
Open Source Malware Clusterization Toolkit: Cosa Nostra

Open Source Malware Clusterization Toolkit

Cosa Nostra is an open source software clustering toolkit with a focus on malware analysis. It can create phylogenetic trees of binary malware samples that are structurally similar. It was initially released during SyScan360 Shanghai (2016).

Required 3rd party tools

To use Cosa Nostra you will need its source code, of course, Python 2.7, and one of the following tools to perform the code analysis:

  • Pyew: written in Python; it supports analysis of PE, ELF, BIOS and boot files for x86 or x86_64.
  • IDA: written in C++; it supports analysing a plethora of executable types that you have probably never even heard of. Commercial product.
  • Radare2: written in pure C; as with IDA, it supports extremely rare CPUs and binary formats. Also, it’s open source!

Analysing binaries

Once you have installed any of the tools mentioned above, use the matching batch script to analyse the malware samples, as in the examples below:

$ cd $COSA_NOSTRA_DIR
$ python r2_batch.py example.exe

Or

$ cd $COSA_NOSTRA_DIR
$ python pyew_batch.py example.exe

Or

$ cd $COSA_NOSTRA_DIR
$ /path/to/idaq -B -A -Sida_batch.py example.exe


Automating the Analysis of a Malware Dataset

The easiest way to analyse a malware dataset is by simply running a command like the following example:

$ find /your/malware/dataset/path -type f -exec python r2_batch.py {} ';'

It can be done in parallel by using the “GNU Parallel” tool, as in the following example:

$ find /your/malware/dataset/path -type f | parallel -j 8 python pyew_batch.py {}

In the example above, GNU Parallel runs up to 8 pyew_batch processes at a time until the whole dataset has been processed.
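As an added example (not code from the Cosa Nostra project), the following POSIX shell driver wraps the batch analysers for large, untidy datasets: it records each sample's SHA-256 in a done-list so reruns skip samples already analysed (duplicate samples under different names are common), applies a per-sample time limit so one hanging sample does not stall the run, and writes failures to a log. The done-list and fail-log paths, the SAMPLE_TIMEOUT variable and the analyse_* function names are this example's own assumptions.

```shell
#!/bin/sh
# Driver around the page's batch analysers (e.g. "python r2_batch.py").
# Added example; file names, function names and SAMPLE_TIMEOUT are assumed.

analyse_one() {
  # $1 batch command, $2 done-list, $3 fail-log, $4 sample path
  cmd="$1"; done_list="$2"; fail_log="$3"; sample="$4"
  hash=$(sha256sum "$sample" | cut -d' ' -f1)
  grep -q "^$hash " "$done_list" && return 0     # already analysed, skip
  # $cmd is deliberately unquoted so "python r2_batch.py" splits into words.
  # A sample that makes the analyser hang is killed after SAMPLE_TIMEOUT s.
  if timeout "${SAMPLE_TIMEOUT:-600}" $cmd "$sample" >/dev/null 2>&1; then
    printf '%s %s\n' "$hash" "$sample" >>"$done_list"
  else
    printf '%s %s\n' "$hash" "$sample" >>"$fail_log"
  fi
}

analyse_dataset() {
  # $1 dataset dir, $2 batch command, $3 done-list, $4 fail-log, $5 jobs
  dataset="$1"; cmd="$2"; done_list="$3"; fail_log="$4"; jobs="${5:-8}"
  touch "$done_list" "$fail_log"
  # Bounded concurrency with plain POSIX job control: start up to $jobs
  # analysers, wait for that batch, then continue with the next one.
  # Two identical samples inside one batch may both be analysed, since the
  # done-list is only written after an analyser finishes.  Sample names
  # containing a newline would break the read loop; rename such files first.
  find "$dataset" -type f | {
    running=0
    while IFS= read -r sample; do
      analyse_one "$cmd" "$done_list" "$fail_log" "$sample" &
      running=$((running + 1))
      if [ "$running" -ge "$jobs" ]; then wait; running=0; fi
    done
    wait
  }
}

# Example run (paths are placeholders):
# analyse_dataset /your/malware/dataset/path "python r2_batch.py" done.txt failed.txt 8
```

Re-running the same command after adding new samples to the dataset only analyses the samples whose hash is not yet in done.txt; failed.txt lists the samples the analyser could not process or that hit the timeout.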
