Episode 704 – Malware Analysis Sandbox and PC Remote Control over Twitter

Following up on last week’s desktop sandboxing challenge, Darren takes a look at another kind of sandbox — one for malware analysis. Shannon thinks your VNC and SSH servers are pretty spiffy, but how about controlling your computer over Twitter? Free text messaging to your PC, anyone?


Malware Analysis Sandbox

CWSandbox is an automated malware analysis sandbox. It works by running suspected malware samples in a simulated Windows OS. So instead of reverse-engineering the malware’s code to see what it does, we simply run it in a live environment. That way we can monitor all the network traffic the malware generates, the processes it creates, the DLLs it loads, any changes it makes to the Windows registry, and even what it does to the file system.

This is achieved by using a technique called API hooking. That basically means that when the malware calls the Windows application programming interface (API) to say something like “connect to this IP address” or “modify this file”, the call actually goes to CWSandbox’s monitoring software, which logs the action and then forwards the call so the change still happens.

It’s kind of like an operating system man-in-the-middle. For malware.

So once a suspected malware sample is run through the tool you get a computer-generated report of what the executable is actually doing. And this can be fed into anti-virus and intrusion detection systems to monitor for similar behavior.
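As an added example (this is not CWSandbox’s code or anything from the episode), here is a toy behaviour monitor in Python that shows the interposition idea behind API hooking: three library calls stand in for the Windows API functions a sandbox hooks (`open` for the file system, `subprocess.run` for process creation, `socket.create_connection` for network traffic). Each is wrapped so the call is logged and then forwarded unchanged, and the log is grouped into a report afterwards. DLL loading and registry changes have no portable Python equivalent and are left out. The monitored “sample” is a constructed, harmless function, not real malware: it drops a file in a temp directory, launches a child Python process and attempts one connection to loopback port 1, which is normally closed and fails fast.

```python
"""Toy behaviour monitor built on call interposition ("API hooking").

Added example, not CWSandbox code: a few Python library calls stand in for
Windows API functions. Each is wrapped so the call is logged and then
forwarded unchanged, which is the sandbox man-in-the-middle idea.
"""
import builtins
import os
import socket
import subprocess
import sys
import tempfile
from functools import wraps

# Originals captured at import time, used to verify clean unhooking.
_ORIGINAL_OPEN = builtins.open
_ORIGINAL_RUN = subprocess.run
_ORIGINAL_CONNECT = socket.create_connection


def _describe_open(*args, **kwargs):
    path = args[0] if args else kwargs.get("file")
    mode = args[1] if len(args) > 1 else kwargs.get("mode", "r")
    return f"open {path} mode={mode}"


def _describe_run(*args, **kwargs):
    cmd = args[0] if args else kwargs.get("args")
    return "run " + (cmd if isinstance(cmd, str) else " ".join(map(str, cmd)))


def _describe_connect(*args, **kwargs):
    host, port = args[0] if args else kwargs["address"]
    return f"connect {host}:{port}"


class ApiMonitor:
    """Hooks selected calls while active; every event is (category, detail)."""

    # (owner module, attribute name, report category, describer)
    HOOKS = [
        (builtins, "open", "file", _describe_open),
        (subprocess, "run", "process", _describe_run),
        (socket, "create_connection", "network", _describe_connect),
    ]

    def __init__(self):
        self.events = []   # in call order
        self._saved = []   # (owner, name, original) for restoring

    def _hook(self, owner, name, category, describe):
        original = getattr(owner, name)

        @wraps(original)
        def hooked(*args, **kwargs):
            # Log first, so the attempt is recorded even if the call fails.
            self.events.append((category, describe(*args, **kwargs)))
            return original(*args, **kwargs)  # forward: the action still happens

        self._saved.append((owner, name, original))
        setattr(owner, name, hooked)

    def __enter__(self):
        for owner, name, category, describe in self.HOOKS:
            self._hook(owner, name, category, describe)
        return self

    def __exit__(self, *exc):
        for owner, name, original in reversed(self._saved):
            setattr(owner, name, original)
        self._saved.clear()

    def report(self):
        """Group events by category, the shape of a sandbox report."""
        grouped = {}
        for category, detail in self.events:
            grouped.setdefault(category, []).append(detail)
        return grouped


def toy_sample(workdir):
    """Constructed, harmless stand-in for a sample (assumption: not malware)."""
    dropped = os.path.join(workdir, "dropped.txt")
    with open(dropped, "w") as fh:                       # file system action
        fh.write("placeholder content\n")
    try:                                                 # process creation
        subprocess.run([sys.executable, "-c", "print('child')"], capture_output=True)
    except OSError:
        pass
    try:                                                 # network action
        socket.create_connection(("127.0.0.1", 1), timeout=1).close()
    except OSError:
        pass  # refused or blocked; the hook has already logged the attempt


def run_sample_under_monitor():
    """Run the toy sample with hooks in place and return the grouped report."""
    with tempfile.TemporaryDirectory() as workdir, ApiMonitor() as mon:
        toy_sample(workdir)
        return mon.report()


def hooks_restored():
    """True once the monitor has put every original call back."""
    return (builtins.open is _ORIGINAL_OPEN and subprocess.run is _ORIGINAL_RUN
            and socket.create_connection is _ORIGINAL_CONNECT)


if __name__ == "__main__":
    for category, details in run_sample_under_monitor().items():
        print(category)
        for detail in details:
            print("   ", detail)
```

The wrapper logs before forwarding on purpose: a connection that is refused or blocked is still an observable intent, and that is exactly what a sandbox report wants to capture.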

PC Remote Control over Twitter

While there is no denying the power of running your own SSH or VNC server at home for remote access, wouldn’t it be nice if you could simply text message your computer something simple like “Hey, what’s your external IP address?”, “Send me a screenshot” or “Go download this file”?

And if Robin Wood has taught us anything with KreiosC2, it’s that commanding your computer, or even a large botnet for that matter, over social networks is quite possible.

But now it’s time for something a lot more user friendly. This week Snubs investigates TweetMyPC.


  • Nox365

    Hi guys, I love your show,

    However I was disappointed to see that you promoted the program TweetMyPC which is, in my opinion, a terrible piece of software. TweetMyPC uses Twitter’s API which limits the number of times it can check for updates to every 30 seconds.

    Alternatively, it would be very easy to write your own .NET script that would not be limited by such a restriction. So I did it for you below (in C#). The idea is that instead of asking the API for the update, it gets the update on its own by parsing it out of the HTML source code. This can increase the number of times you can check for updates to as many as 6 times a minute. (Granted, it probably is a little more CPU intensive, but I think that the pros outweigh the cons.)

    This example is only meant to give you a general idea of how such a homebrew version could work, but if you are interested it would not take much effort to reproduce all of the functionality of TweetMyPC (and maybe include some other, more nefarious, functions as well).

    Feel free to email me:
    [email protected]

    Example(might be a bit glitchy): http://pastebin.com/EtzTEKuW

    -or download the exe: http://www.mediafire.com/?m1amjgtl3on

    • BasisBit

      Hi Nox365!

      If you had taken a deeper look into the source code of Twitter you would have seen how efficiently it works.

      And there is really no difference in how often you can use the Twitter API compared to checking out the page content, which requires a complete reload every time, because Twitter limits both the same way to a maximum of 150 requests per hour (http://apiwiki.twitter.com/Rate-limiting). Sure, if you try it yourself, you can just reload the page as fast as you want, but after doing this 150 times you will see that, at 6 times a minute as you said, you will be blocked for the rest of the hour after reloading that often for 25 minutes! (150/6=25)

      Now tell me: How do you want to control your computer with your program if your twitter account is blocked?

      You didn’t really listen to what your math-teacher in school told you, did you?

  • Martin

    I really like the way this episode was shot and edited. My favorite part was the GoToMyPC ad/tip. What’s up with the audio on that gamefly spot, though? Snubs still needs a better mic, but it’s nice to see Kerby again. 🙂

  • charles

    Tweetmypc is pretty cool. I made a sniffer dump 😉 what!? .bat throwing it out to a .txt file. Tweet the command and bam, a little network utility on the go. Thanks again guys, very useful here at work.

  • ElDiPablo

    Great episode as always! Sorry to hear about your job Darren, but I am excited to see you try to do Hak5 full time! I also wanted to say thanks for the Windows 7 login tip Snubs mentioned in the GoToAssist spot.

  • soupman

    Shame about being laid off Darren, mad respect for keeping the show alive and doing it full time. Segment about CWsandbox was awesome, gunna try that out 🙂 And snubs, very impressed, you actually found a legitimate use for twitter 😉

    Keep up the good work guys, peace 🙂

  • Bucko

    Very useful information about CWSandbox, like a lot of people I’ve dabbled with Virtualbox and Wireshark for checking out Malware but that service makes it easier and safer.

    For those of us who haven’t been watching the show that long, the other service Darren mentioned was http://www.virustotal.com/

    A while back I heard a rumour that some malware could break out of a VM and infect the host OS, has that ever actually happened in the wild to anyone’s knowledge?

  • soupman

    @xenomorph150 & Mark

    I’m guessing something by pronobozo, does most hak5 theme music. Youtube failed me so I dunno though ¯\(°_o)/¯

  • xenomorph150

    i did check his stuff and the stuff from the “codergirl” writer… but i got nothing from this… ^^’.
    so… any other idea? XD

  • sloth2slow

    TweetMyPC seems really cool, but wouldn’t it be better, at least from a security perspective, if all PC-related info were sent to Gmail instead of Twitter? For instance, the ip command. Do you really want to post your IP for the world to see?

    Wouldn’t it be better if that information went to Gmail instead? Or at least have an ipToEmail command?

    Also, I just wanted to say that you guys are my favorite information show online. However, with the last couple of shows, I’m getting the feeling that the content is getting less in depth. I would much prefer that the content got more hardcore. Every time I launch Hak5, I’m excited, because I’m expecting to learn something.

    eh, maybe I’m just being paranoid. anyway . . . love the show.

    • Darren

      While I’ll agree the last few shows haven’t been as in depth as usual, don’t count Hak5 out just yet. This season is one of a crazy transition and it’s going to take some time to find a balance that works. Stick with it. 🙂

  • xenomorph150

    You should NEVER use your “own” Twitter Account for TweetMyPc.
    Do create a dedicated one and check the Private Settings in the Twitter Options. That way, only invited Ppl can read the Tweets you send – for example your Commands or the Responses to that. Adds a big Amount of Security. And by the way, you should maybe even create your own Gmail Account for that Occasion and use “real” Passwords and not such “password”, “admin”, “0123456789” stuff ;-)…

    On the other hand: Excellent, I love TweetMyPc, I have some bad firewall situation and need an SSH Tunnel to my Work PC – I thought about Reverse SSH (which would be a cool idea for some next show ;-)) – but did not find a way to trigger that – as I did not want to have an “always online” Connection to my Gateway. But with TweetMyPC I found an easy solution. Thanks Hak5 for delivering the right Info on time ;-).

  • sloth2slow

    Yeah, Snubs explained using the alternate account very well. I got that. Just forgot that you could make twitter private. Seems to go against the grain of the whole app, but it’s perfect for something like this. Thanks. 🙂

  • Nox365
    Even though I now realize that TweetMyPC is far better than any program I can make, I am continuing my project just for fun. For those of you who did not see my last post, the idea was to get tweet updates through screen-scraping instead of through Twitter’s API.
    The reasons this would be good are:
    – The program doesn’t need your password
    – It can get updates at faster intervals
    – It is against Twitter’s terms of service…
    – …so therefore it is funner
    But there are also the bad things:
    – It takes more CPU
    – You can’t use a private account
    – It is less reliable

    Again, I will attach what I have so far. It is still in super rough shape and I am only in high school so my coding skills are, shall we say, less than exemplary. (Basically it’s pretty sloppy.)
    However, if you are interested at all, I will include the .exe and the C# source so you can see what’s going on.
    Please comment, or email me, if you have suggestions/criticisms.
    At least let me know if I’m making a fool of myself.
    (BTW: Only tested on my WIN-XP and you need .NET framework installed)
