Starting with sandbox development

Question

I am looking for some security related project in which I can contribute and also learn something. Since I am new with this stuff It will be better if that project is less complex and digestible for a beginner. I was searching for such project in GSoC and found a opensource sandbox project called "Cuckoobox".

I tried to get hold of its source code but that proved to be futile attempt.I realized that first i need to know the windows OS environment and API and why they are so susceptible to infection, common methods and tools for attacking such DLL injection and solution for them. Please point me to some study material to get all the basics required to be able to contribute to such projects.

I have one more question. Which OS should I start with, Linux or Windows?. I think Windows should be the one as it is the most widely used OS and also the most widely infected (compared to Linux).

Is there a question here? I suggest you edit your post to clarify what it is you're asking. — AviD, Mar 26 '11 at 21:50
+1 as AviD says, what is the question? Cuckoobox isn't open source - speak to Claudio Guarnieri for more info on it - but in any case it isn't your best bet to learn about malware; it is aimed much more at experienced malware investigators, to speed up the investigation process. Can you do secure code development as part of your course? — Rory Alsop, Mar 27 '11 at 16:24
@AviD♦:I want to find some open source project in security which i can contribute and thereby learn something. And if cuckoobox is not something for starters then please recommend some other security project for newbie. — gkt, Mar 30 '11 at 13:27
@Rory Alsop: [cuckoobox website](http://www.cuckoobox.org/) says it is open source and links to a git repository. — Stephen Paulger, May 25 '11 at 15:41
@Rory Alsop: I have no idea of what you're talking about. Cuckoo Sandbox has always been Open Source since the very beginning. Don't make wrong statements on things you don't know about please. — , Jun 02 '11 at 07:11
@Claudio G - many thanks for that. My response was taken from the documentation on the old cuckoo web page. Apologies for getting the wrong end of the stick. Glad it is open source :-) — Rory Alsop, Jun 02 '11 at 11:58

score 13 · Accepted Answer · edited Mar 29 '11 at 10:11

13

Microsoft has had a horrific security track record. But the real problem in 2011 isn't operating systems, its web applications and web browsers. You should explore projects like Damn Vulnerable Web App, OWASP WebGoat and especially Google Gruyere. You can find pre-built VM's for all of them, and Google is hosting theirs so you don't have to install anything.

edited Mar 29 '11 at 10:11

Rory Alsop

61,367
12
115
320

answered Mar 26 '11 at 20:11

rook

46,916
10
92
181

3

+1 for WebGoat - it is a great starting point. – Rory Alsop Mar 28 '11 at 11:19
The reason I wish to do window project is because I think it is simpler and more apt for the beginners to start with as compared to the complex and more difficult web securities.Please correct me if I am wrong. – gkt Mar 30 '11 at 13:30
1

@gkt.pro, you're wrong about that - it's a lot easier for a beginner to get into the basics of web attacks, its (usually) based on a very simple, transparent protocol which is easy to play with. Getting into current windows vulns will often force you to go down to reverse engineering and kernel debugging. Not very beginner-friendly. Definitely +1 for WebGoat, I use it for beginner training all the time. – AviD Mar 30 '11 at 13:43
@gkt.pro yeah I agree with Avid, most operating system attacks are by far the most complex attacks around. Web application by contrast are the most simple, CSRF, XSS and SQL Injection are pretty trivial. There are some exceptions like H.D. Moores DLL hijacking is pretty simple, but that's almost dead. Stick with web apps. – rook Mar 30 '11 at 16:32
1

http://blog.metasploit.com/2010/05/introducing-metasploitable.html Metasploitable is another option for a known insecure VM. – Stephen Paulger May 25 '11 at 15:50

score 5 · Answer 2 · answered Mar 25 '11 at 20:14

5

A fantastic book on rootkits and exploiting Win32 systems via them is, "The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System." It has extremely in depth information about rootkits and the process behind them. Be forewarned though, in order to fully appreciate the book, a background in C is highly recommended.

answered Mar 25 '11 at 20:14

PalmerBomber

347
4
7

Thanks for pointing the books. I am reading it and enjoying it a lot. – gkt Apr 02 '11 at 13:55

score 2 · Answer 3 · edited Mar 17 '17 at 10:46

2

Googles Gruyere is definitely the way to go when you speak of novice.
As @Rook wrote, web apps is what you should be seeing today. You don't have to worry about concepts, as you go way down the Gruyere, they explain the concepts before you enter the particular exploit. I am learning my way with Gruyere, as we speak here now :)

edited Mar 17 '17 at 10:46

Community

1

answered May 31 '11 at 05:30

Karthik

2,254
4
19
19

noxdafox · Answer 4 · 2017-07-17T06:03:48.083

You don't necessarily need to start from the Windows internals to perform behavioural analysis. There are other easier and more interesting approaches you could try first.

You could begin from tracing the network activity with tools such as wireshark and see what evidence you could gather from there.

Tools like volatility or rekall are a good way to start learning about memory forensics without the need of studying OS principles.

A very simple way to perform filesystem forensics with Virtual Machine based sandboxes is to just take two disk snapshots at different times and compare them to see what has changed.

All just to say that there are more ways to approach the problem and, as a beginner, I believe the most simple and entertaining ones should be tried first.

The SEE tutorial, for example, shows how to inspect malware without the need to know lots of Windows/Linux internals.

Starting with sandbox development

4 Answers4

Linked