytes</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>Comodo Site Inspector</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">1%</div></td></tr><tr><td>Avira</td><td><div style="text-align: right;">1</div></td><td><div style="text-align: right;">1%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/tDto434UrZo" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/04/weekly-malware-statistics-between-2013.htmltag:blogger.com,1999:blog-3343693239455968046.post-49970681161502163042013-03-18T02:01:00.001+01:002013-03-18T02:01:23.743+01:002013-03-18T02:01:23.743+01:00Weekly malware statistics between 2013-03-10 and 2013-03-17This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 0 samples was analyzed between 2013-03-10 and 2013-03-17.<br />0 samples was not deemed malicious by VirusTotal at the time of analysis.<br />0 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/qIWRCuWL6d0" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com1http://blog.michaelboman.org/2013/03/weekly-malware-statistics-between-2013_18.htmltag:blogger.com,1999:blog-3343693239455968046.post-48747883385991068322013-03-12T21:47:00.000+01:002013-03-12T21:47:00.486+01:002013-03-12T21:47:00.486+01:00Call for Papers submissionsI have submitted a few presentations to the conferences I spoke at last year, which I hope will be accepted. The presentation offers has been made exclusively to each conference, and will be performed there first if accepted.<br />
<h2>
44Con 2013</h2>
<h3>
Malware analysis on non-virtual environments</h3>
Malware analysis are today mostly done in virtual machines as they are cheaper and easier to manage compared to hardware boxes. Unfortunately malware developers knows this and are applying a lot of tricks to make it hard for a malware analyst to reverse engineer the samples. I have developed a way to manage standard desktop PCs to be using in malware analysis using open source software and some cheap off-the-shelf hardware.<br />
<h2>
DEEPSEC 2013</h2>
<h3>
Malware datamining and attribution</h3>
Greg Hoglund explained at BlackHat 2010 that the development environments that malware authors use leaves traces in the code which can be used to attribute malware to a a individual or a group of individuals. Not with the precision of name, date of birth and address but with evidence that a arrested suspects computer can be analysed and compared with the "tool marks" on the collected malware samples. This talk will present the results of the analysis on malware collected by the MART Project as well as the tools created to perform the analysis. The tools will be released at the conference.<br />
<br />
I will keep you guys updated if the talks gets accepted (or rejected) and any other conferences I submit to in the same format as above.<img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/I5Qdd0XC6QE" height="1" width="1"/>Michael Bomanhttps://plus.google.com/104022164521410375587noreply@blogger.com0http://blog.michaelboman.org/2013/03/call-for-papers-submissions.htmltag:blogger.com,1999:blog-3343693239455968046.post-4765728198392614562013-03-11T02:02:00.001+01:002013-03-11T02:02:40.147+01:002013-03-11T02:02:40.147+01:00Weekly malware statistics between 2013-03-03 and 2013-03-10This is a report of malware detected by VirusTotal at the time of sample analysis.<br />The underlying method of analysis is pretty flawed so the information provided should not be used for anything important.<br /><br />A total of 1285 samples was analyzed between 2013-03-03 and 2013-03-10.<br />40 samples was not deemed malicious by VirusTotal at the time of analysis.<br />739 samples was not scanned by VirusTotal before at the time of analysis.<br /><br /><table><tr><th><div style="text-align: left;">Engine</div></th><th>Detected samples</th><th>Detection raito</th></tr><tr><td>McAfee-GW-Edition</td><td><div style="text-align: right;">391</div></td><td><div style="text-align: right;">77%</div></td></tr><tr><td>Malwarebytes</td><td><div style="text-align: right;">387</div></td><td><div style="text-align: right;">76%</div></td></tr><tr><td>AntiVir</td><td><div style="text-align: right;">372</div></td><td><div style="text-align: right;">73%</div></td></tr><tr><td>Fortinet</td><td><div style="text-align: right;">359</div></td><td><div style="text-align: right;">70%</div></td></tr><tr><td>ESET-NOD32</td><td><div style="text-align: right;">354</div></td><td><div style="text-align: right;">69%</div></td></tr><tr><td>PCTools</td><td><div style="text-align: right;">349</div></td><td><div style="text-align: right;">68%</div></td></tr><tr><td>GData</td><td><div style="text-align: right;">344</div></td><td><div style="text-align: right;">67%</div></td></tr><tr><td>BitDefender</td><td><div style="text-align: right;">335</div></td><td><div style="text-align: right;">66%</div></td></tr><tr><td>Ikarus</td><td><div style="text-align: right;">314</div></td><td><div style="text-align: right;">62%</div></td></tr><tr><td>VIPRE</td><td><div style="text-align: