We’ve had quite a few upgrades to Minotaur this weekend. First, and most noticeable on the homepage, is a display of recently analyzed network communications of malicious samples. If you click on a particularly interesting map, it will take you to the report for that sample.
Next, you can now search for samples by their MD5, SHA1 or SHA256 hashes, which will hopefully improve the usefulness of the search system.
Lastly, the backend that generates the videos, screenshots, tcpmaps and dynamic analyses had a major flaw in the way files were copied into the environment, which was preventing some of the samples from having full data. This bug has been fixed, which should lead to a more consistent level of analysis of EXE files.
Hopefully many more updates on the way.
The anti-malware DNS aggregator is back online on a completely new backend, and statistics should be rolling in very shortly. I’m running the entire domain database through the new system, so there will be a large spike in detections over the next few days. Please, if you know of any more services we can add to this aggregator, let me know.
Minotaur uses several virtualization technologies from different vendors. In case this is useful for others setting up their own dynamic analysis environments, I thought it would be a good idea to chronicle some of our efforts here.
On our workstations we run a combination of VMware, VirtualBox, and Parallels, depending on the specific needs of the analyst. I think on the workstation side these solutions are so similar that we don’t really have a favorite.
Our dynamic analysis is split into two parts: one side runs samples through ZeroWine on 24 VMs running in Proxmox, and the main Windows runtime analysis is performed in Cuckoo, running in VirtualBox on a dedicated server.
Our primary infrastructure runs on two Proxmox nodes. This infrastructure covers the collectors, databases, analyst workstation VMs, and the data environments. Proxmox gives Minotaur great VM density and allows us to run more than 60 active virtual machines on two off-the-shelf hardware nodes. Until very recently, all of the storage was local to the servers, so even though Proxmox features live migration capabilities, we were unable to use them in-house.
Enter our new storage array from Synology, the DS1812+. The Synology box gives us the ability to centralize our storage using iSCSI LUNs while still being a pretty affordable solution.
So the idea was that I would just migrate some of the Proxmox nodes to central storage so that we would have better availability and load-balancing capabilities. But then I became aware of some of Citrix’s current offerings, namely XenServer and XenDesktop, including the free versions of each. I especially took notice of the management capabilities of the systems using Windows consoles. I can also see how direct Citrix access to the workstations would be of great value to our analysts. So I decided to start a pilot. I’ve since offloaded two of our physical servers that were running internal infrastructure to the Synology box, loaded XenServer on the first, and will load the second one up as a Windows server to run the XenDesktop components in the near future.
So far the setup has been very easy after getting used to the different conventions. Setting up all the VLANs was easy, and setting up the iSCSI LUN was a snap as well. I decided to try running a conversion for the first box, so I converted a Linux Mint VM from VMware Workstation. This did not go so well, but I would not use a converted machine for production anyway; it is always best to build a clean image on the target architecture. I would also guess that a Windows workstation would have gone more smoothly, as that’s usually what conversion tools are catered toward.
Having installed the first server VM and set up the guest tools, everything looks to be running pretty smoothly now.
Minotaur is up for a rewrite of the backend components as we move to the current versions of Cuckoo that include MAEC reporting (among other significant improvements), which will hopefully increase Minotaur’s benefit to the community. With major components being upgraded and re-tooled for this environment, now seemed like a good time to review our options for the entire infrastructure. It will be a while before any decisions are made and we know what fits our needs best, but I do like playing with new technologies.