During Google Summer of Code 2015, in the Honeynet Project open-source org, Valerio Costamagna and Cong Zheng (mentor) worked on ARTDroid, an easy-to-use framework for hooking virtual-method under latest Android runtime (ART).
We propose ARTDroid, a framework which allows to analyze Android apps without modifications to both Android framework and apps. The core technology is the library injection and virtual methods hooking by vtable tampering after getting the root privilege.
Pietro wrote a nice post about him finding Android malware while visiting the theatre. Thanks to Thug (thank you Angelo) and HoneyProxy, he was able to get some interesting details about their infrastructure. I was curious what kind of malware you find in a theatre, so I quickly looked at one of the samples that he mentioned: f6ad9ced69913916038f5bb94433848d.
Virus Total already provides some nice information for Android.
The SEND_SMS permissions already gives a solid hint that this application is probably sending to premium numbers.
Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall very well the address, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater’s official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site (novostivkontakte.ru) urging me to update my Flash Player.
I’ve the pleasure to *finally* unveil the second version of Dorothy: a malware/botnet analysis framework written in Ruby.
Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed. However, static binary analysis and system behavior analysis will be shortly introduced in further versions.
Dorothy is a multi-thread framework: it is able to execute as many concurrent analysis processes as the number of the VMs present in vSphere.
Another Monday has been and gone (on this side of the world at least). I thought I’d sit down again and share some of the interestingness (yes, that’s a word now) that came through my various news feeds over the course of the weekend. I’m hoping this week will be a little less malware focused, but I can’t make any promises.
news.source == “twitter”
@mboman: New blog post: MART - Malware Analyst Research Toolkit: Cuckoo Sandbox:
Good evening/morning folks.
It’s been fairly busy here at HNP HQ for a number of reasons. That said, there were a number of interesting articles over the weekend I thought I’d hilight here for your reading pleasure. This week seems to be a week of malware so we will stick with that theme.
STORIES ABOUT BOTNETS - PART 1
Malware Hunting with the Sysinternals Tools (video)
Obfuscation #2: Playing entrypoint hide & seek game with dyld
Although it is still time for the official coding period start at GSoC 2012, i started to make my commits for the Network Analyzer project . The output of the project will be a web based traffic analyzer. It is aimed to let people upload their files from web interface and see the results. Instead of the detail header information, network analyzer will be focusing on applicaiton level data for display.
The GUI tool for static analysis of Android malware is ready for an alpha release. For more details regarding this project, check here.
In the alpha release, the following features have been finished.
(1) Show the CFG (control flow graph) for a given method
(2) Show the smali codes for a given method.
(3) Show the Java codes for a given java file.
(4) Show the betecodes for a given method.
Here is another tool release from The Honeynet Project: Cuckoo Box by Claudio Guarnieri. Cuckoo is a binary analysis sandbox, designed and developed with the general purpose of automating the analysis of malware. Read more about the tool here, grab the tool here – but please read detailed setup guide here (make sure to read it!). BTW, this tool is really well-documented, so make use of it before deploying it.
Basically, The TWMAN is an automated behavioral malware analysis environment to analyze the malware targeted at Microsoft Windows, and it can develop a free and open source software, and the environment is built around Joe Stewart’s TRUMAN sandnet. Although, there are many services of analysis malware behavioral, such as the Norman Sandbox, CWSandbox, Threat Expert, etc. For privacy and policy reasons, it must be treated as if they contain personally identifiable information.