cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Signatures error in recent version of cuckoo #620

Closed Shiza-Hasan closed 9 years ago

Shiza-Hasan commented 9 years ago

I got a clone of cuckoo today from the GitHub repository with the recent commits, and I updated the signatures repository using the ./utils/community.py command. But I am facing the following error during analysis of a malware sample:

2015-08-17 16:27:39,780 [lib.cuckoo.core.plugins] WARNING: Cuckoo signature style has been redesigned in cuckoo 1.2.This signature is not compatible: packer_vmprotect.
2015-08-17 16:27:39,780 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "persistence_ads":
Traceback (most recent call last):
  File "/home/aserg/new/cuckoo/lib/cuckoo/core/plugins.py", line 351, in process
    if current.run():
  File "/home/aserg/new/cuckoo/modules/signatures/persistence_ads.py", line 27, in run
    for file_path in self.results["behavior"]["summary"]["files"]:
AttributeError: 'ADS' object has no attribute 'results'
2015-08-17 16:27:39,781 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "persistence_autorun" "

Cuckoo gives this warning for all signature files. I used the same signatures with the previous version of cuckoo and they were OK.

jhg commented 9 years ago

Yara version is 2.x or 3.x?

Shiza-Hasan commented 9 years ago

Yara version is 1.6.

liebesu commented 9 years ago

I met the same problem; yara is 2.x.

brad-sp commented 9 years ago

Signatures were broken by this commit: https://github.com/cuckoobox/cuckoo/commit/5d209a40dd67ad5713c9a95cf2a4d434c5a85928

Either some backward compatibility would need to be added, or all the signatures using self.results need to be updated to use self.get_results().

jbremer commented 9 years ago

In addition to @brad-accuvant's comment I'd like to state that signatures have yet to be revived in the master branch. It's on our todo list for the short term though.

dewiestr commented 9 years ago

Even after changing self.results to self.get_results(), all signatures remain broken:

ERROR:lib.cuckoo.core.plugins:Failed to run signature "bot_athenahttp":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 351, in process
    if current.run():
  File "/opt/cuckoo/utils/../modules/signatures/bot_athenahttp.py", line 37, in run
    subject = self.check_mutex(pattern=indicator, regex=True)
  File "/opt/cuckoo/utils/../lib/cuckoo/common/abstracts.py", line 926, in check_mutex
    subject=self.get_mutexes(),
  File "/opt/cuckoo/utils/../lib/cuckoo/common/abstracts.py", line 913, in get_mutexes
    for process in self.get_processes_by_pid(pid):
  File "/opt/cuckoo/utils/../lib/cuckoo/common/abstracts.py", line 817, in get_processes_by_pid
    for item in self.get_results("behavior", {}).get("processes", []):
  File "/opt/cuckoo/utils/../lib/cuckoo/common/abstracts.py", line 790, in get_results
    return self._caller.results.get(key, default)
AttributeError: 'dict' object has no attribute 'results'

dewiestr commented 9 years ago

Could it be that this is the problem:

In lib/cuckoo/core/plugins.py

        for sig in evented_list:
            try:
                sig.run()
            except AttributeError:
                pass
            else:
                log.warn("This signature is still old-style. Removing it: %s", sig.name)
                evented_list.remove(sig)

The exception will never occur, seeing as the Signature class has a predefined run()...
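Added illustration, not Cuckoo's code: a minimal stand-in for the signature base class showing the two points raised in this thread, a `results` property as the backward-compatibility shim @brad-sp suggests (so legacy `self.results[...]` signatures keep working through `get_results()`), and an old-style check that inspects whether the class overrides `run()` instead of executing it and hoping for an `AttributeError`. The class and function names, the `SimpleNamespace` caller and the sample results dict are assumptions.

```python
from types import SimpleNamespace

class Signature(object):
    """Stand-in (assumed) for the signature base class; not Cuckoo's code."""
    name = "base"

    def __init__(self, caller):
        # `caller` must expose `.results`; passing the results dict itself is what
        # produces "'dict' object has no attribute 'results'" in the thread above.
        self._caller = caller

    def get_results(self, key=None, default=None):
        if key is None:
            return self._caller.results
        return self._caller.results.get(key, default)

    @property
    def results(self):
        # Backward-compatibility shim: legacy signatures index self.results directly.
        return self.get_results()

    def run(self):
        # Evented signatures leave run() alone; legacy signatures override it.
        return None

def is_old_style(sig):
    """Old-style iff a class below Signature in the MRO defines run() itself."""
    for cls in type(sig).__mro__:
        if cls is Signature:
            return False
        if "run" in cls.__dict__:
            return True
    return False

class ADS(Signature):
    """Legacy-style signature modelled on the persistence_ads traceback above."""
    name = "persistence_ads"

    def run(self):
        # Flag any file whose name (after the last backslash) carries a ':' stream.
        for file_path in self.results["behavior"]["summary"]["files"]:
            if ":" in file_path.split("\\")[-1]:
                return True
        return False

# Constructed sample results, not real sandbox output.
SAMPLE_CALLER = SimpleNamespace(results={"behavior": {"summary": {
    "files": ["C:\\Users\\u\\a.txt", "C:\\Users\\u\\b.exe:hidden"]}}})
```

With the shim in place, `ADS(SAMPLE_CALLER).run()` returns True and `is_old_style()` classifies it without ever calling `run()`.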

jbremer commented 9 years ago

I guess you're referring to the code that was introduced quite recently by this commit, 852ba54180011fe5465432426cf7144b752acd3a? Regardless, as mentioned, signatures are one of the few things left to fix before we can do an alpha or beta 2.0 release, so it's high on our todo list. If in the meantime you get to do proper fixes, that'd be great, though!

botherder commented 9 years ago

Closing, as the signature engine is currently under development.