Open Source System Software and
Practice Final Project
R03725019 李士暄
R04725042 葉展奇
A Distributed Malware Analysis System
Cuckoo Sandbox
Outline
• Introduction to Cuckoo
• Standalone Cuckoo architecture
• Motivation
• Distributed system of Cuckoo sandbox
• Agent design
• Evaluation
Introduction to Cuckoo
• An open source automated malware analysis system.
• Runs binary files in a virtual machine (VM) to record their behavior:
• Traces Win32 API calls
• Files created, registry access, memory dump of the malware process
• Network traffic pcaps
• Supports static analysis
• Integrated with Yara, VirusTotal and other open source tools.
• Hypervisor: supports KVM, VMware and VirtualBox
Standalone Cuckoo Architecture
(Architecture diagram; the only label recovered from the slide is "Web Service".)
Motivation – performance bottleneck
• Although we can run several VMs for Cuckoo, the computing power of one machine is fixed,
• which causes a performance bottleneck for analysis tasks.
Project Goal
• Extend Cuckoo sandbox into a distributed system that can run analysis tasks in parallel.
• leverage a master and workers architecture
• reduce total analysis time
• We hope our distributed Cuckoo system will be a scalable system,
• which means the number of analyzed malware samples can grow as hardware resources are added.
Implementation
• The Cuckoo framework has its own distributed APIs, but they are incomplete and not sufficient for our goal.
• Uses the curl library for network connections
• We decided to set up the Cuckoo environment and implement our own agents on both the master and the worker sides.
Distributed System of Cuckoo Sandbox
(Architecture diagram. Labels recovered from the slide: a Security Analyst provides malware samples to the Cuckoo Master; the master assigns tasks to Cuckoo Worker 1, Cuckoo Worker 2 and Cuckoo Worker 3 over a virtual network; the workers run Analysis VM 1 through Analysis VM 6; a File Server and a DB Server sit beside the master; an agent runs on the master and on each worker.)
Agent Design (1/2)
• The master transmits the first malware samples to the workers up front.
• The process for one worker VM:
1. The worker agent executes Cuckoo sandbox and starts analyzing the malware.
2. The master agent transmits the next malware sample to the worker as soon as the worker starts the analysis task.
3. After the reports are generated, the worker agent transmits them back to the master.
Agent Design (2/2)
• An analysis task can be divided into four steps:
• FT: File Transmission, MA: Malware Analysis
• GR: Generate Report, RT: Report Transmission
• We hope the analysis tasks of one VM can be handled in parallel like an instruction pipeline.
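To make the pipeline argument of the two Agent Design slides concrete, here is an added simulation (not part of the original project or its agents) that computes the makespan of one analysis VM with and without overlapping FT and RT with analysis, and then spreads samples round-robin over several VMs. The stage durations are constructed values, and the model assumes one transfer link per worker and a VM that is busy from the start of MA until GR ends.

```python
"""Makespan model for the FT -> MA -> GR -> RT analysis pipeline (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stage:
    ft: float  # file transmission, master -> worker
    ma: float  # malware analysis inside the VM
    gr: float  # report generation on the worker
    rt: float  # report transmission, worker -> master


def serial_makespan(n_tasks: int, s: Stage) -> float:
    """No overlap: every sample finishes all four steps before the next is sent."""
    return n_tasks * (s.ft + s.ma + s.gr + s.rt)


def pipelined_makespan(n_tasks: int, s: Stage) -> float:
    """One VM; the next FT and the previous RT overlap with the current MA/GR."""
    if n_tasks == 0:
        return 0.0
    ft_done = s.ft               # first sample is sent up front
    ma_start = ft_done
    gr_done = ma_start + s.ma + s.gr
    rt_done = gr_done + s.rt
    for _ in range(1, n_tasks):
        # master sends the next sample as soon as the VM has started analyzing
        ft_done = max(ft_done, ma_start) + s.ft
        # the VM is busy until analysis and report generation of the previous sample end
        ma_start = max(ft_done, gr_done)
        gr_done = ma_start + s.ma + s.gr
        # reports share one link back to the master, so they go out in order
        rt_done = max(gr_done, rt_done) + s.rt
    return rt_done


def cluster_makespan(n_tasks: int, n_vms: int, s: Stage, pipelined: bool = True) -> float:
    """Round-robin the samples over the VMs; the most loaded VM sets the total time."""
    per_vm = [n_tasks // n_vms + (1 if i < n_tasks % n_vms else 0) for i in range(n_vms)]
    model = pipelined_makespan if pipelined else serial_makespan
    return max(model(k, s) for k in per_vm)


if __name__ == "__main__":
    stage = Stage(ft=2, ma=10, gr=3, rt=1)  # constructed durations (minutes)
    print("1 VM, 12 samples, serial:   ", serial_makespan(12, stage))
    print("1 VM, 12 samples, pipelined:", pipelined_makespan(12, stage))
    print("6 VMs, 12 samples, pipelined:", cluster_makespan(12, 6, stage))
```

With these durations the pipeline saves roughly one FT plus one RT per sample, and adding VMs divides the remaining MA+GR time, which is the scalability claim of the Project Goal slide.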
Evaluation (1/3)
(evaluation chart; no text was extracted from this slide)
Evaluation (2/3)
(evaluation chart; no text was extracted from this slide)
Evaluation (3/3)
(evaluation chart; no text was extracted from this slide)
Thanks for listening.
Editor's Notes

  • #7 We would like to create a powerful server which consists of many computers, where each computer has many virtual machines.