Following up on last week’s desktop sandboxing challenge, Darren’s taking a look at another kind of sandbox: one for malware analysis. Shannon thinks your VNC and SSH servers are pretty spiffy, but how about controlling your computer over Twitter? Free text messaging to your PC, anyone?
Malware Analysis Sandbox
CWSandbox is an automated malware analysis sandbox. It works by running suspected malware samples in a monitored Windows environment. So instead of trying to pick apart the malware’s code to work out what it does, we simply run it in a live environment and watch what it actually does: all of the network traffic the malware generates, the processes it creates, the DLLs it loads, any changes it makes to the Windows registry, and even what it does to the file system.
This is achieved using a technique called API hooking. That basically means that when the malware calls the Windows API to do something like “connect to this IP address” or “modify this file”, the call first lands in CWSandbox’s monitoring code, which logs the action and then passes it on to the real API so the change actually happens. The caveat a practitioner should keep in mind is that hooks at the API layer only see calls that go through that layer: a sample that notices it is being watched and stays quiet, or that skips the API and talks to the kernel directly, will produce a misleadingly clean report.
It’s kind of like an operating system man-in-the-middle. For malware.
So once a suspected malware sample has been run through the tool you get a computer-generated report of what the executable actually does, and that report can be fed into anti-virus and intrusion detection systems to watch for similar behavior.
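To make the hooking idea concrete, here is a portable C sketch added for this write-up; it is not CWSandbox code and uses no Windows headers. A small table of function pointers stands in for the program’s import address table, `real_connect` and `real_write_file` stand in for the Windows API functions, and the “sample”, the address it connects to and the path it writes are all constructed for the demo. The sandbox step is exactly what the paragraph above describes: save the original pointer, point the table entry at a stub that logs the call, and forward to the original so the sample behaves just as it would unmonitored.

```c
/*
 * Added example (not CWSandbox code): API hooking in miniature.
 *
 * A monitored program finds API functions through a table of pointers (on
 * Windows, the Import Address Table).  The sandbox overwrites those entries
 * with its own stubs, which log the call and then forward it to the saved
 * original.  Everything below is a portable stand-in: the "API" functions,
 * the sample and the data it touches are constructed for illustration.
 */
#include <stdio.h>
#include <string.h>

#define LOG_LINES 16
#define LOG_LEN   128

/* Signatures of the two stand-in API functions (hypothetical, not Win32). */
typedef int (*connect_fn)(const char *ip, int port);
typedef int (*writefile_fn)(const char *path, const char *data);

/* The sample's "import table": the only way it reaches the API. */
struct import_table {
    connect_fn   connect;
    writefile_fn write_file;
};

/* The real functions, as the sample sees them before any hook is installed.
 * real_calls counts how often they actually run, to show forwarding works. */
static int real_calls;

static int real_connect(const char *ip, int port) {
    (void)ip; (void)port;
    real_calls++;
    return 0;                       /* pretend the socket connected */
}
static int real_write_file(const char *path, const char *data) {
    (void)path;
    real_calls++;
    return (int)strlen(data);       /* pretend the bytes were written */
}

/* Sandbox state: saved originals plus the behaviour log it produces. */
static connect_fn   orig_connect;
static writefile_fn orig_write_file;
static char log_buf[LOG_LINES][LOG_LEN];
static int  log_count;

static void log_line(const char *text) {
    if (log_count < LOG_LINES) {
        snprintf(log_buf[log_count++], LOG_LEN, "%s", text);
    }
}

/* Hook stubs: record the call, then forward to the real function so the
 * sample's behaviour is unchanged and only the log knows the difference. */
static int hooked_connect(const char *ip, int port) {
    char line[LOG_LEN];
    snprintf(line, sizeof line, "connect(%s:%d)", ip, port);
    log_line(line);
    return orig_connect(ip, port);
}
static int hooked_write_file(const char *path, const char *data) {
    char line[LOG_LEN];
    snprintf(line, sizeof line, "WriteFile(%s, %d bytes)", path, (int)strlen(data));
    log_line(line);
    return orig_write_file(path, data);
}

/* Installing a hook = saving the original pointer and overwriting the table
 * entry.  On Windows this is the IAT patch (or an inline JMP at the
 * function's first bytes); the principle is identical. */
void install_hooks(struct import_table *iat) {
    orig_connect    = iat->connect;
    orig_write_file = iat->write_file;
    iat->connect    = hooked_connect;
    iat->write_file = hooked_write_file;
}

/* The "sample": it only knows the table, not who is behind it.
 * Address (TEST-NET-2) and path are constructed, not real indicators. */
static void run_sample(struct import_table *iat) {
    iat->connect("198.51.100.7", 6667);
    iat->write_file("C:\\Users\\Public\\dropper.exe", "MZ...");
}

/* Runs the sample under the hooks; returns the number of logged calls. */
int analyze_sample(void) {
    struct import_table iat = { real_connect, real_write_file };
    log_count = 0;
    real_calls = 0;
    install_hooks(&iat);
    run_sample(&iat);
    return log_count;
}

/* Accessors for the report: one log entry, and how many calls were forwarded. */
const char *log_entry(int i) {
    return (i >= 0 && i < log_count) ? log_buf[i] : "";
}
int forwarded_calls(void) {
    return real_calls;
}

int main(void) {
    int n = analyze_sample();
    for (int i = 0; i < n; i++) printf("%s\n", log_entry(i));
    printf("%d calls forwarded to the original API\n", forwarded_calls());
    return 0;
}
```

The two log lines are the kind of behavioral evidence the report is built from: a network destination and a dropped file, neither of which required reading a single instruction of the sample. The forwarding count is the other half of the trick; if the stub did not call the original, the sample would notice that its connection failed or its file never appeared and could change course.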
PC Remote Control over Twitter
While there is no denying the power of running your own SSH or VNC server at home for remote access, wouldn’t it be nice if you could simply text message your computer something simple like “Hey, what’s your external IP address?”, “Send me a screenshot” or “Go download this file”?
And if Robin Wood has taught us anything with KreiosC2, it is that commanding your computer, or even a large botnet for that matter, over social networks is quite possible.
But now it’s time for something a lot more user friendly. This week Snubs investigates TweetMyPC.




Hi guys, I love your show.
However, I was disappointed to see that you promoted the program TweetMyPC, which is, in my opinion, a terrible piece of software. TweetMyPC uses Twitter’s API, which limits the number of times it can check for updates to once every 30 seconds.
Alternatively, it would be very easy to write your own .NET script that would not be limited by such a restriction. So I did it for you below (in C#). The idea is that instead of asking the API for the update, it gets the update on its own by parsing it out of the HTML source code. This can increase the number of times you can check for updates to as many as 6X a minute. (Granted, it probably is a little more CPU intensive, but I think that the pros outweigh the cons.)
This example is only meant to give you a general idea of how such a homebrew version could work, but if you are interested it would not take much effort to reproduce all of the functionality of TweetMyPC (and maybe include some other, more nefarious, functions as well).
Feel free to email me:
nox365@gmail.com
Example(might be a bit glitchy): http://pastebin.com/EtzTEKuW
-or download the exe: http://www.mediafire.com/?m1amjgtl3on
Scroll down if you want to see the update.
(This whole time, I never noticed the reply button.)
Hi Nox365!
If you had taken a deeper look into the source code of Twitter you would have seen how efficiently it works.
And there is really no difference in how often you can use the Twitter API compared to checking the page content, which requires a complete reload every time, because Twitter limits both the same way to a maximum of 150 requests per hour (http://apiwiki.twitter.com/Rate-limiting). Sure, if you try it yourself, you can reload the page as fast as you want, but after doing this 150 times you will see that at, as you said, 6 times a minute you will be blocked for the rest of the hour after reloading that often for 25 minutes! (150/6=25)
Now tell me: How do you want to control your computer with your program if your twitter account is blocked?
You didn’t really listen to what your math-teacher in school told you, did you?
Pretty good episode. There are more online “sandboxes” like CWSandbox:
ThreatExpert – http://threatexpert.com/
Anubis – http://anubis.iseclab.org/
etc.
And btw, what’s up with that Gamefly ad?
- Slasher
I really like the way this episode was shot and edited. My favorite part was the GoToMyPC ad/tip. What’s up with the audio on that gamefly spot, though? Snubs still needs a better mic, but it’s nice to see Kerby again.
Snubs looked pretty tired, hope she’s ok.
Interesting episode though.
TweetMyPC is pretty cool. I made a sniffer dump, what!? A .bat throwing it out to a .txt file. Tweet the command and bam, a little network utility on the go. Thanks again guys, very useful here at work.
Great episode as always! Sorry to hear about your job Darren, but I am excited to see you try to do Hak5 full time! I also wanted to say thanks for the Windows 7 login tip Snubs mentioned in the GoToAssist spot.
Shame about being laid off, Darren, mad respect for keeping the show alive and doing it full time. The segment about CWSandbox was awesome, gonna try that out.
And Snubs, very impressed, you actually found a legitimate use for Twitter.
Keep up the good work guys, peace
Very useful information about CWSandbox. Like a lot of people I’ve dabbled with VirtualBox and Wireshark for checking out malware, but that service makes it easier and safer.
For those of us who haven’t been watching the show that long, the other service Darren mentioned was http://www.virustotal.com/
A while back I heard a rumour that some malware could break out of a VM and infect the host OS, has that ever actually happened in the wild to anyone’s knowledge?
Bucko, I’ve seen some proof of concepts but nothing more. Some more research is obviously in order.
Care to post them Darren?
Hey guys awesome show! Keep up the good work!
I imagine this must be old already but I figure I should point it out anyway –> http://www.skullsecurity.org/wiki/index.php/Passwords If you browse this page you will see a .txt file with Hak5 passwords…
Shout out from Brazil!!!
O.o Does anyone know which band / song is used during Darren’s sandbox explanation? Does sound damn cool o.O….
Hey guys, I’ve been checking out the Twitter application, great find.
Thanks to you I found the Mac version of this:
http://themacbox.co.uk/tweetmymac/
You should check it out!
Yo, what was that song in the middle when he’s riding on the bike? The guy says “every day is a Saturday”.
@xenomorph150 & Mark
I’m guessing something by Pronobozo, he does most Hak5 theme music. YouTube failed me so I dunno though ¯\(°_o)/¯
@soupman
I did check his stuff and the stuff from the “codergirl” writer… but I got nothing from this… ^^’.
So… any other idea? XD
The song is “every day is a saturday” by Pronobozo. It’s off the new album which is releasing in the next few weeks. Keep an eye on http://www.pronobozo.com
Awesome! Thanks Darren, I will definitely check it out! ^-^
TweetMyPC seems really cool, but wouldn’t it be better, at least from a security perspective, if all PC-related info was sent to Gmail instead of Twitter? For instance, the ip command. Do you really want to post your IP for the world to see?
Wouldn’t it be better if that information went to Gmail instead? Or at least have an ipToEmail command?
Also, just wanted to say that you guys are my favorite information show online. However, with the last couple of shows, I’m getting the feeling that the content is getting less in depth. I would much prefer that the content got more hardcore. Every time I launch Hak5, I’m excited, because I’m expecting to learn something.
Eh, maybe I’m just being paranoid. Anyway . . . love the show.
While I’ll agree the last few shows haven’t been as in depth as usual, don’t count Hak5 out just yet. This season is one of a crazy transition and it’s going to take some time to find a balance that works. Stick with it.
I’m not going anywhere.
Just trying to keep you on your toes.
@sloth2slow
…
You should NEVER use your “own” Twitter account for TweetMyPC.
Do create a dedicated one and check the privacy settings in the Twitter options. That way, only invited people can read the tweets you send, for example your commands or the responses to them. Adds a big amount of security. And by the way, you should maybe even create a separate Gmail account for that occasion and use “real” passwords and not such “password”, “admin”, “0123456789” stuff.
On the other hand: Excellent, I love TweetMyPC. I have a bad firewall situation and need an SSH tunnel to my work PC. I thought about reverse SSH (which would be a cool idea for some next show) but did not find a way to trigger that, as I did not want to have an “always online” connection to my gateway. But with TweetMyPC I found an easy solution. Thanks Hak5 for delivering the right info on time.
God, please no more SSH segments
Yeah, Snubs explained using the alternate account very well. I got that. Just forgot that you could make twitter private. Seems to go against the grain of the whole app, but it’s perfect for something like this. Thanks.
-UPDATE-
Even though I now realize that TweetMyPC is far better than any program I can make, I am continuing my project just for fun. For those of you who did not see my last post, the idea was to get tweet updates through screen scraping instead of through Twitter’s API.
The reasons this would be good are:
– The program doesn’t need your password
– It can get updates at faster intervals
– It is against Twitter’s terms of service…
– …so therefore it is more fun
But there are also the bad things:
– It takes more CPU
– You can’t use a private account
– It is less reliable
Again, I will attach what I have so far. It is still in super rough shape and I am only in high school, so my coding skills are, shall we say, less than exemplary. (Basically it’s pretty sloppy.)
However, if you are interested at all, I will include the .exe and the C# source so you can see what’s going on.
Please comment, or email me, if you have suggestions/criticisms.
At least let me know if I’m making a fool of myself.
Download: http://www.mediafire.com/?tdgjw02jmmw
(BTW: Only tested on my WIN-XP and you need .NET framework installed)
Where can you download CWSandbox?
My bad, it’s an online service, I misunderstood.