Running Cuckoo on Amazon AWS

[xulifan]

I can install cuckoo, but I cannot setup Virtualbox or VMware. Did anybody set it up successfully? Thanks.

[jbremer]

Amazon AWS is using the Xen hypervisor. You can't run VirtualBox inside a Xen hypervisor unfortunately ;-)
I'm not sure about VMWare, but an alternative solution would be to use QEMU. Or of course just get a dedicated server which is what you want anyway :-)

[simonk9]

think of it from aws point of view, they sell you virtual machines.
if you could run vm inside their vm, you would buy less machines.
you can give https://www.ravellosystems.com/ a try
they use aws servers with custom framework, you can even run your own virtual ESXi server, but this is outside your aws account, so most likely not what you are looking for.

[xulifan]

Hi, I have successfully set cuckoo up in Amazon EC2. I installed cuckoo on one Ubuntu instance and use another Windows instance as the guest machine. Then I specify physical instead of virtualbox in cuckoo.conf and fill the IP address or so. So it is able to do the simulation

[jbremer]

@xulifan Do you have any numbers on "cloud costs" per analysis or so?

[xulifan]

No, I just use free instances for now. So it is all free.

[jbremer]

That's cheating! :-D

[botherder]

That's pretty cool. Would be very useful to have a section on the documentation to explain this.
My only concern really, is that running malware on EC2 instances might be against the terms of service. Have you checked that?

[sabriedd]

Obviously, the legal terms does not permit such a thing ... the minimal consequence regarding the Customer agreement is temporary suspension of the AWS account. So, alas it is not possible to run cuckoo on Free tier EC2 instance without infringing the ToS.

infringement to the AWS Acceptable Use Policy :

- Illegal Activities : Any illegal activities, including advertising, transmitting, or otherwise making available gambling sites or services or disseminating, promoting or facilitating child pornography.
- Harmful or Fraudulent Activities : Activities that may be harmful to others, our operations or reputation, including offering or disseminating fraudulent goods, services, schemes, or promotions (e.g., make-money-fast schemes, ponzi and pyramid schemes, phishing, or pharming), or engaging in other deceptive practices.
- Infringing Content : Content that infringes or misappropriates the intellectual property or proprietary rights of others.
- Harmful Content : Content or other computer technology that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, time bombs, or cancelbots.
- Interception : Monitoring of data or traffic on a System without permission.
- Denial of Service (DoS) : Inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective.
- Intentional Interference : Interfering with the proper functioning of any System, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques.
- No E-Mail or Other Message Abuse.

[GelosSnake]

Instead of breaking the terms of AWS, you can use the same scenario on ravello. https://www.ravellosystems.com/
https://www.ravellosystems.com/blog/malware-analysis-remnux/

[FuzzyWaffler]

Unless Im missing somethin, the Cuckoo box does not break any of those terms.

It is not illegal- fully free software
It is not harmful - Cuckoo can be set to delete all malware samples
It is not infringing on content - Free Software
It is not harmful - Cuckoo blows up malware in a VM and then shoots out the report
It is not a DDOS - Setup your cuckoo to only talk to itself...
Intentional Interference - Dont set it up to push to sites that arnt yours

No Email/message abuse - Dont send stuff to other people

AKA ...WTF mate -- Stop miss leading tinkerers

---

Official AWS response - https://forums.aws.amazon.com/thread.jspa?threadID=153249

[zashraf1337]

Did anyone get further clarification?
@FuzzyWaffler the forums links have not answered the question yet :)

[FuzzyWaffler]

It seems like there's good money to be made in this area.

We might not get a solid answer because there are so many potential what ifs. From what I've seen they don't have visibility to what you run. If it does something illigal be ready to accept the punishments. I'd make sure your box cannot connect out

[79617261]

@xulifan Did you have to modify the cuckoo setup to save snapshots of your windows "guests"?

[ghost]

Hi,

Glad to see this issue still is open after this long. I was wondering, following xulifan's comment, how is it possible to control Windows instances from a Cuckoo instance in AWS?

I read the physical.conf file and the Fog documentation and as far saw I know, the only way to do it is using Fog but it's not possible to restore an image using Fog in AWS as EC2 instances don't support PXE boot.

So is there something I am missing? Because if there is a workaround, it would save me a lot of trouble. I'm currently running the whole thing on a physical server and I'm limited by hardware and space. If I could host this on AWS, it would make things way easier!

Thanks!

[devvvlanger]

Here's Amazon's response regarding cuckoo on AWS

https://forums.aws.amazon.com/thread.jspa?threadID=153249

[vector-sec]

@xulifan would you be willing to share more information about how you got things setup in AWS EC2? I'm trying to do the same thing.