Merry Christmas, Happy New Year and Season’s Greetings to you all. This is my final post of the year. Next year I am hoping to post more content on a regular basis. I’m upgrading the lab at home and rebuilding it from the ground up. I have prepped most of the Virtuals and have documented their build process and usage, so expect to see a lot of those. I’ll be starting with an IDS build, so that’s what you can look forward to. In the meantime, more Viper...
Viper is one of my most active projects at the moment, and I have spent the last several weeks working on making Viper easier to use whilst maintaining as much functionality as I could. If you don’t know what Viper is, have a look at my previous post: https://techanarchy.net/2014/08/viper-binary-management-and-analysis-framework/
The end result is a web interface that works alongside the command line interface. It doesn’t provide all the functionality of the CLI (yet) but it’s not far off. The web interface is project aware, which means you can switch between and create projects without having to run a new instance.
Searching and tagging is also project aware so you can optionally search across all projects when looking for files or hashes.
Installation is no different to the standard install; the only difference is that you start the web console instead of the command line console. By default it runs on localhost port 9090; you can change this via the command line or within the web.py file.

    thehermit@viper:~/viper$ python web.py
    Bottle v0.12.7 server starting up (using WSGIRefServer())...
    Listening on http://localhost:9090/
    Hit Ctrl-C to quit.

This will run a local web service on port 9090 accessible from localhost only.

    thehermit@viper:~/viper$ python web.py -H 0.0.0.0 -p 8080
    Bottle v0.12.7 server starting up (using WSGIRefServer())...
    Listening on http://0.0.0.0:8080/
    Hit Ctrl-C to quit.

This will run a local web service on port 8080 that is accessible via any IP address on the device, so other machines that can reach the host over the network can reach it too.
Now simply point a browser at http://ipaddress:port and you should see Viper.
Projects allow Viper to separate files into logical groupings based on your need. So if you’re dealing with something very specific and you don’t want to mix it with all your other samples, create a new project and it will isolate all the files. Creating projects via the web interface is done in the top right of the Nav bar: enter a new name, submit, and you’re now sat in your new project. Any files will be sent here and not into the main repository.
Switching between projects is a matter of selecting the project name from the dropdown in the Nav bar.
This should be fairly self-explanatory: you can upload single or multiple files, and unpack zipped files with an optional password. You can also load a file or web page directly via a URL.
As mentioned above searching can be project aware, meaning it will search across all projects it can find. You can search for the following types:
The main page allows you to navigate through all the samples in the currently loaded project. Selecting a file will take you to its individual page, where Viper really starts to show its fangs.
The static page displays all the typical file information you would expect to find: names, hashes, etc.
This page also allows you to download the sample or send it to a Cuckoo instance (this will be covered in a future post).
The final thing of interest on this page is the Tags. You can add tags or click on a tag name to see all other files that have been tagged the same.
Notes is simply a place to add notes. Not sure what else I can say there.
Modules is the core of Viper. It allows you to run most of the community-created modules and see their output. Not all the modules or options that are present in the command line are available in the web interface. These are typically commands that export data. A future release will add support for these features.
Modules are run by selecting the module, then its option, from the drop down selectors. Running the selected option will dump its output into the output field below. Each command is appended to the module output until you leave the page or hit the clear button.
The final tab on this page view is a simple hex representation of the data. It’s manually loaded in 256 bytes at a time. Again, a future release will allow you to specify specific offsets to jump to or display.
The YARA page, accessible from the Nav bar, allows you to view, edit and create new YARA rules that can be used from the Modules interface. Rules that match your files will automagically add a tag to that file for future reference.
It’s important to note that there is currently no validation on YARA rules, so if you break a rule you will break the YARA scanner available at the Modules interface.
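One way to guard against a broken rule until validation lands, shown here as an added example and not code from Viper itself: compile the edited rule first and only replace the file on disk if it compiles. It assumes the yara-python package is installed; the function names, file name and sample rules are made up for illustration.

```python
import os
import tempfile


def yara_compile(source):
    # Default compiler: yara-python (assumed installed), imported lazily.
    import yara
    return yara.compile(source=source)


def save_rule_if_valid(rule_path, new_source, compile_fn=yara_compile):
    """Replace rule_path with new_source only if new_source compiles.

    Returns (True, None) on success or (False, error_text) on failure;
    on failure the rule file on disk is left untouched.
    """
    try:
        compile_fn(new_source)
    except Exception as exc:  # yara.SyntaxError / yara.Error by default
        return False, str(exc)

    # Write beside the target, then rename atomically so the scanner
    # never loads a half-written rule file.
    directory = os.path.dirname(os.path.abspath(rule_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(new_source)
        os.replace(tmp_path, rule_path)
    except OSError:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return True, None


if __name__ == "__main__":
    # Constructed sample rules: the second has no condition section.
    good = 'rule demo_ok { strings: $a = "MZ" condition: $a at 0 }'
    broken = 'rule demo_broken { strings: $a = "MZ" }'
    path = os.path.join(tempfile.mkdtemp(), "demo.yar")
    print(save_rule_if_valid(path, good))
    print(save_rule_if_valid(path, broken))
    print(open(path).read())  # still the good rule
```

The error text returned on failure can be shown to whoever is editing the rule, so the previous working rule stays in place while they fix it.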
For those of you who don’t have the facilities to spin up your own Viper instance, or if you just want to have a play, I am running a free web instance that has been preloaded with a handful of malware samples. Most of the functionality is in place; some was removed for the sake of security. On that note, if you do find a bug or vulnerability, please don’t abuse it. Let me know on firstname.lastname@example.org
The service is provided free and public for as long as it is not abused.
The usual HazDat applies.
Malware samples are available for download by any responsible white hat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.
If you have uploaded a file you wish to be removed, email me on email@example.com
A final Merry Christmas and Season’s Greetings. See you in 2015.
As usual, Questions, Queries, Comments below.