Cuckoo GSOC: about winners and winners

As you may already know, this year Cuckoo Sandbox joined the Google Summer of Code program thanks to the Honeynet Project.

We proposed two project ideas: a Linux analyzer project and a Mac OS X analyzer project.

We got a lot of submissions; many talented and skilled students applied with their project proposals. Sadly Google gave only 8 slots to the whole Honeynet organisation, so deciding which lucky students would eventually be accepted was a hard task.

Difficult decisions unfortunately had to be made to make the best use of the limited number of slots, so only the best student across all the Cuckoo project ideas was selected.

The winner was Dmitry Rodionov with the Mac OS X analyzer project. He will work with me and Jurriaan during this summer to extend Cuckoo's analysis capabilities to Mac OS X. If you are interested, you can follow the progress in a public GitHub repository.

At some point several students who had applied to the Linux project started discussing the project regardless of the GSOC results, asking for our help on some design ideas. That was amazing to me: they are driven by curiosity. They are winners too.


This OVF package requires unsupported hardware

I was trying to import a virtual image in OVA format into VMware ESXi (or vSphere Hypervisor, as it is dubbed today) when I stumbled on this error:

This OVF package requires unsupported hardware.
Details: Line 33: Unsupported hardware family 'virtualbox-2.2'.

[Screenshot: the vSphere import dialog showing this error]

This error mentions some kind of hardware not supported by the vSphere hypervisor; what happened?

It usually occurs when an OVA appliance exported by VirtualBox is imported into vSphere: the default hardware family used by VirtualBox does not match the one vSphere expects, so vSphere is unable to understand how to import the machine.

To fix it you have to convert the OVA file into an OVF file compatible with vSphere, so this post could also be titled “how to convert an OVA into an OVF”.

First of all download the free converter: VMware OVF Tool.

Now you can convert the OVA into an OVF with the following command:

ovftool.exe --lax source.ova destination.ovf

This command creates three files: a .MF file, an .OVF file and a .VMDK file.

Open the .OVF file in a text editor and change all the VirtualBox-specific hardware entries.

Change this:

<vssd:VirtualSystemType>virtualbox-2.2</vssd:VirtualSystemType>

with:

<vssd:VirtualSystemType>vmx-07</vssd:VirtualSystemType>

Change this:

<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>sataController0</rasd:Caption>
<rasd:Description>SATA Controller</rasd:Description>
<rasd:ElementName>sataController0</rasd:ElementName>
<rasd:InstanceID>5</rasd:InstanceID>
<rasd:ResourceSubType>AHCI</rasd:ResourceSubType>
<rasd:ResourceType>20</rasd:ResourceType>
</Item>

with:

<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>SCSIController</rasd:Caption>
<rasd:Description>SCSI Controller</rasd:Description>
<rasd:ElementName>SCSIController</rasd:ElementName>
<rasd:InstanceID>5</rasd:InstanceID>
<rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
<rasd:ResourceType>6</rasd:ResourceType>
</Item>

Save and close. Your edited file now fails the integrity check, because the .MF manifest still holds the SHA1 of the original .OVF. To fix it, calculate the SHA1 of the edited .OVF file (for example using sha1sum or fciv.exe), open the .MF file and substitute the old hash with the calculated one.

Now everything should work.
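The two manual steps above (editing the hardware entries, then refreshing the manifest) can be scripted. This is an added example, not code from the original post or from VMware: it applies the post's substitutions only to the AHCI controller item, so an unrelated item that also happens to be ResourceType 20 is left alone, and it rewrites the SHA1 line of the .MF file. The sample OVF fragment and manifest are constructed here; the manifest line layout `SHA1(name)= hex` is the one ovftool writes.

```python
import hashlib
import re

# Constructed sample: the VirtualBox controller item from the post plus an unrelated
# ResourceType 20 item that the conversion must leave untouched.
SAMPLE_OVF = """<vssd:VirtualSystemType>virtualbox-2.2</vssd:VirtualSystemType>
<Item>
<rasd:Caption>sataController0</rasd:Caption>
<rasd:Description>SATA Controller</rasd:Description>
<rasd:ElementName>sataController0</rasd:ElementName>
<rasd:ResourceSubType>AHCI</rasd:ResourceSubType>
<rasd:ResourceType>20</rasd:ResourceType>
</Item>
<Item><rasd:Caption>otherDevice</rasd:Caption><rasd:ResourceType>20</rasd:ResourceType></Item>
"""
# Constructed sample manifest (.MF) with placeholder digests.
SAMPLE_MF = ("SHA1(source.ovf)= 0000000000000000000000000000000000000000\n"
             "SHA1(source-disk1.vmdk)= 1111111111111111111111111111111111111111\n")

AHCI = "<rasd:ResourceSubType>AHCI</rasd:ResourceSubType>"
SATA_TO_SCSI = [  # the field-by-field edits from the post
    ("<rasd:Caption>sataController0</rasd:Caption>", "<rasd:Caption>SCSIController</rasd:Caption>"),
    ("<rasd:Description>SATA Controller</rasd:Description>", "<rasd:Description>SCSI Controller</rasd:Description>"),
    ("<rasd:ElementName>sataController0</rasd:ElementName>", "<rasd:ElementName>SCSIController</rasd:ElementName>"),
    (AHCI, "<rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>"),
    ("<rasd:ResourceType>20</rasd:ResourceType>", "<rasd:ResourceType>6</rasd:ResourceType>"),
]

def convert_item(item):
    # Rewrite an <Item> block only when it is the VirtualBox AHCI controller.
    if AHCI not in item:
        return item
    for old, new in SATA_TO_SCSI:
        item = item.replace(old, new)
    return item

def convert_ovf(text):
    # Switch the system type to vmx-07, then fix the SATA controller item.
    text = text.replace("<vssd:VirtualSystemType>virtualbox-2.2</vssd:VirtualSystemType>",
                        "<vssd:VirtualSystemType>vmx-07</vssd:VirtualSystemType>")
    return re.sub(r"<Item>.*?</Item>", lambda m: convert_item(m.group(0)), text, flags=re.DOTALL)

def update_manifest(mf_text, ovf_name, ovf_bytes):
    # Replace the SHA1 recorded for ovf_name with the digest of the edited .OVF bytes.
    digest = hashlib.sha1(ovf_bytes).hexdigest()
    line_re = re.compile(r"^(SHA1\(%s\)= *)[0-9a-fA-F]+" % re.escape(ovf_name), re.MULTILINE)
    new_text, count = line_re.subn(lambda m: m.group(1) + digest, mf_text)
    if count != 1:
        raise ValueError("expected one SHA1 entry for %s, found %d" % (ovf_name, count))
    return new_text
```

For a real package, read destination.ovf as bytes, pass the decoded text to convert_ovf and write the result back, then pass the exact bytes you wrote to update_manifest together with the .MF text and write that back as well.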


Cuckoo Sandbox Summer of Code 2015

This summer the Cuckoo Sandbox project is participating in the Google Summer of Code 2015, thanks to a big effort by the Honeynet Project.
This is a great opportunity for students who would like to work on Cuckoo and get paid for it! It is a great challenge and a huge opportunity to work on a real malware sandbox, write code, gain valuable experience and help improve the open source security tools ecosystem.
Almost all college and graduate students are eligible; we are looking for problem-solving people with strong development skills who would like to learn about malware and OS (Linux and Mac OS X) internals.

Cuckoo Projects

The proposed Cuckoo projects are the following (taken from the Honeynet GSOC ideas page):

  • Project Name: Project 18 – Cuckoo Sandbox #1: Support for Linux binaries
    Mentor: Alessandro Tanasi (IT)
    Backup mentor: TBD
    Skills required: Python, Linux internals, Django (optional)
    Project type: Extend and improve existing library
    Project goal: Improve Cuckoo Sandbox to support analysis of Linux malware.
    Description: We would like to expand Cuckoo to support execution of Linux malware. To develop this feature it is required to design and write a custom Python analyzer (a little engine with modules) that follows Cuckoo’s existing win32 architecture: run the malware inside a Linux virtual machine, instrument and record the malware behaviour, then return the execution analysis information back to Cuckoo’s existing reporting components.
  • Project Name: Project 19 – Cuckoo Sandbox #2: Support for Mac OS binaries
    Mentor: Alessandro Tanasi (IT)
    Backup mentor: TBD
    Skills required: Python, Mac OS X internals, Django (optional)
    Project type: Extend and improve existing library
    Project goal: Improve Cuckoo Sandbox to support analysis of Mac OS X malware.
    Description: We would like to expand Cuckoo to support execution of Mac OS X malware. To develop this feature it is required to design and write a custom Python analyzer (a little engine with modules) that follows Cuckoo’s existing win32 architecture: run the malware inside a Mac OS X virtual machine, instrument and record the malware behaviour, then return the execution analysis information back to Cuckoo’s existing reporting components.

Who is eligible?

You have to meet the following requirements to apply to a Cuckoo GSOC Project:

  • You should be a college or graduate student.
  • You should not have a job.
  • Python knowledge is required.
  • Mac OS X or Linux internals knowledge is required.

Where to start?

First of all I would recommend reading, and reading again, all the pages related to GSOC on the Google GSOC website and the Honeynet GSOC page; it is really mandatory to understand how a Google Summer of Code works, what you are expected to do and what you can expect.

A fundamental link is the GSOC timeline, where all the GSOC phases are explained together with their deadlines. For example, today we are in the phase where prospective students talk with their mentors to understand as much as they can about the technology and the project.

For example I would suggest that you:

  • Install Cuckoo and start playing with it.
  • Read the documentation and the code to understand how it works.
  • Check the GitHub page to understand how Cuckoo’s development works.
  • Think about how to design the implementation of the project you choose and start learning what you need.
  • If you need some clarifications, get in touch with me or another Cuckoo developer.

How to apply?

You should apply on the Google GSOC page; applications are only accepted from March 16 until March 27 at 19:00 UTC, so pin it on your calendar.

Applications should be submitted using the “Log in” button in the “Student” area. I suggest you take your time to prepare your application.

Get in touch

You are encouraged to talk with your project mentors, for example:

  • Join the Honeynet GSOC mailing list and write an email to introduce yourself.
  • Join the Honeynet GSOC IRC channel #gsoc-honeynet on irc.freenode.net to talk about the GSOC program and understand how it works. You can also get in touch with Cuckoo’s mentors there.
  • Join the Cuckoo IRC channel #cuckoosandbox on irc.freenode.net to talk with Cuckoo’s developers about the project.

Links you need

A bunch of links, a starting point and a must-read:


Cuckoo Sandbox 1.2 released

After a while we finally released Cuckoo Sandbox 1.2!

It is one of the Cuckoo releases with the most impressive amount of new features; just to mention a few:

  • XenServer machinery support
  • Physical machine support, to run analysis on bare metal
  • Comparative reporting: you can compare analyses in a fancy way
  • Improved visualisation of network data

A complete list of features is available in the announcement post; I kindly suggest you have a look at it.


New Ghiro website

It seems that the old Ghiro website was too hard to understand for the people visiting it.

As we all know, people stay on a website for only a few seconds, so content should be delivered efficiently, with a simple layout and a short web page.

After one year we read about people who were barely able to understand what Ghiro is, whether it is an automated digital forensics tool or a brand new Photoshop clone. We read about people asking where they can download it, how much a license costs and so on.

So our burlone, Ghiro’s design engineer, put together a brand new website; check it out at http://www.getghiro.org/ and let us know if you like it.
