Add a signature for detecting AntiCuckoo. The author of AntiCuckoo do…

…esn't see the pointlessness of his work; it doesn't prove anything not already known, doesn't improve Cuckoo as a sandbox. It's merely a lesson in information asymmetry and the ability of code to detect other public code executing at the same privilege level. It is simply not possible to proactively prevent detection while at the same time publishing a DLL for users to use. It's merely a time-wasting cat and mouse game that enables script kids and malware writers to reach beyond their own capabilities. As my own lesson in information asymmetry, the cuckoomon code that currently detects all three forms of AntiCuckoo's detections won't be published.
brad-sp · Jul 13, 2015 · 29587d6 · 29587d6
1 parent 7212a3c
commit 29587d6
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/community.pyproj b/community.pyproj
@@ -18,6 +18,7 @@
     <PtvsTargetsFile>$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\Python Tools\Microsoft.PythonTools.targets</PtvsTargetsFile>
   </PropertyGroup>
   <ItemGroup>
+    <Compile Include="modules\signatures\antisandbox_cuckoo.py" />
     <Compile Include="modules\signatures\antivm_vbox_provname.py" />
     <Compile Include="modules\signatures\bad_ssl_certs.py" />
     <Compile Include="modules\signatures\disables_spdy.py" />

diff --git a/modules/signatures/antisandbox_cuckoo.py b/modules/signatures/antisandbox_cuckoo.py
@@ -0,0 +1,39 @@
+# Copyright (C) 2015 Accuvant, Inc. ([email protected])
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from lib.cuckoo.common.abstracts import Signature
+
+class AntiCuckoo(Signature):
+    name = "antisandbox_cuckoo"
+    description = "Employs AntiCuckoo detection techniques"
+    severity = 3
+    weight = 3
+    categories = ["anti-sandbox"]
+    authors = ["Accuvant"]
+    minimum = "1.3"
+    evented = True
+
+    filter_categories = set(["__notification__"])
+
+    def __init__(self, *args, **kwargs):
+        Signature.__init__(self, *args, **kwargs)
+
+    def on_call(self, call, process):
+        subcategory = self.check_argument_call(call,
+                                               api="__anomaly__",
+                                               name="Subcategory",
+                                               pattern="anticuckoo")
+        if subcategory:
+            return True