Quick and dirty configuration of Viper to add "cloud" support
Introduction

Viper is an open source framework designed to assist malware analysis. You can find more information here. I really like this framework and use it every day. However, it cannot natively be used in the "cloud": Viper does not provide a server or multi-user support. I'll describe here a configuration that adds this feature.

PS: I know this solution is ugly and neither perfect nor extremely secure. No need to contact me regarding this issue ;)
Architecture overview

Viper uses a specific directory to store a project:

    viper_path/projects/project_name

and a SQLite database in this directory:

    viper_path/projects/project_name/viper.db

In my configuration, the project's directory is a WebDAV filesystem. WebDAV is a filesystem over HTTP; this protocol is supported by Apache, and the filesystem can be mounted on Linux systems using FUSE. Since using SQLite with concurrent access is not really convenient, I decided to switch to a MySQL backend.
You will find the configuration of each component in the next chapter.
In my configuration, I created 3 projects:

- project1 (accessible by user1),
- project2 (accessible by user2),
- project3 (accessible by user1 and user2).
MySQL

The MySQL configuration is really simple. The purpose is to create a database for each project (with the viper_ prefix). I decided to use the MySQL user and password defined in the mysql.user table. The advantage is to have a single username and password for both WebDAV and MySQL authentication. The users must have all privileges on their authorized projects. In the statements below, 'hostname' is the host the Viper clients connect from; the account must be created for the same host that the GRANT statements name, otherwise the grants apply to a different account:

    CREATE USER 'user1'@'hostname' IDENTIFIED BY 'password1';
    CREATE USER 'user2'@'hostname' IDENTIFIED BY 'password2';

    CREATE DATABASE viper_project1;
    GRANT ALL PRIVILEGES ON viper_project1.* TO 'user1'@'hostname';
    CREATE DATABASE viper_project2;
    GRANT ALL PRIVILEGES ON viper_project2.* TO 'user2'@'hostname';
    CREATE DATABASE viper_project3;
    GRANT ALL PRIVILEGES ON viper_project3.* TO 'user1'@'hostname';
    GRANT ALL PRIVILEGES ON viper_project3.* TO 'user2'@'hostname';

WebDAV server

WebDAV support can easily be enabled in Apache by adding DAV On to the configuration file. In the example, /var/www/viper (served under /viper/) is the root directory of all projects:
    <Directory /var/www/viper>
    	AuthBasicAuthoritative Off
    	AuthUserFile /dev/null
    	AuthName "WebDAV authentication"
    	AuthType Basic
    	AuthMySQL On
    	AuthMySQL_Host localhost
    	AuthMySQL_DB mysql
    	AuthMySQL_User user_web
    	AuthMySQL_Password password1234
    	AuthMySQL_Password_Table user
    	AuthMySQL_Username_Field User
    	AuthMySQL_Password_Field Password
    	AuthMySQL_Encryption_Types MySQL
    	AuthMySQL_Authoritative On
    	Require valid-user
    </Directory>
    
    <Directory /var/www/viper/project1>
    	DAV On
    	Require user user1
    </Directory>
    
    
    <Directory /var/www/viper/project2>
    	DAV On
    	Require user user2
    </Directory>
    
    <Directory /var/www/viper/project3>
    	DAV On
    	Require user user1 user2
    </Directory>
    
The first stanza is the configuration needed to authenticate users against the MySQL database. For each project, I declared that WebDAV is activated and which users are allowed to access the filesystem (using the Require keyword). Note: instead of naming each user, we can create a group table and use it to manage the permissions.
Viper configuration: mount the filesystem

To mount the WebDAV filesystem, I use the "fusedav" command. To list the projects available to a given user, I placed a script at /viper/ that simply lists the available projects once the user is authenticated:

    paul@laptop:~/Tools/scripts$ cat mount_projects.sh 
    #!/bin/bash
    # patched version of course
    url="https://192.168.0.1/viper"
    dir="/home/paul/viper/projects"
    read -p "Username: " username
    read -s -p "Password: " passwd
    echo
    # Note: the password given to curl -u and fusedav -p is visible in the
    # process list (ps) while these commands run.
    # Check the credentials first: the server answers 200 only once authenticated.
    # -k skips certificate verification (self-signed certificate on the server).
    code=$(curl -k -sL -w "%{http_code}\n" -u "$username:$passwd" "$url/" -o /dev/null)
    if [ "$code" != "200" ]
    then
      echo "Bad username/password"
      exit 2
    fi
    # The script served at /viper/ returns the project names, one per line.
    list=$(curl -s -k -u "$username:$passwd" "$url/")
    for i in $list
    do
       [ -d "$dir/$i" ] || mkdir -p "$dir/$i"
       fusedav -u "$username" -p "$passwd" "$url/$i/" "$dir/$i" &
    done

Each project is mounted under Viper's projects/ directory.
Viper configuration: connect to the MySQL database

The next step is to patch Viper so that it uses MySQL instead of SQLite:
    viper/viper/core/database.py
    - self.engine = create_engine('sqlite:///{0}'.format(db_path), poolclass=NullPool)
    + url="mysql://user1:passwd1@192.168.0.1:3306/viper_"+__project__.name
    + self.engine = create_engine(url, poolclass=NullPool)
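Review bot: the added URL line hardcodes the credentials and the host (user1:passwd1@192.168.0.1:3306), so every user has to keep a private patch of database.py and the password lives in the source tree; read them from a configuration file or the environment instead. If `__project__.name` can be unset for the default project, `"viper_"+__project__.name` also fails on the concatenation, so fall back to a fixed database name in that case. Finally, `mysql://` needs a MySQL driver installed for SQLAlchemy (its default dialect for that scheme is MySQLdb).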
    
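As an added example (not Viper's code and not part of the original post), here is how the engine URL could be built from the environment rather than hardcoded in database.py: the project name is validated before it becomes part of the database name, the unnamed default project gets its own database, and the password is URL-encoded so characters such as '@' or '/' cannot corrupt the URL. The variable names VIPER_DB_USER, VIPER_DB_PASSWORD, VIPER_DB_HOST and VIPER_DB_PORT, and the viper_default name for the unnamed project, are assumptions of this example; the viper_ prefix, the 192.168.0.1:3306 defaults and the NullPool setting come from the setup above.

```python
import os
import re
from urllib.parse import quote_plus

# Project names end up inside the database name, so restrict them to the
# characters MySQL accepts in an unquoted identifier (assumption: Viper
# project names produced by the directory listing fit this pattern).
_PROJECT_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,50}$")


def database_name(project_name):
    """Map a Viper project to its MySQL database using the viper_ prefix.
    The unnamed default project maps to viper_default (an assumption of
    this example, not a name Viper itself uses)."""
    if project_name is None:
        project_name = "default"
    if not _PROJECT_NAME_RE.match(project_name):
        raise ValueError("invalid project name: %r" % (project_name,))
    return "viper_" + project_name


def mysql_url(project_name, user, password, host="192.168.0.1", port=3306):
    """Build the SQLAlchemy URL for one project; user and password are
    URL-encoded so they cannot break the URL syntax."""
    return "mysql://%s:%s@%s:%d/%s" % (
        quote_plus(user), quote_plus(password), host, int(port),
        database_name(project_name))


def mysql_url_from_env(project_name):
    """Read the credentials from the environment (hypothetical variable
    names) instead of keeping them in the source tree."""
    user = os.environ.get("VIPER_DB_USER")
    password = os.environ.get("VIPER_DB_PASSWORD")
    if not user or not password:
        raise RuntimeError("VIPER_DB_USER and VIPER_DB_PASSWORD must be set")
    return mysql_url(project_name, user, password,
                     host=os.environ.get("VIPER_DB_HOST", "192.168.0.1"),
                     port=int(os.environ.get("VIPER_DB_PORT", "3306")))


def make_engine(project_name):
    """Counterpart of the patched create_engine() call. sqlalchemy is
    imported lazily so the URL helpers above work without it installed."""
    from sqlalchemy import create_engine
    from sqlalchemy.pool import NullPool
    return create_engine(mysql_url_from_env(project_name), poolclass=NullPool)
```

In database.py the engine would then be created with make_engine(__project__.name); the MySQL account used is still the per-user one created in the MySQL section, so the GRANTs decide which project databases a given user can open.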
Viper configuration: extra

Viper generates a history file in the project's directory. If multiple users are connected to the same project, the file would be shared between all of them, which is not useful, so I decided to add my first name as an extension to the history file:
    viper/viper/core/ui/console.py
    - history_path = os.path.expanduser('~/.viperhistory')
    + history_path = os.path.expanduser('~/.viperhistory.paul')
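Review bot: the `.paul` suffix is a literal, so this change has to be re-applied by hand in every user's checkout; deriving it from the login name (for example `os.path.expanduser('~/.viperhistory.' + getpass.getuser())`) lets one patch serve everybody. Note also that the `-` line already expands `~`, so the history file sits in the Unix user's home directory rather than in the project's directory; the suffix therefore only matters where several people share one account on the analysis host.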
    
Conclusion

This is not a perfect solution, but thanks to this configuration I can easily use Viper on a centralized server with colleagues. After using this solution for a few days I did not identify any bugs (except some slowness due to the WebDAV remote filesystem).

    P.