right;">307</div></td><td><div style="text-align: right;">60%</div></td></tr><tr><td>F-Secure</td><td><div style="text-align: right;">306</div></td><td><div style="text-align: right;">60%</div></td></tr><tr><td>Kaspersky</td><td><div style="text-align: right;">299</div></td><td><div style="text-align: right;">59%</div></td></tr><tr><td>McAfee</td><td><div style="text-align: right;">298</div></td><td><div style="text-align: right;">58%</div></td></tr><tr><td>DrWeb</td><td><div style="text-align: right;">271</div></td><td><div style="text-align: right;">53%</div></td></tr><tr><td>CAT-QuickHeal</td><td><div style="text-align: right;">263</div></td><td><div style="text-align: right;">51%</div></td></tr><tr><td>MicroWorld-eScan</td><td><div style="text-align: right;">260</div></td><td><div style="text-align: right;">51%</div></td></tr><tr><td>Comodo</td><td><div style="text-align: right;">249</div></td><td><div style="text-align: right;">49%</div></td></tr><tr><td>Symantec</td><td><div style="text-align: right;">246</div></td><td><div style="text-align: right;">48%</div></td></tr><tr><td>Avast</td><td><div style="text-align: right;">239</div></td><td><div style="text-align: right;">47%</div></td></tr><tr><td>AhnLab-V3</td><td><div style="text-align: right;">239</div></td><td><div style="text-align: right;">47%</div></td></tr><tr><td>Emsisoft</td><td><div style="text-align: right;">232</div></td><td><div style="text-align: right;">45%</div></td></tr><tr><td>TrendMicro-HouseCall</td><td><div style="text-align: right;">227</div></td><td><div style="text-align: right;">44%</div></td></tr><tr><td>AVG</td><td><div style="text-align: right;">226</div></td><td><div style="text-align: right;">44%</div></td></tr><tr><td>F-Prot</td><td><div style="text-align: right;">219</div></td><td><div style="text-align: right;">43%</div></td></tr><tr><td>K7AntiVirus</td><td><div style="text-align: right;">218</div></td><td><div style="text-align: right;">43%</div></td></tr><tr><td>Jiangmin</td><td><div style="text-align: right;">210</div></td><td><div style="text-align: right;">41%</div></td></tr><tr><td>NANO-Antivirus</td><td><div style="text-align: right;">206</div></td><td><div style="text-align: right;">40%</div></td></tr><tr><td>Rising</td><td><div style="text-align: right;">202</div></td><td><div style="text-align: right;">39%</div></td></tr><tr><td>TotalDefense</td><td><div style="text-align: right;">195</div></td><td><div style="text-align: right;">38%</div></td></tr><tr><td>Kingsoft</td><td><div style="text-align: right;">191</div></td><td><div style="text-align: right;">37%</div></td></tr><tr><td>Panda</td><td><div style="text-align: right;">189</div></td><td><div style="text-align: right;">37%</div></td></tr><tr><td>Norman</td><td><div style="text-align: right;">184</div></td><td><div style="text-align: right;">36%</div></td></tr><tr><td>VBA32</td><td><div style="text-align: right;">175</div></td><td><div style="text-align: right;">34%</div></td></tr><tr><td>TrendMicro</td><td><div style="text-align: right;">165</div></td><td><div style="text-align: right;">32%</div></td></tr><tr><td>nProtect</td><td><div style="text-align: right;">155</div></td><td><div style="text-align: right;">30%</div></td></tr><tr><td>Agnitum</td><td><div style="text-align: right;">128</div></td><td><div style="text-align: right;">25%</div></td></tr><tr><td>Commtouch</td><td><div style="text-align: right;">127</div></td><td><div style="text-align: right;">25%</div></td></tr><tr><td>Microsoft</td><td><div style="text-align: right;">120</div></td><td><div style="text-align: right;">23%</div></td></tr><tr><td>SUPERAntiSpyware</td><td><div style="text-align: right;">104</div></td><td><div style="text-align: right;">20%</div></td></tr><tr><td>Sophos</td><td><div style="text-align: right;">95</div></td><td><div style="text-align: right;">18%</div></td></tr><tr><td>ClamAV</td><td><div style="text-align: right;">58</div></td><td><div style="text-align: right;">11%</div></td></tr><tr><td>eSafe</td><td><div style="text-align: right;">44</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>TheHacker</td><td><div style="text-align: right;">41</div></td><td><div style="text-align: right;">8%</div></td></tr><tr><td>Antiy-AVL</td><td><div style="text-align: right;">35</div></td><td><div style="text-align: right;">6%</div></td></tr><tr><td>ViRobot</td><td><div style="text-align: right;">14</div></td><td><div style="text-align: right;">2%</div></td></tr><tr><td>ByteHero</td><td><div style="text-align: right;">3</div></td><td><div style="text-align: right;">0%</div></td></tr></table><br />- Mallory Rasputin, overworked and underpaid malware research intern. You can reach me at <a href='mailto:research@michaelboman.org'>research@michaelboman.org</a>.<br /><img src="http://feeds.feedburner.com/~r/michaelboman/LfHQ/~4/07yn-IAj6r8" height="1" width="1"/>Mallory Rasputinhttps://plus.google.com/106039590168685040719noreply@blogger.com0http://blog.michaelboman.org/2013/03/weekly-malware-statistics-between-2013_11.html