#51
Released Buster Sandbox Analyzer 1.09.
Change list:
Added File Signatures feature
Updated LOG_API library
File Signatures provides information about the packer, if any, used to compress a file, or the compiler used to build it.
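As an added illustration of what a "File Signatures" style check does (example code, not part of Buster's post or of BSA itself): this Python walks a PE section table and guesses a packer from well-known section names and per-section entropy. The packer name table, the 7.0 entropy threshold and the minimal PE builder are assumptions of this example, and all samples are constructed.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names some well-known packers leave behind (assumed heuristic table, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0": "UPX", "UPX1": "UPX", ".aspack": "ASPack", ".petite": "Petite"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted sections approach 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes) -> list:
    """Walk the PE section table; return (name, raw_offset, raw_size) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections sits at +6 and SizeOfOptionalHeader at +20 from the PE signature.
    nsect, opt_size = (struct.unpack_from("<H", pe, e_lfanew + o)[0] for o in (6, 20))
    off, sections = e_lfanew + 24 + opt_size, []
    for _ in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
        off += 40  # IMAGE_SECTION_HEADER is 40 bytes
    return sections

def file_signature(pe: bytes) -> dict:
    """File hash plus a packer guess from section names and per-section entropy."""
    sections = parse_sections(pe)
    packers = {PACKER_SECTION_NAMES[n] for n, _, _ in sections if n in PACKER_SECTION_NAMES}
    max_ent = max((shannon_entropy(pe[p:p + s]) for _, p, s in sections if s), default=0.0)
    if not packers and max_ent > 7.0:  # assumed threshold: plain compiler output stays well below
        packers.add("unknown (high-entropy section)")
    return {"sha256": hashlib.sha256(pe).hexdigest(), "sections": [n for n, _, _ in sections],
            "packer": sorted(packers), "max_entropy": round(max_ent, 2)}

def build_sample(names, payloads) -> bytes:
    """Constructed minimal PE (DOS header, COFF header, no optional header, section table, raw data)."""
    nsect, e_lfanew = len(names), 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 0, 0x102)
    table, data, ptr = b"", b"", e_lfanew + 24 + 40 * nsect
    for name, payload in zip(names, payloads):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), 0x1000,
                             len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        data, ptr = data + payload, ptr + len(payload)
    return dos + coff + table + data
```

A real sample would be read from disk with `open(path, "rb").read()` and passed to `file_signature`; the entropy check is what still fires when a packer renames its sections.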

#52

A big thank you to Buster for this analyzer.
I was shopping on Usenet for some tax software. I found it and ran it in the sandbox. As is my practice, I explored the installed files. Everything worked well. No obvious signs of infection. No writing to Windows. No start/run entries. No files created in temp folders. But I still wasn't satisfied. I used Buster's program and reran the install. The program logs were literally laced with created events, DNS queries to Russia, and many hidden processes. Needless to say, I kept it in the sandbox. What's most interesting to me is that there were many users commenting on this app in Newzbin that their scanners showed it clean. There are perhaps hundreds of users with the finest AV apps money can buy, and they downloaded, installed and asserted it was clean. It seems some of the bad guys aren't laying obvious eggs for the scanners to discover.

#53

Quote:

#54

Buster Sandbox Analyzer 1.10 has been released.
As usual it can be downloaded from http://bsa.qnea.de. Last additions: File Hash, File Strings and some other stuff. New features will help malware analyzers in their work.

#55

Haven't commented on Buster Sandbox Analyzer as yet and all I can say is brilliant. Thanks Buster.
__________________
Lean, Mean and Clean! Sandboxie, Buster Sandbox Analyser, Returnil 2008, Microsoft Virtual PC 2007 SP1, Drive Snapshot

#56

Thank you very much for your kind comment, Franklin!

#57

Quote:
A sniffer was included in version 1.08. It checks for DNS requests, it captures FTP logins/passwords, you can view packet data, etc. I hope the feature fulfilled your needs. If not, just let me know your thoughts. Regards.

#58

Released Buster Sandbox Analyzer 1.11.
Change list:
Added File Hex Editor
Version 1.11 includes a built-in hex editor.

#59

Released Buster Sandbox Analyzer 1.12.
Change list:
Added File Scanner
Version 1.12 includes a feature to submit files to VirusTotal to be scanned.

#60

Amazing software, thanks Buster.
Does it work in x64?

#61

Quote:
You're welcome! Works in x64? Good question! I don't know because I only have x86 machines, but I guess it will not be fully supported because I must make an x64 version of LOG_API. Maybe the rest is working fine, but as I say, I don't know for sure. I'll ask someone with an x64 system to test it for me and I'll be back to you as soon as I have a reply, ok?

#62

Quote:
Ok!

#63

nick s, from Sandboxie's forum, has been so nice as to test BSA on an x64 system. He tells me BSA works fine on the platform.
There are only two things not working in 64-bit, but I was expecting that: LOG_API.DLL and the driver to hide Sandboxie. Those two misses mean the following:
* BSA will miss some functionality to detect malware behaviour
* Sandboxie cannot be hidden
A 64-bit version of the DLL may be coded but it's not a trivial task, at least for me. If someone has the knowledge to make the conversion I would send him the source code of LOG_API.

#64

Good news. The next Buster Sandbox Analyzer will contain an updated version of the LOG_API library.
With the new version it will be possible to analyze 32-bit malware properly under an x64 system.

#65

Released Buster Sandbox Analyzer 1.13.
Change list:
Added Process Explorer
Fixed bugs in Buster Sandbox Analyzer and LOG_API library

#66

The LOG_API library contained in version 1.13 works fine with Sandboxie x64, which means Buster Sandbox Analyzer will work properly on 64-bit systems.
The limitations under 64-bit systems are:
* The driver to hide processes will not work, therefore Sandboxie is "visible" to malware.
* The LOG_API library works with 32-bit malware, not with 64-bit. At the moment this doesn't represent a problem because there is no 64-bit malware.

#67

Meriadoc: In version 1.13 I included "Process Explorer", a process viewer, dumper, ...
You had asked for a process analyzer. Is what I included what you had in mind? If not, what could be added?

#68

Released Buster Sandbox Analyzer 1.15:
Change list:
Added Memory Explorer feature
Updated BSA.DAT
Updated LOG_API library
Updated Buster Sandbox Analyzer
Fixed a bug in Buster Sandbox Analyzer

#69

There is a new URL to reach the Buster Sandbox Analyzer web site:
http://bsa.sandboxie.info I think that's easier to remember than bsa.qnea.de.

#71

Meriadoc: Yes, it would be a good time for a new review.
I will release BSA 1.16 soon and it will contain the last feature I had planned to include. Next versions will be more spaced in time and will mainly fix bugs. I feel like I released the first version of BSA a long time ago, but it has been just four months since the first release.

#72

Quote:
What will be new in 1.16?
__________________
Comodo Internet Security (No AV) ZeroVulnerabilityLabs ExploitShield | Trusteer Rapport | TrueCrypt | EMET | Secunia PSI Firefox: Addon security and privacy collection: https://addons.mozilla.org/en-us/fir...den/favorites/

#73

BSA is a great addon for Sandboxie.
I ran some 0day malware and it tracked everything. I'd like to see some sort of hook into Sandboxie so I can start BSA with a right click on Sandboxie. I saw something like that in BSA but it didn't work for me. Excellent application.
__________________
Setup For My Lenovo Ideapad Z575 12992KU
OS: Opensuse 12.3(KDE) Spideroak | Nvpy | syncBackup(Rsync) | AirVPN | Glippy | Clementine | Thunderbird | Chromium w/ Vimium | Autokey | LFTP

#74

Quote:
Maybe you know Sandboxie stores the changes made to the Windows registry by sandboxed applications in a file named "RegHive". In 1.16 I will add "Reg Hive Explorer", a feature to visualize the contents of Sandboxie RegHive files. There are other RegHive viewers but this one will be the only one in the world specifically designed for Sandboxie.

#75

Quote:
Thanks for the kind words! Do you mean you tried "Options -> Windows Shell Integration -> Add right-click ..." and that it didn't work?