Zheng Cong of the Chinese Honeynet Project Chapter Releases APKInspector, a Static Analysis Tool for Android Malware

The annual Google Summer of Code has just come to a close. Two students of the Chinese Honeynet Project Chapter, Zheng Cong and Bao Youzhi, both successfully completed their GSoC projects and released the open-source tools APKInspector (a static analysis tool for Android malware) and AxMock (an ActiveX vulnerability simulation plugin), respectively.

Android malware analysis was one of the hot research directions The Honeynet Project focused on in 2011-2012, and through GSoC it sponsored two students to develop open-source tools. Zheng Cong, mentored by Ryan Smith, developed the static analysis tool APKInspector; another student, Patrik, developed the dynamic analysis tool DroidBox. Used together, the two tools help security researchers reverse engineer Android malware more easily and observe and dissect the malicious behaviour of Android applications.


AxMock is for your review

We have set up a project on Google Code; you can browse AxMock at the following link:
http://code.google.com/p/axmock

AxMock is a detection tool for malicious web pages that attack ActiveX controls. It runs in Internet Explorer 7 and the formal version.

It has been tested with Visual Studio 2008 and Python 2.6 with the pywin32 package, though I believe that you can also compile it with later versions.

For more usage information, please check the Wiki on my project's Google Code page.

Have fun with it. :) Comments here, or email sent to me at baoyouzhipku [at] gmail [dot] com, are appreciated.


Midterm Report: Project.6 Static Analysis of Android Malware

For the forthcoming midterm evaluation of GSoC 2011, I have made a lot of progress with the code and am now about to publish the alpha release. Before the alpha release comes out, I have decided to post a blog entry to inform everyone about the progress of Project 6 (Static Analysis of Android Malware).

Our tool is written with PyQt, which is a great Python binding for Qt. It is very easy to design the UI with Qt Designer, and Qt contains many libraries that support a rich UI framework. What's more, Qt supports cross-platform applications.

Figure 1: The main Android Static Analysis UI window


Slides from the First Two 2011 Meetings of the Chinese Honeynet Project Chapter (Static Analysis of Android Malware)

Introduction to Android malware analysis techniques

Development content and plan of the Android static analysis GSoC project


Fourth 2011 Meeting of the Chinese Honeynet Project Chapter

The fourth 2011 meeting of the Chinese Honeynet Project Chapter is scheduled for this Saturday (June 25) at 10 a.m.

The venue is still Conference Room 1 of the Institute of Computer Science and Technology, Peking University (north side, 3rd floor, Founder Building, by the east gate of PKU).

Planned topics:

  • Zheng Cong: progress report and discussion on the GSoC project on static analysis of Android malware
  • Bao Youzhi: progress report and discussion on the GSoC project extending the Capture-HPC honeypot
  • Zhuge Jianwei: introduction to the Kippo honeypot and analysis of SSH password brute-force attacks

The Honeynet Project Chinese Chapter – Status Report 2011

ORGANIZATION
The Chinese Chapter consists of the following people:

* Jianwei Zhuge, Tsinghua
* Chengyu Song, Gatech
* Zhijie Chen, Berkeley
* Xinhui Han, PKU
* Yong Tang, NUDT
* Huilin Zhang, PKU
* Zhongjie Wang, PKU
* Lingfeng Sun, HuaweiSymantec
* Jian Jiang, Tsinghua
* Youzhi Bao, PKU
* Cong Zheng, PKU

The Chapter members are interested in research projects covering the following topics:

1. Low-interaction/high-interaction client honeypots
2. Distributed honeynet deployment, operation and data analysis
3. Automated malware collection and analysis systems
4. Android malware analysis

DEPLOYMENTS

We have recently deployed three instances of dionaea/kippo honeypot sensors.
We requested several HonEeeBox sensors, but have not received them yet.

RESEARCH AND DEVELOPMENT

* Zhijie Chen and Cong Zheng contributed some codes to PhoneyC.
* Chengyu Song developed hv-sebek, a prototype tool for honeypot monitoring based on hardware virtualization technology, during Google Summer of Code 2010.
* Huilin Zhang developed PDFHoneyC, a prototype tool for detecting malicious PDF files, during Google Summer of Code 2010.
* Zhongjie Wang developed TraceXploit (still at proof-of-concept stage), mentored by Jianwei Zhuge, during Google Summer of Code 2010.
* Cong Zheng is currently designing and developing an Android static analysis GUI tool during Google Summer of Code 2011.
* Youzhi Bao is currently designing and developing a COM simulation extension module for Capture-HPC during Google Summer of Code 2011.

PAPERS AND PRESENTATIONS

* C. Song, B. Hay, J. Zhuge. Know Your Tools: Qebek – Conceal the Monitoring. Know Your Tools whitepaper.
* Z. Chen, G. Gu, J. Zhuge, J. Nazario, X. Han. WebPatrol: Automated Collection and Replay of Web-based Malware Scenarios. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS'11), Hong Kong, China, March 2011 (acceptance ratio 16% = 35/217).
* J. Zhuge. An Introduction to the Kippo Honeypot. Chinese Education Network, in Chinese.

