Managing and Exploring Malware Samples with Viper
2014-10-31 11:28
519 查看
Keeping track of all the samples on your plate can become cumbersome and at times, next to impossible; that's where projects like Viper come
in. Viper is "a framework to store, classify and investigate binary files." This project is an improvement on another tool called VxCage.Viper
is lightweight (due its usage of SQLite), and brings a lot to the table with an ever-growing list of included modules and analysis tools. The following article, contributed by David
Westcott, explains how to get started with this tool.
Viper project is maintained by Claudio Guarnieri (@botherder), Kevin Breen (@KevTheHermit)
and Mariano Graziano (@emd3l). This tool is included in the latest version of REMnux.
To take full advantage of the latest features of Viper, update the version of the tool included with REMnux using the instructions below. Some of the features available in the updated version of Viper are:
The introduction of projects
Additional processing and reporting modules
Multiple fixes (see Github history for more info)
Make sure you're running the latest version of Viper (see update instructions below), then run it using the "viper.py" command.
Getting to Know Viper
Viper presents its user with an interactive shell. Type "help" in the Viper's shell to see a listing of the available commands:
You will also see a listing of the more interesting commands that Viper calls "modules":
Going through all the things Viper can do is beyond the scope of this post, but for sake of demonstration, let's take a look at a few things not mentioned within the Viper's
README document. Note that all modules will be run against the currently opened session (a.k.a. file currently referenced).
You can download a sample and directly add it to your repository using the "open" command:
You can quickly tag a sample for easier reference in the future using the "tags" command:
You can examine the current PE sample for shellcode characteristics using the "shellcode" module:
You can analyze a binary Microsoft Office document for OLE details using the "office" module:
You can locate scripts within an HTML sample using the "html" module:
You can look up the current sample's hash on VirusTotal using the "virustotal" module:
You can also look up the sample on on Malwr.com using the "reports malwr" command:
It's worth noting the API that Viper makes available to its users. At the moment, the API is pretty basic, you can perform the following:
Query for a hash
Upload a file
List current tags within the repo
Download a given file
To activate Viper's API engine, go to the directory where it's installed (on REMnux that's /usr/local/viper) and run "python api.py" as the root user:
If you want to use the API portion of the application, you need to install the Bottle framework by running "sudo pip
install bottle".
Updating Viper on REMnux
Confirm that you're running the latest version of REMnux. These update instructions are written for REMnux version 5, released
in May 2014. Configure your REMnux virtual appliance to be connected to the Internet. The virtual machine ships with host-only networking. You'll need to adjust its configuration to use NAT mode, then run "dhcp-renew" to refresh IP settings.
Remove the current set of Viper files and download the latest version using the following steps:
in. Viper is "a framework to store, classify and investigate binary files." This project is an improvement on another tool called VxCage.Viper
is lightweight (due its usage of SQLite), and brings a lot to the table with an ever-growing list of included modules and analysis tools. The following article, contributed by David
Westcott, explains how to get started with this tool.
Viper project is maintained by Claudio Guarnieri (@botherder), Kevin Breen (@KevTheHermit)
and Mariano Graziano (@emd3l). This tool is included in the latest version of REMnux.
To take full advantage of the latest features of Viper, update the version of the tool included with REMnux using the instructions below. Some of the features available in the updated version of Viper are:
The introduction of projects
Additional processing and reporting modules
Multiple fixes (see Github history for more info)
Make sure you're running the latest version of Viper (see update instructions below), then run it using the "viper.py" command.
Getting to Know Viper
Viper presents its user with an interactive shell. Type "help" in the Viper's shell to see a listing of the available commands:
You will also see a listing of the more interesting commands that Viper calls "modules":
Going through all the things Viper can do is beyond the scope of this post, but for sake of demonstration, let's take a look at a few things not mentioned within the Viper's
README document. Note that all modules will be run against the currently opened session (a.k.a. file currently referenced).
