What is "Cuckoo"? What is its purpose?
Cuckoo is a dedicated, isolated system that serves as a platform for the automatic analysis and examination of software, with an emphasis on malware.
This analysis can be both dynamic and static. To that end, an independent, isolated system in a "sandbox" environment is needed.
This enables unrestricted analysis of software suspected of being malware (which entails running it), since any damage it causes is confined to a system that is isolated from its host.
What makes Cuckoo unique is its automation: it comes as a complete, automated package with all tools already installed, and it performs the analysis in a convenient and user-friendly manner.
Architecture
- Once the system is properly installed and configured, virtualization software must be installed on it so that it can host virtual machines.
- The hosted virtual machines are the ones that will be injected with the malware and on which the analysis will actually be performed.
- Beyond running the virtualization software on Cuckoo and installing the guests that serve as examination targets on top of it, we add ANOTHER isolation layer to protect our important systems from the malware.
- Virtualization alone is not enough. First, we isolate "Cuckoo" from the host computer and from other hosts by means of a sandbox environment, which can take many forms: a Docker container, a Python virtual environment, or an actual virtual machine hosted on a hypervisor. Then we add the second layer for the target machines by adding a hypervisor within the initial isolation.
Ultimately, "Cuckoo" is installed in a sandbox environment within the operating system, and inside that sandbox a virtualization system is installed, on which the virtual machines are hosted.
We thus get a system with two isolation layers (two virtual machines, if the sandbox environment is itself a virtualization system: virtualization within virtualization, also called "nested virtualization").
All guest systems are connected to an internal virtual network, to which the "Cuckoo" host is also connected and on which it acts as the gateway (GW). The interface between "Cuckoo" and the rest of the systems is protected by special iptables rules that allow Internet access but no access to the other parts of the system.
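The gateway firewall described above, as an added example that is not part of the original article: the Cuckoo host forwards the guests' traffic to the Internet but drops anything aimed at private address space or at the host itself, except the result server the guest agent reports to. The interface names, guest subnet, protected ranges and result-server port are assumed values, not taken from this page; the guests are assumed to use static addresses.

```shell
#!/bin/sh
# Added example (not from the original article): host-side firewall that makes the
# Cuckoo host a gateway for the analysis guests. Interface names, guest subnet,
# protected ranges and result-server port are assumptions; adjust to your setup.
# "apply" executes the rules (needs root); otherwise the rules are only printed
# so they can be reviewed first.

SANDBOX_IF="${SANDBOX_IF:-vboxnet0}"          # host-only network the guests sit on (assumed)
WAN_IF="${WAN_IF:-eth0}"                       # interface that reaches the Internet (assumed)
SANDBOX_NET="${SANDBOX_NET:-192.168.56.0/24}"  # guest subnet (assumed)
PROTECTED_NETS="${PROTECTED_NETS:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"  # RFC 1918 space
RESULT_PORT="${RESULT_PORT:-2042}"             # Cuckoo's default result-server port (assumed)

gen_rules() {
  # Forwarded traffic is denied unless a rule below allows it.
  echo "iptables -P FORWARD DROP"
  # Replies to connections the guests opened may come back in.
  echo "iptables -A FORWARD -i $WAN_IF -o $SANDBOX_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  # Guests must not reach private address space (the host's LAN, other labs).
  # These DROP rules come before the generic ACCEPT because iptables matches in order.
  for net in $PROTECTED_NETS; do
    echo "iptables -A FORWARD -i $SANDBOX_IF -s $SANDBOX_NET -d $net -j DROP"
  done
  # Everything else from the guests goes out to the Internet, NATed behind the host.
  echo "iptables -A FORWARD -i $SANDBOX_IF -o $WAN_IF -s $SANDBOX_NET -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $SANDBOX_NET -j MASQUERADE"
  # The guest agent reports to the result server on the host; no other host
  # service is reachable from the sandbox network (guests use static addresses).
  echo "iptables -A INPUT -i $SANDBOX_IF -s $SANDBOX_NET -p tcp --dport $RESULT_PORT -j ACCEPT"
  echo "iptables -A INPUT -i $SANDBOX_IF -s $SANDBOX_NET -j DROP"
  # Routing between the two interfaces is off by default on Linux.
  echo "sysctl -w net.ipv4.ip_forward=1"
}

apply_rules() {
  # Run each generated command; stop at the first failure so a half-applied
  # policy is noticed rather than silently leaving the guests unrestricted.
  gen_rules | while IFS= read -r cmd; do
    $cmd || { echo "failed: $cmd" >&2; return 1; }
  done
}

if [ "${1:-}" = "apply" ]; then apply_rules; else gen_rules; fi
```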
Preparing the installation environment
Before installation, make sure the host environment is ready for installing and operating the "Cuckoo" system.
There are prerequisites: tools that must be installed and settings that must be configured for optimal use and operation.
- One of the most basic requirements is Python 2.7 with all of its libraries on the system (apt install python2.7).
- Python's pip tool must also be installed, together with the following Python add-ons:
apt install python-pip python-dev libffi-dev libssl-dev
- Another component that must be installed, if and when we want to simulate an attack on particular/different operating systems, is a system that enables virtualization (i.e. a hypervisor). The common ones are VirtualBox and VMware.
- Another required add-on is tcpdump. The image shows its configuration process after installation.
Examples of non-mandatory add-ons
There are many optional add-ons that add functionality to "Cuckoo":
- Yara
- ssdeep
- Volatility
- In order to use the Django web interface to communicate with the system, the MongoDB database must be downloaded.
- Distorm is yet another example of a non-mandatory add-on that adds functionality to "Cuckoo":
sudo -H pip install distorm3
When installing "Cuckoo", there are two main options:
- Installation on an operating system that is intended only for operating "Cuckoo".
- Installation on an operating system that will be used for additional purposes, within an isolated environment.
- (This can be a virtual operating system, in which case we have a virtual operating system within a virtual operating system.)
- Or any other sandbox environment that will protect the rest of the system, for example, a container...
. venv/bin/activate
sudo -H pip install -U pip setuptools
sudo -H pip install -U cuckoo
On the first run of Cuckoo ("cuckoo -d") additional important libraries will be built (this is part of the installation process).
Important configurations
All configuration files of the Cuckoo system are located under the installation path (by default ~/.cuckoo) in a folder named conf (for the root user the full path is /root/.cuckoo/conf).