Introducing: Tycho Malware Forensics Suite

Posted on May 17, 2018 by Tor Lund-Larsen

The Cyberus Tycho Malware Forensics Tool is now available for purchase.

Tycho is a uniquely powerful malware forensics tool suite that aids and expedites the work of manual malware analysts and software reverse engineers: a malware debugger on steroids.


Tycho Overview

Tycho is undetectable by default: the target OS is fully virtualized and encapsulated, so no artifacts, files or agents are left in the target system for malware to identify.

Tycho offers Semantic Breakpoints, letting analysts design and configure their own advanced "behavioral" breakpoints during analysis, based on their own know-how and experience of how malware works.

Tycho has a very short learning curve thanks to seamless integration with existing reverse engineering tools such as IDA Pro and Volatility, while extending those tools with better controls and new capabilities.

Tycho supports faster work processes and the reuse of past work through a full-blown Python automation API.

Getting Started

The Tycho setup consists of two computers: an analyst system and a target system, connected over a dedicated communication channel (serial or Intel AMT). The analyst system hosts the debugger tools, while the target system runs an unchanged Windows 7 (64-bit) operating system hosting the malware under analysis. On the target system, the SuperNOVA Virtual Machine (VM) runs underneath the Windows OS.

Tycho System Setup

The heart of the analyst side of Tycho is the Tycho Server, which manages the connection to the target system. The Tycho Server lets an analyst seamlessly interact with and control the Tycho introspection engine running on the remote target system, allowing forensic analysis of malware without the risk of contaminating the analyst platform.

Tycho Communication Channel

Why Tycho?

Comprehensively Stealthy and Undetectable

Tycho is for all practical purposes undetectable by malware because the target OS, unlike in VirtualBox or other virtualization environments, is 100% unchanged. The OS contains no artifacts, agents, files or other identifiers that malware can use to detect that it is running in a sandbox or debugger environment.

As a consequence, malware that checks for sandboxes or debuggers still executes its malicious payload, and the analyst saves the time and effort it takes to patch the malware until it executes.

Tycho achieves this stealth through SuperNOVA, a tiny pass-through hypervisor operating system that virtualizes and encapsulates the complete OS, its applications and, with them, the malware under analysis.

Full System Encapsulation

Enables efficient code disassembly through custom Semantic Breakpoints

Semantic Breakpoints, enabled by the SuperNOVA Virtual Machine Introspection engine, allow analysts to use their experience to define and set behavioral, high-order breakpoints that stop program execution at a desired point. This avoids endless, time-consuming searches through the program code to find the right entry point.

Analysts can compile their own rulesets of semantic breakpoints from their own knowledge; these can then be shared among analysts and quickly reused to automate tasks that were previously regarded as tedious. This way, Tycho lets analysts tap into their own contextual knowledge of how malware must or should work, putting the analyst's competence and creativity in charge of the tools rather than the opposite.
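To make the idea concrete, here is an added illustration of what a behavioral breakpoint looks like as code. It is not Tycho's Python API and not the project's code: a breakpoint is modelled as a predicate over the current introspected event plus the process history seen so far, replayed over a constructed trace of decoded Win32 API calls. The event shape, the two rules and the sample trace are assumptions made for this example.

```python
"""Model of a 'semantic breakpoint': halt on a behavioural condition over
introspected events instead of on a code address.

Added example; this is not Tycho's Python API and not the project's code.
The event shape (pid, API name, decoded arguments, return value) and the
sample trace are constructed here for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


@dataclass(frozen=True)
class Event:
    """One API call as an introspection engine might report it (assumed shape)."""
    seq: int
    pid: int
    api: str
    args: Dict[str, object]
    ret: int


@dataclass
class ProcessState:
    """Facts accumulated per process from earlier events; conditions read from it."""
    rwx_regions: Dict[int, int] = field(default_factory=dict)  # base -> size
    written_rwx: Set[int] = field(default_factory=set)         # bases written to

    def region_for(self, addr: int) -> Optional[int]:
        for base, size in self.rwx_regions.items():
            if base <= addr < base + size:
                return base
        return None


def update_state(ev: Event, st: ProcessState) -> None:
    """Fold one event into the process history."""
    if ev.api == "VirtualAlloc" and ev.args.get("protect") == PAGE_EXECUTE_READWRITE and ev.ret:
        st.rwx_regions[ev.ret] = int(ev.args["size"])
    elif ev.api in ("WriteProcessMemory", "NtWriteVirtualMemory"):
        base = st.region_for(int(ev.args["address"]))
        if base is not None:
            st.written_rwx.add(base)


@dataclass(frozen=True)
class SemanticBreakpoint:
    name: str
    condition: Callable[[Event, ProcessState], bool]


def thread_into_written_rwx(ev: Event, st: ProcessState) -> bool:
    """Break when a thread is started inside an RWX region the process wrote to
    earlier: the shape of unpacked or injected code about to run."""
    if ev.api not in ("CreateThread", "CreateRemoteThread"):
        return False
    base = st.region_for(int(ev.args["start"]))
    return base is not None and base in st.written_rwx


def run_key_persistence(ev: Event, st: ProcessState) -> bool:
    """Break on a write to a Run key, whatever the value name or payload path."""
    key = str(ev.args.get("key", "")).lower()
    return ev.api == "RegSetValueExW" and "\\currentversion\\run" in key


def run_until_break(events: List[Event],
                    breakpoints: List[SemanticBreakpoint]) -> Optional[Tuple[str, Event]]:
    """Replay events; return (breakpoint name, event) for the first hit, else None.
    A condition sees the current event plus the history accumulated before it."""
    states: Dict[int, ProcessState] = {}
    for ev in events:
        st = states.setdefault(ev.pid, ProcessState())
        for bp in breakpoints:
            if bp.condition(ev, st):
                return bp.name, ev
        update_state(ev, st)
    return None


# Constructed trace of one process (not real data): open a document, allocate
# RWX memory, write into it, start a thread there, then persist via a Run key.
SAMPLE_TRACE = [
    Event(1, 4242, "CreateFileW", {"path": "C:\\Users\\victim\\Desktop\\invoice.doc"}, 0x1A4),
    Event(2, 4242, "VirtualAlloc", {"size": 0x3000, "protect": PAGE_EXECUTE_READWRITE}, 0x7FF00000),
    Event(3, 4242, "WriteProcessMemory", {"address": 0x7FF00100, "length": 0x1800}, 1),
    Event(4, 4242, "CreateThread", {"start": 0x7FF00100}, 0x2B8),
    Event(5, 4242, "RegSetValueExW",
          {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"}, 0),
]

BREAKPOINTS = [
    SemanticBreakpoint("thread-into-written-rwx", thread_into_written_rwx),
    SemanticBreakpoint("run-key-persistence", run_key_persistence),
]

if __name__ == "__main__":
    hit = run_until_break(SAMPLE_TRACE, BREAKPOINTS)
    if hit:
        name, ev = hit
        print(f"break '{name}' at event {ev.seq}: {ev.api} {ev.args}")
```

Run against the sample trace, the first rule fires at event 4, the CreateThread into memory the process had itself made executable and written; the Run-key rule would fire at event 5 if used alone. The point is that neither rule names an address: the same ruleset applies unchanged to a repacked or relocated sample, which is what lets it be shared between analysts. In a live VMI setting the trace would be fed as it happens and a hit would pause the VM rather than return.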

Crossing the Semantic Gap

Enhances standard forensics tools

Tycho interacts seamlessly with the standard debuggers and memory forensics tools such as IDA Pro, Volatility, Radare etc., so the work environment that malware analysts and first responders know (and love) is unchanged, except that new tools and capabilities have been added to the tool suite.

Tycho enhances the power of existing cyber forensics tools which every malware analyst already has.

Tycho Tools Ecosystem

Easy learning curve

Because Tycho interoperates with the standard malware forensics tools through a GDB interface, there is almost no learning downtime. All you have to do is install Tycho and your existing toolbox immediately has new and enhanced capabilities.

Provides easy-to-use analysis process automation through a Python API

Tycho lets the analyst or incident responder focus on the real forensics work by providing a range of options to automate away repetitive analysis steps through a full-blown Python API.

We already blogged about early tech previews of the Python API. See, for example, how to…

Made in Germany, Open Source Pass-Through Hypervisor

Tycho is based on NOVA, an open source microkernel hypervisor developed in Germany.

Tycho Installation & Set-up Requirements

Installing the Tycho malware forensics system is very easy whether you use Linux or Windows.

Although not required, for convenience Cyberus Technology provides Docker images for both the analyst system and the target system. For the analyst system, the Docker image contains all the software for the Tycho Server and handles the communication between the two hardware systems.

On the target system, the SuperNOVA virtualization platform boots before Windows, so the target boots over the network from a preconfigured DHCP and TFTP server. Booting the target platform from a USB stick is also possible.

You will get a ZIP file that contains the software itself along with the manual, the API documentation and example Python scripts that demonstrate the Tycho API. Cyberus Technology provides detailed examples and a step-by-step guide for getting started quickly with your setup.

Feedback from our trial customers suggests that the installation process is very easy and straightforward and usually completed in less than an hour.

To get going with the Tycho malware forensics suite the following hardware is required:

  • Your analyst PC (Linux/Windows), onto which the Cyberus Tycho Server is installed.
  • A serial or Intel AMT link connecting the analyst and target systems.
  • Target system: Intel VT-x capable hardware running the Cyberus SuperNOVA virtualization platform and introspection engine. (Tycho 1.0 supports the Intel NUC NUC5i5MYHE/NUC5i5MYBE; more systems coming soon.)

Interested?

If you’d like us to send you a 15-day test license to try out the Tycho malware forensics suite, please contact our customer support team.