You can download a sample and directly add it to your repository using the "open" command:
You can quickly tag a sample for easier reference in the future using the "tags" command:
You can examine the current PE sample for shellcode characteristics using the "shellcode" module:
You can analyze a binary Microsoft Office document for OLE details using the "office" module:
You can locate scripts within an HTML sample using the "html" module:
You can look up the current sample's hash on VirusTotal using the "virustotal" module:
You can also look up the sample on on Malwr.com using the "reports malwr" command:
It's worth noting the API that Viper makes available to its users. At the moment, the API is pretty basic, you can perform the following:
Query for a hash
Upload a file
List current tags within the repo
Download a given file
To activate Viper's API engine, go to the directory where it's installed (on REMnux that's /usr/local/viper) and run "python api.py" as the root user:
If you want to use the API portion of the application, you need to install the Bottle framework by running "sudo pip
install bottle".
Updating Viper on REMnux
Confirm that you're running the latest version of REMnux. These update instructions are written for REMnux version 5, released
in May 2014. Configure your REMnux virtual appliance to be connected to the Internet. The virtual machine ships with host-only networking. You'll need to adjust its configuration to use NAT mode, then run "dhcp-renew" to refresh IP settings.
Remove the current set of Viper files and download the latest version using the following steps:
sudo -s cd /usr/local rm -rf viper git clone https://github.com/botherder/viper.git[/code]
Modify Viper's configuration in the /usr/local/viper/modules/pe.py fileto point it to the packer signatures database. To do this, run "scite /usr/local/viper/modules/pe.py".
Then change from:
To:
Also, modify Viper's configuration in the /usr/local/viper/modules/yarascan.py file to point to the location of Yara signatures. To do this, run "scite /usr/local/viper/modules/yarascan.py" and changing "data/yara/index.yara" to "/usr/local/viper/data/yara/index.yara":
Next, install new dependency to be used with OLE plugin by running the following command:pip install OleFileIO_PL
If you haven't already installed Bottle, as indicated above, to so by running "pip install bottle".
Lastly, create the directory where Viper will store its projects data by running:mkdir ~remnux/projects
After this, exit the root shell ("exit") and run Viper ("viper.py") as a non-root user. You should run Viper from the directory to which the "remnux" user has write
access, such as this user's home directory.Viper is a promising tool for managing and exploring malware samples in your collection. Based on the projects that Viper's developers have created previously (most
Conclusion
notably Cuckoo Sandbox),
this tool has a bright future as part of a malware analyst's toolkit.
This article was written by David Westcott (@beast_fighter)
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- [Angular 2] Managing State in RxJS with StartWith and Scan
- Exploring System Internals with lsof and strace
- [MobX] MobX fundamentals: deriving computed values and managing side effects with reactions
- Links and resources for malware samples
- NetAdvantage_Ultimate_20112_WithSamplesAndHelp
- 2.10 Presenting and Managing Views with UIViewController
- Q & A category in Prism forums, with some answers and samples of mine.
- [SPS2010] 新的教程 Exploring SharePoint and Silverlight with Paul Stubbs (英语)
- Managing Software Development with Trac and Subversion
- Malware Infected Website protection with TMG, IE and Sophos
- Creating and Managing a Database with DBCA
- TWC: Malware Hunting with Mark Russinovich and the Sysinternals Tools
- Tip/Trick: Integrating ASP.NET Security with Classic ASP and Non-ASP.NET URLs
- 2006年11月9日 Working with Data and ASP.NET 2.0
- Video captioning with recurrent networks based on frame- and video-level features and visual content
- A Microservice Architecture with Spring Boot and Spring Cloud(二)
- Google Merchant How To Setup A Live XML Data Feed With MySql and PHP
- [深度学习论文笔记][Depth Estimation] Predicting Depth, Surface Normals and Semantic Labels with a Common M
- Financial Inquiry via FAXOLFIN And FAXASSET Fails With APP-OFA-48269 Unknown Error (文档 ID 749444.1)
- DB2 Basics: Fun with Dates and T…