A new and improved version of Rumal

05 Sep 2016 Roberto Tanara gsoc gsoc2016 rumal thug
Thug is a client honeypot that emulates a real web browser, fetches and executes any internal or external JavaScript, follows all redirects, downloadable files just like any browser would do, and collects the results in a mongodb collection. The purpose of this tool is to study, analyse and locate exploit kits and malicious websites. Thug’s analysis can be difficult to navigate or understand and this is where Rumal comes in. Rumal’s function is to be Thug’s GUI, providing users with trees, graphs, maps, tables and intuitive representations of Thug’s data.

Rumal, a web GUI for Thug

22 Feb 2016 Pietro Delsante gsoc rumal thug
As you may know, Thug is a handy tool for studying exploit kits, as it emulates a real browser complete of a set of plugins like Adobe Reader, Flash and Java. When you feed Thug with the URL of a suspicious web page, it “crawls” it and starts fetching and executing any internal or external JavaScript, following redirects and downloading files just like a browser would do. When Thug encounters some files it cannot analyze by itself (like Flash, Java and PDF), it passes them to external tools.

Thug and the art of web client tracking inspection

27 Jan 2015 Angelo Dellaera honeyclient thug
A few months ago I read the paper “Technical analysis of client identification mechanisms” [1]. The paper is really interesting and it is really worth investing your time and reading. Just a brief excerpt from the abstract: “In common use, the term “web tracking” refers to the process of calculating or assigning unique and reasonably stable identifiers to each browser that visits a website. In most cases, this is done for the purpose of correlating future visits from the same person or machine with historical data.

Thug 0.6 released!

05 Jan 2015 Angelo Dellaera honeyclient thug
Thug 0.6 was released just a few hours ago. The most important change introduced during the 0.5 branch was a complete redesign of the logging infrastructure which is now completely modular. This makes adding (or removing) new logging modules extremely easy. I did this change for a couple of reasons. The first one is that the logging code before Thug 0.5 was developed without a proper design but just adding the modules as soon as I needed them.

Vagrant configuration for Thug honeyclient

26 Jul 2014 Ioannis Koniaris thug thug-vagrant vagrant
Vagrant and Docker and wonderful tools that enable security practitioners to easily dive into the DevOps world and use them for InfoSec projects. Continuing from the previous blog post Thug in 5 minutes, here is a Vagrant configuration to setup Thug honeyclient. It’s essentially a simple shell script to automate the installation of Thug, which is applied to a virtual machine (created with VirtualBox) upon launch. To use it, first install VirtualBox and Vagrant itself for your OS version.

Thug 0.5 and KYT paper

10 Jul 2014 Angelo Dellaera honeyclient kye kyt thug
Thug 0.4.0 was released on June, 8th 2012 and a huge number of really important features were added since then. During the last two years I had a lot of fun thinking and designing the future of the project and I’m really proud of what Thug is now. I have to thank a lot of persons who contributed with their suggestions, ideas, bug reports and sometimes patches. You know who you are.

Thug in 5 minutes

17 Jun 2014 Ali Ikinci docker thug
Ever wanted to run up a quick instance of Thug on a couple of malicious web sites or try it out but lacked the sys op knowledge or time to install it? Here is the opportunity. Thanks to Docker you can run Thug up in a matter of minutes. Jose Nazario and me have created two docker images which are in the Docker Hub ready to run. So this is how to do it:

Is Android malware served in theatres more sophisticated?

09 Jan 2014 Felix Leder android apk decompilation malware reverse-engineering sandbox-evasion thug
Pietro wrote a nice post about him finding Android malware while visiting the theatre. Thanks to Thug (thank you Angelo) and HoneyProxy, he was able to get some interesting details about their infrastructure. I was curious what kind of malware you find in a theatre, so I quickly looked at one of the samples that he mentioned: f6ad9ced69913916038f5bb94433848d. Virus Total already provides some nice information for Android. The SEND_SMS permissions already gives a solid hint that this application is probably sending to premium numbers.

Malware-serving theaters for your android phones - Part 1

07 Jan 2014 Pietro Delsante android apk exploit malware thug
Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall very well the address, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater’s official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site (novostivkontakte.ru) urging me to update my Flash Player.

Thug: 1000 commits, 1000 thanks

10 Jun 2013 Angelo Dellaera honeyclient thug
Two years are passed from the first commit and taking a look at the number of committed patches I realized that right now the patch number 1000 was committed. Let me say it’s really impressive realizing it. In the last two years I had a lot of fun thinking and designing the future of this project and I’m really proud of what Thug turned to be. I have to thank a lot of persons who contributed with their suggestions, ideas, bug reports and sometimes patches.