GOALS

1. Deploy HonEeeBox honeypots and more dionaea/kippo/glastopf sensors in a distributed fashion across CERNET, and build a threat data center for threat monitoring and analysis, providing support for the CCERT team.
2. Continue improving the tools we contributed during GSoC 2010 and GSoC 2011.

MISC ACTIVITIES

We contributed to the Chinese version of the Forensic Challenge 2010, but failed to attract many Chinese participants.


Third 2011 Meeting of the Chinese Honeynet Project Chapter

The third 2011 meeting of the Chinese Honeynet Project Chapter is scheduled for this Saturday (June 4) at 2 p.m.
The venue is still Conference Room 1 of the Institute of Computer Science and Technology, Peking University (north side, 3rd floor, Founder Building, by the east gate of PKU).

Planned topics:

  • Sun Lingfeng: introduction to web-based malware (drive-by download) detection techniques
  • Zhang Huilin: PDFHoneyC, a tool for detecting PDF exploits
  • Bao Youzhi: development content and plan of the GSoC project extending the Capture-HPC honeypot
  • Zheng Cong: progress of the GSoC project on static analysis of Android malware



Second 2011 Meeting of the Chinese Honeynet Project Chapter

A meeting of the Chinese Honeynet Project Chapter is scheduled for this Sunday (May 22) at 2 p.m.
The venue is still Conference Room 1 of the Institute of Computer Science and Technology, Peking University (north side, 3rd floor, Founder Building, by the east gate of PKU).

Planned topics:

  • Jiang Jian: introduction to the Dionaea honeypot and its deployment status
  • Bao Youzhi: development content and plan of the GSoC project extending the Capture-HPC honeypot
  • Zheng Cong: development content and plan of the GSoC project on static analysis of Android malware


THP Forensic Challenge 8 – Malware Reverse Engineering Released

This forensic challenge is to analyze a real malware sample and answer the questions listed below.

The deadline is June 15. Anyone interested in malware analysis is welcome to participate!

—————-

Challenge 8 – Malware Reverse Engineering (provided by Angelo Dell’Aera and Guido Landi from the Sysenter Honeynet Project Chapter)

Please submit your solution using the submission template below by June 15th 2011 at http://www.honeynet.org/challenge2010.

Results will be announced around the third week of July. For any questions and inquiries, please contact forensicchallenge2010@honeynet.org.

Skill Level: Difficult

The challenge is about reversing a malware sample and deciphering and analyzing its configuration. Please consider this is a real sample captured in the wild so you must be extremely careful in analyzing it.

Questions:

1. Provide the common name for the malware family and version (1 point)
2. Describe the mechanism used by the sample in order to be able to restart itself at the next reboot (2 points)
3. Describe how the malware injects itself into the running system. How many threads does it spawn, and what is their role? (8 points)
4. Describe the API hooking mechanism used by the sample (3 points)
5. What is the purpose of the HttpSendRequest hook? Detail how it works (6 points)
6. What is the purpose of the NtQueryDirectoryFile hook? Detail how it works (3 points)
7. What is the purpose of the NtVdmControl hook? Detail how it works (4 points)
8. What is the purpose of the InternetReadFile hook? Detail how it works (4 points)
9. What is the purpose of the InternetWriteFile hook? Detail how it works (4 points)
10. Describe the mechanism used by the sample in order to load the external plugins (3 points)
11. Extract the decrypted configuration file used by this sample (6 points)
11a. Analyze the plugin ddos.dll and detail its inner working (3 points)
11b. Analyze the plugin customconnector.dll and detail its inner working (6 points)
11c. Analyze the plugin ccgrabber.dll and detail its inner working (6 points)

Bonus question
12. Write code that automates the decryption of the configuration file

Download:

Malware sample (password: infected)
Configuration


TraceXploit Project

  • TraceXploit Idea: Replay the collected network trace to perform successful exploit

During the deployment and operation of distributed Honeynet projects such as the Honeynet Project’s GDH effort, we have collected a large amount of network traces that carry the server-side exploits, among which there may be valuable exploits targeting 0day vulnerabilities.

If we had a mature tool that could replay a collected trace against the targeted service to reconstruct an exploit scenario (adapting to a different hostname, IP address, port number, session cookie or version) without the original exploit code, which we generally cannot collect in a honeynet, we could still expose the exploit and perform vulnerability analysis, demonstrate the value of honeynets, carry out additional forensics, and so on.

Although this idea has been studied in academic research, such as Protocol-Independent Adaptive Replay of Application Dialog [NDSS'06] and Replayer: Automatic Protocol Replay by Binary Analysis [CCS'06], we are not aware of any open-source or free tools that provide such functionality. Furthermore, we could set more advanced goals for packaging exploit dialogs derived from collected exploit traces, much like the well-known Metasploit framework: for example, using different shellcode payloads, targeting different platforms and versions, and other features that you may propose.
