Senior Project - Dynamic Malware Analysis System

Smart Error

New Member
Thread author
Dec 21, 2011
29
Hello guys,
I would like to take your advice on doing my senior project for my B.Sc.
I am planning to build a system for dynamic analysis which has Sandboxie for visualization.

The idea is that the user can send his sample to the system online; the system receives it and executes it under Sandboxie and other tools, which I will implement, that observe the behavior of that sample.

It works the same as ThreatExpert.

The topic is open for anyone to give me his/her advice, like which language to choose for implementing those tools, what I should take into consideration, etc.

Thank you for your attention. =)
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
I would love to help, but I have no idea how to/or what to suggest.
 

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
So basically you're building a system where, when someone sends something to the server, you run it under a sandbox and then observe the behavior of that file?
 

Smart Error

New Member
Thread author
Dec 21, 2011
29
Yeah, the server will be on VirtualBox, with Sandboxie installed on it.
There are some tools that I want to implement for observing the malware's behavior, and to take a snapshot of any pop-up windows.
Also, I will use the VirusTotal Public API to scan it with 42 AVs.
Undetected samples will be sent to each security company by the system, so other users who do not use the system will benefit from it by receiving definition updates.

Each report will be saved in a cloud database with its MD5, so later on, when a user sends a sample, it will check the MD5 first:
if it exists, it will send the report to his email, and if not, it will start analyzing.
 

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
Sounds like a great idea. :) Question: what are the server specs?
 

BusterBSA

New Member
Dec 26, 2011
5
Smart Error said:
Hello guys,
I would like to take your advice on doing my senior project for my B.Sc.
I am planning to build a system for dynamic analysis which has Sandboxie for visualization.

The idea is that the user can send his sample to the system online; the system receives it and executes it under Sandboxie and other tools, which I will implement, that observe the behavior of that sample.

It works the same as ThreatExpert.

The topic is open for anyone to give me his/her advice, like which language to choose for implementing those tools, what I should take into consideration, etc.

Thank you for your attention. =)

I coded Buster Sandbox Analyzer in Delphi, but C++ or C# should be fine too.

Things you should take into consideration:

* You will have to write an API logger. For this task WinDDK will be required.

* You will have to work with RegHive files, which means you must be able to traverse the file, reading values. Be aware that there is not much documentation available.

* You should include a sniffer to capture network traffic.

I am pretty sure Buster Sandbox Analyzer will be a source of inspiration for you. ;)

Good luck with your project!
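As an added example (not code from this thread, nor from Buster Sandbox Analyzer), here is the consumer side of the API logger BusterBSA describes: a small Python routine that reads API-call records and turns them into the behaviour summary an analyst would read. The log format is hypothetical ("pid|api|arg1|arg2", one call per line), the log lines are constructed, and the IP address is from the documentation range; the API names are the ordinary Win32 ones a user-mode logger would hook.

```python
import re
from typing import Iterator

# Constructed log lines in a hypothetical "pid|api|arg1|arg2" format; a real
# API logger (the WinDDK-based one BusterBSA mentions) would define its own.
SAMPLE_LOG = """\
1234|CreateFileW|C:\\Users\\victim\\AppData\\Roaming\\svc.exe|GENERIC_WRITE
1234|WriteFile|C:\\Users\\victim\\AppData\\Roaming\\svc.exe|4096
1234|RegSetValueExW|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|svc
1234|connect|198.51.100.23|4444
1234|CreateProcessW|C:\\Users\\victim\\AppData\\Roaming\\svc.exe|
1234|CreateFileW|C:\\Windows\\System32\\kernel32.dll|GENERIC_READ
this line is malformed and must be skipped
"""

# Registry paths under which a value makes a program start at logon.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)


def parse_log(text: str) -> Iterator[tuple[int, str, list[str]]]:
    """Yield (pid, api, args) for each well-formed line; malformed lines are
    skipped rather than aborting the whole report."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2:]


def summarize(text: str) -> dict:
    """Group observed calls into the categories an analyst reads first and
    derive a few coarse flags from how they combine."""
    report = {
        "files_written": set(),
        "autorun_keys": set(),
        "connections": set(),
        "children": set(),
        "flags": set(),
    }
    for _pid, api, args in parse_log(text):
        if api == "CreateFileW" and len(args) > 1 and "WRITE" in args[1].upper():
            report["files_written"].add(args[0])
        elif api == "WriteFile" and args:
            report["files_written"].add(args[0])
        elif api == "RegSetValueExW" and args and AUTORUN_KEY.search(args[0]):
            report["autorun_keys"].add(args[0])
        elif api == "connect" and len(args) >= 2:
            report["connections"].add(f"{args[0]}:{args[1]}")
        elif api == "CreateProcessW" and args and args[0]:
            report["children"].add(args[0])

    # Flags are derived from combinations, not single calls: a file that is
    # both written and then launched is more telling than either event alone.
    if report["autorun_keys"]:
        report["flags"].add("persistence:run-key")
    if report["files_written"] & report["children"]:
        report["flags"].add("drops-and-executes")
    if report["connections"]:
        report["flags"].add("network:outbound")
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {sorted(value)}")
```

The categories here are the ones a ThreatExpert-style report leads with (files written, autorun registry entries, outbound connections, child processes); the sniffer output BusterBSA mentions would feed the same "connections" set from the network side, which is how a connection the API logger missed still shows up in the report.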
 

Smart Error

New Member
Thread author
Dec 21, 2011
29
Thanks, bro, for replying.

I'm having a little bit of a problem, which is:
the testing will be on one file at a time. I am thinking about how to extend it to receive many files and test them instantaneously.

Thank you again =)
 

BusterBSA

New Member
Dec 26, 2011
5
Sandboxie allows running programs in different sandboxes, but it could be difficult, if not impossible, to separate certain behaviours. Example: two programs accessing the internet from two different sandboxes.

You could try an approach like the one Cuckoo ( http://www.cuckoobox.org ) uses: running each analyzer thread in a different virtual machine.

I hope that helps you.
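The two design points raised so far, the MD5-keyed report cache from Smart Error's earlier post and the one-analysis-per-virtual-machine scheduling BusterBSA points to in Cuckoo, fit together in one submission pipeline. The Python below is an added example, not code from this thread, from Cuckoo or from Buster Sandbox Analyzer. Everything in it is hypothetical: `ReportStore` stands in for the cloud database, each `worker` thread stands in for one VM slot, and `analyze()` is a stub that records static facts instead of actually running the sample. It also handles the edge case the cache description leaves open: the same sample submitted twice before the first run has finished is queued only once.

```python
import hashlib
import queue
import threading
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ReportStore:
    """Stand-in for the cloud database in the thread: reports keyed by MD5.
    `in_flight` holds hashes queued but not yet analysed, so a sample
    submitted twice in quick succession is only run once."""
    reports: dict = field(default_factory=dict)
    in_flight: set = field(default_factory=set)
    lock: threading.Lock = field(default_factory=threading.Lock)


def hash_sample(data: bytes) -> tuple[str, str]:
    """MD5 is the lookup key, as the thread proposes; SHA-256 is recorded
    alongside because MD5 collisions can be manufactured deliberately."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def submit(sample: bytes, store: ReportStore, pending: queue.Queue) -> tuple[str, str]:
    """Return (md5, status) where status is 'cached', 'in_flight' or 'queued'."""
    md5, _ = hash_sample(sample)
    with store.lock:
        if md5 in store.reports:
            return md5, "cached"      # report already exists: mail it, no re-run
        if md5 in store.in_flight:
            return md5, "in_flight"   # identical sample queued moments ago
        store.in_flight.add(md5)
    pending.put((md5, sample))
    return md5, "queued"


def analyze(sample: bytes) -> dict:
    """Placeholder for the sandbox run. The real system would execute the
    sample inside an isolated VM and collect API, registry and network
    observations; this stub records only static facts so it runs anywhere."""
    return {"size": len(sample), "looks_like_pe": sample[:2] == b"MZ"}


def worker(store: ReportStore, pending: queue.Queue) -> None:
    """One analysis slot, i.e. one VM in the Cuckoo-style design. Runs until
    it receives the None sentinel."""
    while True:
        item = pending.get()
        if item is None:
            break
        md5, sample = item
        _, sha256 = hash_sample(sample)
        report = {"md5": md5, "sha256": sha256, **analyze(sample)}
        with store.lock:
            store.reports[md5] = report
            store.in_flight.discard(md5)
        pending.task_done()


def run_pipeline(samples: list, slots: int = 2, store: Optional[ReportStore] = None):
    """Submit every sample, drain the queue with `slots` parallel workers and
    return (store, per-submission statuses). Pass an existing store to see
    repeat submissions answered from cache."""
    store = store if store is not None else ReportStore()
    pending: queue.Queue = queue.Queue()
    statuses = [submit(s, store, pending)[1] for s in samples]
    threads = [threading.Thread(target=worker, args=(store, pending)) for _ in range(slots)]
    for t in threads:
        t.start()
    pending.join()            # every queued sample has a report now
    for _ in threads:
        pending.put(None)     # release the workers
    for t in threads:
        t.join()
    return store, statuses


if __name__ == "__main__":
    # Constructed inputs: a minimal PE-looking blob submitted twice and one other file.
    pe_like = b"MZ" + b"\x00" * 62
    other = b"not a PE file"
    store, statuses = run_pipeline([pe_like, other, pe_like])
    print(statuses)                                  # ['queued', 'queued', 'in_flight']
    print(run_pipeline([other], store=store)[1])     # ['cached']
```

The number of worker threads is the number of analysis VMs you can afford to keep running; the queue is what lets the web front end accept many uploads at once while the sandboxes work through them one sample each, which is the separation BusterBSA's reply is pointing at.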
 

Smart Error

New Member
Thread author
Dec 21, 2011
29
Thanks a lot for the link =)

Do you think that Python would be better than C# in terms of ready-defined classes for security?
 

bogdan

Level 1
Jan 7, 2011
1,362
It is possible, but you will face the same problems that ZeroWine is facing:
Detection of the WINE environment demonstrated to be extremely easy. For example, the registry key HKLM\Software\Wine or HKCU\Software\Wine can be opened to detect it. Another example: check the file size of any Windows critical system file. When running under WINE, the files will be ridiculously small, while on a real Windows system they will (always) have a bigger size.
Therefore some malware might detect that it is running inside a Wine environment and won't exercise any malicious behavior.
 

BusterBSA

New Member
Dec 26, 2011
5
Smart Error said:
Is there any chance to use a Linux-based OS with Wine to analyze the samples?

Many malware analyzers run under a Linux-based OS, but using VirtualBox instead of Wine.

You can find a list of malware analyzers here: http://bsa.isoftware.nl/frame3.htm

I suggest you take a look at Cuckoo, Zero Wine and Minibis.
 
