A comparative pilot analysis of the Cuckoo and Drakvuf software environments for isolated program execution: the end-user perspective

Keywords: isolated program execution (sandboxing), Cuckoo, Drakvuf, dynamic malware analysis

Abstract

Introduction/objective: The paper presents a comparative pilot analysis of the Cuckoo and Drakvuf software environments for isolated program execution (sandboxes). These two systems were chosen as the subject of the analysis because of their popularity in the professional community and their complementary approaches to analysing the behaviour of malicious programs.

Methods: Both systems were deployed with their default settings and exposed to the same set of malware samples. The analysis was carried out primarily from the standpoint of how informative the resulting malware-execution reports are to a human analyst. Consequently, only the information available in the web interfaces of the two systems was taken into consideration.

Results: Drakvuf can be expected to perform better when exposed to malware that applies techniques for evading execution in virtual environments. Although this environment has not yet reached its full capacity in terms of integration, customisation and available software tools, it can be regarded as a representative of the second generation of sandboxing systems because of its agentless design. On the other hand, Cuckoo provides a better overall user experience: it is backed by good documentation and a strong professional community, it is better integrated with various software tools, it supports more virtualisation platforms, operating systems and sample types, and it generates more informative reports. Although it has a lower capacity for detecting malware that applies virtual-environment evasion techniques, the ability to apply scripts containing definitions of malicious program behaviour (signatures) makes this environment more effective.

Conclusion: To achieve optimal protection based on open-source sandboxing environments, the use of both systems under consideration is recommended. Under conditions of limited resources, the use of Cuckoo is preferable, especially if frequent exposure to malware that applies virtual-environment evasion techniques is not expected.


Published
2022/03/19
Section
Original scientific papers