Monday, February 7, 2011

Cuckoo: Simple Automated Malware Analysis Sandbox

Cuckoo is a very simple automated malware analysis sandbox.

It started as a project I developed during Google Summer of Code 2010 within The Honeynet Project organization. During that period, under the guidance of my mentor Felix Leder, the foundation was laid for what Cuckoo has grown into now.

The ideas behind the development of Cuckoo are:

  • provide a completely open source product released under the GPL, both so that everyone can customize it as much as possible and so that it can grow into a community-driven tool.
  • provide an instrument able to analyze any kind of malicious file and extract the best possible behavioral analysis from it.
  • provide a sandbox that can be configured to run both on virtual machines and on bare metal.
  • make it distributable across multiple machines.

Cuckoo still has a long road ahead before achieving all the goals that were initially set, but it is on the right path ;-).

Current Features:

  • Retrieve files from remote URLs and analyze them.
  • Trace relevant API calls for behavioral analysis.
  • Recursively monitor newly spawned processes.
  • Dump generated network traffic.
  • Run concurrent analysis on multiple machines.
  • Support custom analysis packages based on AutoIt3 scripting.
  • Intercept downloaded and deleted files.
  • Take screenshots during runtime.
