Following up on last week’s desktop sandboxing challenge, Darren takes a look at another kind of sandbox — one for malware analysis. Shannon thinks your VNC and SSH servers are pretty spiffy, but how about controlling your computer over Twitter? Free text messaging to your PC, anyone?


Malware Analysis Sandbox

CWSandbox is an automated malware analysis sandbox. It works by running suspected malware samples in a simulated Windows OS. Rather than picking apart the malware’s code to work out what it does, the sample is simply executed in a live environment, where everything it does can be monitored: all of the network traffic it generates, the processes it creates, the DLLs it loads, any changes it makes to the Windows registry, and even what it does to the file system.

This is achieved with a technique called API hooking. When the malware calls the Windows application programming interface (API) to do something like “connect to this IP address” or “modify this file”, the call is actually intercepted by CWSandbox’s monitoring software, which logs the action and then lets it go ahead and make the change.

It’s kind of like an operating system man-in-the-middle. For malware.

So once a suspected malware sample has been run through the tool, you get a computer-generated report of what the executable actually does, and that report can be fed into anti-virus and intrusion detection systems to watch for similar behavior.
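An added illustration of the hook-log-forward pattern described above; it is not CWSandbox’s code. Python monkeypatching of `open`, `os.remove` and `socket.connect` stands in for Win32 API hooking, the “sample” is a constructed stand-in that drops a file, deletes it and tries to call out, and the network call is sinkholed rather than forwarded so nothing leaves the machine.

```python
import builtins, functools, os, socket, tempfile

class ApiMonitor:
    """Wrap selected library functions to log each call, then forward it."""
    def __init__(self):
        self.calls = []   # (category, api name, repr of args), in call order
        self._saved = []  # (owner, name, original) so hooks can be removed
    def hook(self, owner, name, category, forward=True):
        original = getattr(owner, name)
        @functools.wraps(original)
        def wrapper(*args, **kwargs):
            self.calls.append((category, name, tuple(repr(a) for a in args)))
            if not forward:   # sinkhole: record the attempt, never let it out
                raise OSError("blocked by sandbox")
            return original(*args, **kwargs)
        self._saved.append((owner, name, original))
        setattr(owner, name, wrapper)
    def __enter__(self):
        self.hook(builtins, "open", "filesystem")
        self.hook(os, "remove", "filesystem")
        self.hook(socket.socket, "connect", "network", forward=False)
        return self
    def __exit__(self, *exc):
        for owner, name, original in reversed(self._saved):
            setattr(owner, name, original)   # always unhook, even on error
        return False
    def report(self):
        """Group recorded calls by category, like a sandbox report summary."""
        summary = {}
        for category, api, _ in self.calls:
            summary.setdefault(category, []).append(api)
        return summary


def run_sample():
    """Constructed stand-in for a sample: drop a file, delete it, call out."""
    workdir = tempfile.mkdtemp()
    dropped = os.path.join(workdir, "dropper.tmp")
    with ApiMonitor() as mon:
        with open(dropped, "w") as fh:
            fh.write("placeholder payload")
        os.remove(dropped)
        try:
            with socket.socket() as s:
                s.connect(("192.0.2.10", 4444))   # TEST-NET-1; sinkholed above
        except OSError:
            pass
    os.rmdir(workdir)
    return mon.report()
```

The returned summary is the raw material a report generator would turn into indicators: which file, registry and network APIs a sample touched, in order.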

PC Remote Control over Twitter

While there is no denying the power of running your own SSH or VNC server at home for remote access, wouldn’t it be nice if you could simply text message your computer something like “Hey, what’s your external IP address?”, “Send me a screenshot” or “Go download this file”?

And if Robin Wood has taught us anything with KreiosC2, it’s that commanding your computer, or even a large botnet for that matter, over social networks is quite possible.

But now it’s time for something a lot more user friendly. This week Snubs investigates TweetMyPC.


32 Comments

  • Nox365 4 years ago

    Hi guys, I love your show,

    However I was disappointed to see that you promoted the program TweetMyPC which is, in my opinion, a terrible piece of software. TweetMyPC uses Twitter’s API which limits the number of times it can check for updates to every 30 seconds.

    Alternatively, it would be very easy to write up your own .NET script that would not be limited by such a restriction. So I did it for you below (in C#). The idea is that instead of asking the API for the update, it gets the update on its own by parsing it out of the HTML source code. This can increase the number of times you can check for updates to as many as 6X a minute. (Granted, it probably is a little more CPU intensive, but I think that the pros outweigh the cons)

    This example is only meant to give you a general idea of how such a homebrew version could work, but if you are interested it would not take much effort to reproduce all of the functionality of TweetMyPC (and maybe include some other, more nefarious, functions as well).

    Feel free to email me:
    nox365@gmail.com

    Example(might be a bit glitchy): http://pastebin.com/EtzTEKuW

    -or download the exe: http://www.mediafire.com/?m1amjgtl3on

    • Nox365 4 years ago

      Scroll down if you want to see the update.
      (This whole time, I never noticed the reply button.)

    • Hi Nox365!

      If you had taken a deeper look into the source code of Twitter you would have seen how efficiently it works.

      And there is really no difference in how often you can use the Twitter API compared to checking the page content, which requires a complete reload every time, because Twitter limits both the same way to a maximum of 150 requests per hour (http://apiwiki.twitter.com/Rate-limiting). Sure, if you try it yourself, you can just reload the page as fast as you want, but after doing this 150 times you will see that at 6 times a minute, as you said, you will be blocked for the rest of the hour after reloading that often for 25 minutes! (150/6=25)

      Now tell me: How do you want to control your computer with your program if your twitter account is blocked?

      You didn’t really listen to what your math-teacher in school told you, did you?

  • Slasher 4 years ago

    Pretty good episode. There are more online “sandboxes” like CWSandbox.

    ThreatExpert – http://threatexpert.com/
    Anubis – http://anubis.iseclab.org/

    etc..

    And btw, what’s up with that Gamefly ad ;)

    – Slasher

  • I really like the way this episode was shot and edited. My favorite part was the GoToMyPC ad/tip. What’s up with the audio on that gamefly spot, though? Snubs still needs a better mic, but it’s nice to see Kerby again. :)

  • Mnemonic 4 years ago

    Snubs looked pretty tired.. hope she’s ok.
    Interesting episode though.

  • charles 4 years ago

    TweetMyPC is pretty cool. I made a sniffer dump ;) what!? .bat throwing it out to a .txt file. Tweet the command and bam, a little network utility on the go. Thanks again guys, very useful here at work.

  • Great episode as always! Sorry to hear about your job Darren, but I am excited to see you try to do Hak5 full time! I also wanted to say thanks for the Windows 7 login tip Snubs mentioned in the GoToAssist spot.

  • soupman 4 years ago

    Shame about being laid off Darren, mad respect for keeping the show alive and doing it full time. Segment about CWSandbox was awesome, gonna try that out :) And Snubs, very impressed, you actually found a legitimate use for Twitter ;)

    Keep up the good work guys, peace :)

  • Very useful information about CWSandbox. Like a lot of people I’ve dabbled with VirtualBox and Wireshark for checking out malware, but that service makes it easier and safer.

    For those of us who haven’t been watching the show that long, the other service Darren mentioned was http://www.virustotal.com/

    A while back I heard a rumour that some malware could break out of a VM and infect the host OS, has that ever actually happened in the wild to anyone’s knowledge?

  • Bucko, I’ve seen some proof of concepts but nothing more. Some more research is obviously in order.

  • Slasher 4 years ago

    Care to post them Darren?

  • Hey guys awesome show! Keep up the good work!

    I imagine this must be old already but I figure I should point it out anyway –> http://www.skullsecurity.org/wiki/index.php/Passwords If you browse this page you will see a .txt file with Hak5 passwords…

    Shout out from Brazil!!!

  • xenomorph150 4 years ago

    O.o does anyone know which band / song is used during Darren’s sandbox explanation? Does sound damn cool o.O….

  • b0bb3r5 4 years ago

    hey guys, I’ve been checking out the Twitter application, great find
    thanks to you I found the Mac version of this

    http://themacbox.co.uk/tweetmymac/

    you should check it out!

  • Yo, what was that song in the middle when he’s riding on the bike? The guy says “every day is a Saturday”.

  • soupman 4 years ago

    @xenomorph150 & Mark

    I’m guessing something by Pronobozo, who does most Hak5 theme music. YouTube failed me so I dunno though ¯\(°_o)/¯

  • xenomorph150 4 years ago

    @soupman
    I did check his stuff and the stuff from the “codergirl” writer… but I got nothing from this… ^^’.
    so… any other idea? XD

  • The song is “every day is a saturday” by Pronobozo. It’s off the new album which is releasing in the next few weeks. Keep an eye on http://www.pronobozo.com

  • xenomorph150 4 years ago

    Awesome! Thanks Darren, I will definitely check it out! ^-^

  • sloth2slow 4 years ago

    TweetMyPC seems really cool, but wouldn’t it be better, at least from a security perspective, if all PC related info was sent to Gmail instead of Twitter? For instance, the ip command. Do you really want to post your IP for the world to see?

    Wouldn’t it be better if that information went to Gmail instead? Or at least have an ipToEmail command?

    Also, just wanted to say that you guys are my favorite information show online. However, with the last couple of shows, I’m getting the feeling that the content is getting less in depth. I would much prefer that the content got more hard core. Every time I launch Hak5, I’m excited, because I’m expecting to learn something.

    eh, maybe I’m just being paranoid. anyway . . . love the show.

    • While I’ll agree the last few shows haven’t been as in depth as usual, don’t count Hak5 out just yet. This season is one of a crazy transition and it’s going to take some time to find a balance that works. Stick with it. :)

      • sloth2slow 4 years ago

        I’m not going anywhere.

        Just trying to keep you on your toes. :)

  • xenomorph150 4 years ago

    @sloth2slow
    You should NEVER use your “own” Twitter account for TweetMyPC.
    Do create a dedicated one and check the privacy settings in the Twitter options. That way, only invited people can read the tweets you send – for example your commands or the responses to them. Adds a big amount of security. And by the way, you should maybe even create your own Gmail account for that occasion and use “real” passwords and not such “password”, “admin”, “0123456789” stuff ;-)…

    On the other hand: Excellent, I love TweetMyPC. I have a bad firewall situation and need an SSH tunnel to my work PC – I thought about reverse SSH (which would be a cool idea for some next show ;-)) – but did not find a way to trigger that, as I did not want to have an “always online” connection to my gateway. But with TweetMyPC I found an easy solution. Thanks Hak5 for delivering the right info on time ;-).

  • God, please no more SSH segments

  • sloth2slow 4 years ago

    Yeah, Snubs explained using the alternate account very well. I got that. Just forgot that you could make twitter private. Seems to go against the grain of the whole app, but it’s perfect for something like this. Thanks. :)

  • Nox365 4 years ago

    -UPDATE-

    Even though I now realize that TweetMyPC is far better than any program I can make, I am continuing my project just for fun. For those of you who did not see my last post, the idea was to get tweet updates through screen-scraping instead of through Twitter’s API.
    The reasons this would be good are:
    – The program doesn’t need your password
    – It can get updates at faster intervals
    – It is against Twitter’s terms of service…
    – …so therefore it is funner
    But there are also the bad things:
    – It takes more CPU
    – You can’t use a private account
    – It is less reliable

    Again, I will attach what I have so far. It is still in super rough shape and I am only in high school so my coding skills are, shall we say, less than exemplary. (Basically it’s pretty sloppy.)
    However, if you are interested at all, I will include the .exe and the C# source so you can see what’s going on.
    Please comment, or email me, if you have suggestions/criticisms.
    At least let me know if I’m making a fool of myself.

    Download: http://www.mediafire.com/?tdgjw02jmmw

    (BTW: Only tested on my WIN-XP and you need .NET framework installed)

  • Where can you download CWSandbox?
