Cuckoo Sandbox keeps open source malware analysis moving

New release sets the stage for even greater scale and features.

I am back from my annual pilgrimage to Vegas for Security Week. Between Black Hat, DefCon and BSides Las Vegas, a critical mass of the infosec universe is on hand, and it is always a great learning experience in addition to a great time. I wanted to highlight a few things you probably haven't read about yet that I learned in Vegas.

The first is the next release of the Cuckoo Sandbox malware analysis tool. I first wrote about Cuckoo a few months back when it was selected as one of the inaugural Magnificent 7 winners by Rapid 7. I then did a follow-up Open Network Podcast with the founder of Cuckoo, Claudio Guarnieri, which you can listen to here.

Guarnieri was out in Vegas for the conferences, so I had a chance to finally meet him in person. It was interesting speaking to the founder and lead developer of a successful open source project. Claudio lives in Amsterdam and is a security researcher by trade (in fact, he recently took a position with Rapid 7). He started Cuckoo Sandbox to help himself with his research and to help others like him. He had very modest goals for the project. In fact, when he won the Magnificent 7 award he didn't even go out and spend all the money. But winning the award, as well as the number of people and companies that have come to use the product, has shown him that he needed to redo some things.

This new version of Cuckoo (version 0.4) has a lot of the basic plumbing redone. Claudio realized that if it were to continue growing and meeting people's needs, Cuckoo would need to be much more scalable and reliable, with the ability to add more features in the future. So he, primarily, with the help of one or two others, has spent the last six months rewriting much of Cuckoo to achieve these goals. Now Claudio says that future versions of Cuckoo will be much easier to develop and will have much greater stability and more features.

One thing I was surprised at was when Guarnieri told me that many companies are now starting to embed Cuckoo Sandbox in their malware analysis tools. I asked him how this made him feel. They were packaging and selling the code that he worked so hard on, and he was not making any money on it. This is something that I have known to upset open source developers in the past. But not Claudio; he was honored that they would include his code in their products. As long as they abide by the rules of the license he is fine with it and wishes them continued success and profit using the fruits of his labor.

I guess that is the right attitude to have if you are going to develop open source software. But I still find it somewhat surprising. In any event, Claudio is most proud of all the malware that has been discovered using Cuckoo Sandbox. It really has become a very useful tool not only for him, but for security researchers the world over.

I spoke with Marcus Garvey of Rapid 7, who has a lot of ties to the U.S. government infosec community, and he was surprised at how many government types were using the product. Claudio says that while most of those contributing code come from Europe, most of the users are actually from the U.S. The fact that people the world over were using Cuckoo, though, was still humbling and amazing to him.

So Cuckoo seems to be well on its way to becoming a staple in the security research community. Another solid open source project developed for the right reasons and a useful tool for many.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.