The project is now officially named "Scanner." It was inspired by my desire to create a lab for analyzing malware. It is now expanding to do bigger things. It is currently written in Python. Feel free to hop in and contribute.
The current iteration is 2.x, as seen here. I attempt to solve a couple of key problems and this project enabled me to work on an issue I've always wanted to tackle. I describe more of these below.
Surufel was meant to be a quasi-startup, and under Surufel I intended to offer multiple products. Several ideas grew into one powerful idea. Surufel Scanner, or just Scanner, is a serious product that I intend to develop for a while.
Typically, users use an AV like this:
I am hoping to create a smart AV that will look something to this effect:
The installation guide is in the Quick Start section of the README document. The main focus here is malware analysis in general.
Three events usually initiate the game. Your computer is acting strange. Your antivirus picked something up. Your boss tells you something happened. If it's the first two, hopefully you have backups and it isn't something too bad. If it's your company, you will want to answer some business questions. Questions like:
You're going to want to have some answers for that. You definitely want to find out how you were hit in the first place.
While Linux and macOS machines can still get infected, the vast majority of targets are Windows machines in the US. Other countries, especially in the East like China and Japan, are attempting to move away from Microsoft and create their own flavor. The reasons for this are obvious; for example, they fear the West may be spying on them.
From the early days to today, Microsoft has always held the majority of the OS market share. As a result, malware designers write for Windows because it is easier. Coupled with the fact that today's attacks are more targeted and more political, this means more reasons to target Windows machines. Gone are the days when people wrote malware for knowledge and hacked for the sake of hacking.
On a small footnote though, Linux and macOS currently rely on security by obscurity. In some cases, a default Windows install is more secure than a poorly configured Linux or macOS box.
Anyway, the good news is that despite the growing threat, the "good guys" are winning. Actual infections are rare for most people and even organizations. The bad news is that when it goes down, it goes down hard.
You need to set up a lab. Setting up a lab is more of an art than a science. If you look up "how to set up your own lab," you will find multiple different setups for the same end goal. This is just my preference. How did I set up mine? By preference and by feeling my way through on a spare throwaway computer. I'm documenting mine here for posterity.
update-remnux
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install virtualbox-guest-utils virtualbox-guest-x11 virtualbox-guest-dkms
sudo adduser remnux vboxsf
My typical workflow process looks like this: determine the environment and triage -> static analysis -> dynamic analysis -> report
However you set up your lab, just make sure you've isolated it as much as possible. The nice thing about Python is how easy it makes incorporating Surufel with Remnux. So, in addition to running a scan on the suspected file, consider the following triaging techniques:
I'm going to assume that you found the suspected file via an antivirus scan. This is always a good way to start off the investigation. I'm going to use "Bombermania.exe" to do a little demo.
How you do file type checking is a matter of preference. Some checks might be redundant. I will start off with something like this:
On a Linux box, this should yield:
Bombermania.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
If you use import magic in Python, you should get the same result. Heads up though, I've been hitting inconsistencies when it comes to setting it up, so your mileage may vary. (The way I have gone about doing this is pip install --user python-magic, but I'm reading at least 2 different methods, one using brew install libmagic.)
VirusTotal is nice. When you upload the file to VirusTotal, it will produce a dataset you can use to investigate the nature of this malware. Here is what it produced at the time of this writing (2017):
It'll even tell you when it was first submitted and other tidbits of information. Apparently this one was created in 2005 and first submitted in 2009.
If you can find the malware in the public from just the information gleaned above, then your life just got a little easier. If this is something that's new, then a public database isn't going to help much.
There is a lot of research in this area and it is promising. For example, one study of Windows executables suggests that you can figure out which file is good and which file is not based on the PE header alone. This researcher does so by using three methods, one of them using PE-Header-Parser. Surprisingly, one of the methods uses Icon-Extractor.
Anyway, we will want to use a tool that deals with the PE.
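As an added example (not Scanner's own code, not the file utility, and not python-magic), here is a stdlib-only first-pass triage that covers the three steps above: the SHA-256 you would look up on VirusTotal, a file type verdict in the same shape as the file output shown earlier, and the PE header fields (machine, subsystem, section names) that the PE-header research relies on. The sample input is a constructed, non-functional PE header with UPX0/UPX1 sections, not the real Bombermania.exe.

```python
import hashlib
import struct

# Machine and subsystem names as the 'file' utility prints them.
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "Aarch64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}


def triage_pe(data: bytes) -> dict:
    """Static first-pass triage of an in-memory file: hash for VirusTotal
    lookup, PE type, subsystem, machine, section names and a UPX check.
    Pure stdlib, so it runs where python-magic is not installed."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "type": "unknown",
            "sections": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info                      # no DOS header: not a PE at all
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        info["type"] = "MS-DOS executable"
        return info
    machine, nsect, _, _, _, opt_size, flags = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                        # optional header follows the COFF header
    if opt + 70 > len(data):
        return info                      # truncated optional header: stop, don't crash
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset for PE32/PE32+
    sect = opt + opt_size                # section table follows the optional header
    for i in range(nsect):
        off = sect + 40 * i
        if off + 40 > len(data):
            break                        # truncated section table
        info["sections"].append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    kind = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE")
    dll = " (DLL)" if flags & 0x2000 else ""
    desc = (f"{kind} executable{dll} ({SUBSYSTEMS.get(subsystem, subsystem)}) "
            f"{MACHINES.get(machine, hex(machine))}, for MS Windows")
    if any(s.startswith("UPX") for s in info["sections"]):
        desc += ", UPX compressed"       # packed: expect few imports, unpack before static analysis
    info["type"] = desc
    return info


def build_sample() -> bytes:
    """Constructed, non-functional PE header (not the real Bombermania.exe):
    DOS header, PE signature, COFF header, PE32 optional header, two UPX sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", opt, 68, 2)             # IMAGE_SUBSYSTEM_WINDOWS_GUI
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1"))
    return dos + b"PE\0\0" + coff + bytes(opt) + sections
```

Feed triage_pe the bytes of a real sample read from your isolated lab box; the UPX verdict comes only from section names, so a packer that renames them will slip past this check.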
All reports on malware should include as much of the following information as possible:
But ultimately, this depends on what your organization requires. Take a look at these reports of the malware Regin. Symantec took a very different approach than F-Secure yet both are excellent reports.
The endgoal is usually to figure out what the malware is doing and how to get rid of it.
I'll write about it when I can get some time and my hands on a Windows license and an IDA Pro.
"Is this project finished?"
The short answer is no. For all intents and purposes, this project is considered finished if you only consider the intended features that I wanted to implement. But I don't believe in "finished" when it comes to software.
I have the same philosophy as Shlomi Fish in this respect. There are very few things in life that would meet the philosophical meaning of "finished."
"What was the point?"
It was supposed to achieve 3 objectives. Sharpen my skills. Solve an actual real world problem. Showcase my skills.
That's why I kept the use of frameworks to a minimum. I use what I like or need.
The decision to use Python was because of Capers Jones and inspiration from Metasploit, which was also written in a high level language, Ruby.
"Technologies used?"
This is not a web application, but one is under consideration. I just need to find a cheap host. You'll need to download it to try it out. There is an online version now! It's also not a complete solution. No software is.
There are lots of amazing resources out there. I have utilized these resources in my journey and definitely recommend that you check them out if you want to keep exploring.