Midterm Report: Project.6 Static Analysis of Android Malware

08 Jul 2011 Cong Zheng gsoc

For the forthcoming midterm evaluation of GSoC 2011, I have made a lot of progress with the code and I am now about to publish the alpha release. Before the alpha is released, I have decided to post a blog entry to inform everyone about the progress of project 6 (Static Analysis of Android Malware).

Our tool is written with PyQt, which is a great interface to Qt for Python. It is very easy to design the UI with Qt Designer, Qt contains lots of libraries to support a pretty UI framework, and Qt supports cross-platform applications.

Midterm Report: The sniffer and emulator for COM components

08 Jul 2011 Youzhi Bao capture-hpc gsoc

So far, what I have done for Capture-HPC is:

    1. Write a mock Capture server.

This helps with debugging and coding the Capture client. Following the message format defined in earlier Capture versions, the mock server first sends a command to the client and then keeps listening for the client's log.

Once the server is running, we can start the Capture client. The command is the same as in the earlier beta, although I updated the client code, which changes the way an IE process is invoked.

Summary on Webviz Project

05 Jul 2011 Oguz Yarimtepe

The review period is coming, and I decided to write an entry to report on the Webviz project. So far the first output of the project is a proof-of-concept work[1] (it requires a WebGL-capable browser; tested on Firefox 5 and Firefox 4, I don't guarantee it works fine on other browsers).

The figure displays the visualized data. The elevations correspond to the malware counts per geographic location: the more malware detected, the higher the peak, with the color changing accordingly.

Forensic Challenge 8 - "Malware Reverse Engineering" - Deadline Extended Again

01 Jul 2011 Angelo Dellaera challenge forensic-challenge

We are realizing that Forensic Challenge 8 - “Malware Reverse Engineering” - is really difficult to solve, because so far we have received just 5 submissions. For this reason we decided to extend the submission deadline again, to July 31st.

Those who already submitted a solution before June 30th may submit again, taking advantage of this extra month. Moreover, a few extra bonus points will be assigned to them.

DroidBox: testing with Geinimi sample

22 Jun 2011 Patrik Lantz android droidbox dynamic-analysis gsoc sandbox

Geinimi, one of the very first Android malware families, has been analyzed in DroidBox, the application sandbox that is currently being developed. The project is part of GSoC 2011, in collaboration with Honeynet, and also serves as a master's thesis. The Geinimi application uses DES encryption, and it is possible to decrypt the content statically; see the picture below.

But that is very easy here only because the key is not well hidden, so an approach based on dynamic analysis will be more interesting for complex samples. This first real-world sample analysis was carried out specifically to test the crypto API logging.

Lion and iOS 5

07 Jun 2011 Chengyu Song security

Today Apple unveiled the next generation of OS X, Lion, and the new iOS 5. Among the features, I'm concerned about two: AirDrop and iCloud.

My worry about AirDrop comes from its automatic discovery ability. While services like Bonjour also have automatic discovery, they are passive. AirDrop, on the contrary, is active: it allows a user to send (drop) a file to another user. Sounds pretty convenient. But this just reminds me of the old Bluetooth worms. Although saving a file requires the user's permission, the worm continually pings the victim to 'drop' the file, and most users will eventually get annoyed and permit the saving. So without further restrictions, I would say AirDrop opens a new door for worms. Cheers!

Mapping geographic data

15 May 2011 Oguz Yarimtepe django geodjango python

Visualization is a niche area, especially in security analysis. As the well-known saying goes, “A picture is worth a thousand words”. The importance and power of visualization in the security area stand out in its ability to express multi-dimensional data in a single shape. While working on creating a mesh-tiled 3D view on an Earth map, I was reading about geoweb application development. A geoweb application consists of several components.

Dionaea Installation

09 May 2011 Oguz Yarimtepe debian dionaea log-record

This summer, I will be dealing with the distribution of malware analysis data from a visualization perspective, on a timeline and a geographic basis. To collect data related to malware, I installed Dionaea, which is the successor of Nepenthes. The Dionaea documentation is plain and easy to follow. I chose Debian Squeeze to install the honeypot on. Installing the base system from the netinstall CD and following the documentation was enough until I got an error message while compiling Dionaea. “common” from the Nepenthes IRC channel was helpful in solving the problem. The problem is described at http://sourceforge.net/mailarchive/message.php?msg_id=27441025. It was caused by the wrong Cython version being used, together with a makefile error.