Norman SandBox with early detection of security risk created by DRM protected Sony

While antivirus companies are working hard to release an update to identify this malicious code that uses the rootkit automatically installed by some Sony CDs, Norman’s proactive antivirus solution, Norman Sandbox, already detected this software, classified as a potential security risk.
The Sony Software found on several of the company’s recent album, is triggered by playing one of the CDs in a PC. From the CD drive, the software installs itself deeply inside a hard drive and hides itself from the view. This technique can be used by virus writers to hide their own malicious software. It might also be a potentially dangerous spyware.

- This once again proves that the Norman Sandbox is the leading technology for detecting new unknown threats", says Kurt Natvig - Head of Norman Sandbox development.

 

Re: Norman SandBox with early detection of security risk created by DRM protected Son

They are not working hard to add the detection but rather working hard to find out if it is legal to detect and remove it.

 

Re: Norman SandBox with early detection of security risk created by DRM protected Son

I went and skimmed the white paper for Norman Sandbox (NS). It is a very interesting approach.

So is every executable run in NS before it is allowed to execute (each time it is run)? What about performance overhead?

If it's not executed each time within the sandbox, what's to prevent an application from "acting nice" the first couple times it's run to avoid detection?

Could an executable (say Sony's DRM) detect it is running in the NS environment in the following way: open a socket connection to a server controlled by Sony or First 4 Internet. Use an encrypted/authenticated challange/response mechanism to determine if it is really connecting to the server (not an emulated version). If it is connected, then continue to run... otherwise, do some benign actions to avoid detection until run outside the sandbox?

How would you classify a program that operated like this? It could be a harmless application (like Adobe Acrobat) phoning home to check for updates... or a "harmless" media player from Sony downloading the latest version of the EULA (which up until recently would have seemed relatively harmless)... or malicious code trying to avoid detection. How would NS sort this out?

The whole sandbox concept is very interesting to me, but I'm also very skeptical of it for the following reason: The sandbox is running within the environment (the OS) that it is trying to protect. Where is the root of trust? It can't be the OS, or else you wouldn't need the sandbox in the first place. The only viable long-term solution to this continual arms race seems to be scanning the system from the outside: the first thing that comes to mind is BartPE, but I'm sure there are many other ways to do it.

 

Re: Norman SandBox with early detection of security risk created by DRM protected Son

Sandbox technology is NOT used to scan every and each accessed file.
Also BitDefender and NOD32 use similar technology to identify new threats.

 

Re: Norman SandBox with early detection of security risk created by DRM protected Son

@ RejZor

I assume you were replying to my post... I know how sandboxes are used, I just have specific questions about Norman Sandbox. These questons were generated from the white-paper on their website.

[From their website]

"Because how can we spot any behaviour, regular or irregular, without actually testing the program? Well, no one can, but what we can do is to test the program in a secure environment separated from the production system of the company. We do this by using a computer emulator. Using emulators to test programs has been used for decades to test applications. What makes the emulator of the SandBox particularly useful is that it emulates a complete local network infrastructure, and it is run in a secure environment on a PC, without any connection or any risk of leakage to the production system."

I'm questioning the infallibility of the emulator ("without any connection or any risk of leakage"). I am curious about the system and the companies claims.

 

Re: Norman SandBox with early detection of security risk created by DRM protected Son

Kinda related:

http://yro.slashdot.org/yro/05/11/11/068222.shtml?tid=123&tid=172&tid=17

 

Hey Stefan, those are consequences that av/at or as companies have to face. I am PAYING you to get protected from the garbage like that.

If you guys have to face legal action then thats your problem. Its called business.


tD

 

There was a worm some time ago that detected when something was scanning it, going dormant to avoid AVs detecting it as malicious (does anyone remember the name?). It worked against many scanners, but NOD32's heuristics still detected it as malicious. Norman isn't the best AV you could choose, it's detection rates seem to be pretty average where other AVs that use the same techniques, like NOD32, are heads above the rest in this area (signature database notwithstanding). So yes, some are better than others, and none depend solely on this kind of sandboxing/virtual environment technology for detection. (Can't really say anything about BitDefender's heuristics, haven't heard much yet.)

I have never heard of anything escaping these virtual environments, however.. they generally know what they're doing enough to make it pretty much impossible (as close to it as possible, anyway). These environments probably don't have anything to do with Windows, which the malware would need. Any AV puts in a driver just above the file system driver. As any call is made to use the file system, the AV will intercept that call and scan it first, before letting it pass through. Generally, unless there is a vulnerability in the AV itself it's pretty much impossible to get through it if the AV can detect it as malware. There are tricks that they can do, however, to make it harder for AVs to recognize that the file is malware.

 

I'm thinking the same way.

Have at this moment some discussion with Kaspersky Lab, will see what the results of the discussion are.

Take a look here.

Like you said: we are PAYING to get protected from garbage like Sony's Rootkit, i will spend my money for licenses elsewhere when i'm not protected enough by a AV-program.