Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Hi.

    I would like to announce the release of Buster Sandbox Analyzer.

    Buster Sandbox Analyzer, or BSA for short, is a security tool focused on analyzing the behaviour of applications and evaluating the actions they perform to determine whether they act like malware or not.

    It works in a similar way to Norman Sandbox Analyzer, but whereas Norman's tool performs the analysis by emulating the analyzed programs, BSA uses Sandboxie as the environment in which to run applications.

    Another difference is that Norman performs the analysis without human intervention, whereas with BSA it is the user who manually runs the applications to be analyzed. This has some benefits and some drawbacks.

    As benefits, we could say that BSA can analyze any type of "application", from executable files to DOC, XLS, PDF, VBS, BAT, or any other kind of file that can be "executed". Also, if an application requires user actions such as pressing a button or accepting an agreement, this is possible, whereas in Norman Sandbox Analyzer (and some other malware analyzers too) it is not.

    As a drawback, BSA is unable to analyze large numbers of files automatically. We must also consider that if we don't take the necessary measures, information from the computer where BSA is being run could leak to the Internet.

    Another important point is that BSA is freeware. You only have to pay for Sandboxie's license, which is pretty cheap.

    These and other questions are discussed in the BSA manual.

    You can follow the development of the tool here:

    http://sandboxie.com/phpbb/viewtopic.php?t=6557

    You can download the tool from here:

    -http://bsa.qnea.de/bsa.rar-


    Even if Buster Sandbox Analyzer is currently working as expected in many aspects, it must be said that the project was initiated recently. Therefore the tool still needs improvements and testing until it reaches a certain point of excellence.

    I hope some of you will be interested in the tool and that, among those people, some will be interested in helping to improve it with suggestions, tests, etc.

    Regards.
     
    Last edited by a moderator: Nov 29, 2009
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Two examples of the analysis and reports produced with Buster Sandbox Analyzer.

    Email-Worm.Win32.NetSky.p

    Analysis:

    Detailed report of suspicious malware actions:

    Defined file type copied to Windows folder: D:\WINDOWS\AVBgle.exe
    Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\MSInfo = D:\WINDOWS\AVBgle.exe
    Internet connection: Connects to "212.27.42.58 (free.fr)" on port 25.
    Internet connection: Connects to "72.14.221.27 (1e100.net)" on port 25.
    Internet connection: Connects to "64.12.138.153 (aol.com)" on port 25.
    Internet connection: Connects to "72.167.238.201 (secureserver.net)" on port 25.
    Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504

    Report:

    [ Changes to filesystem ]
    * Creates file D:\WINDOWS\AVBgle.exe
    * Creates file D:\WINDOWS\base64.tmp

    [ Changes to registry ]
    * Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    * Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
    * Modifies value "SavedLegacySettings=3C00000044000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections old value "SavedLegacySettings=3C00000043000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"

    [ Network services ]
    * Looks for an Internet connection.
    * Connects to "212.27.42.58 (free.fr)" on port 25.
    * Connects to "72.14.221.27 (1e100.net)" on port 25.
    * Connects to "64.12.138.153 (aol.com)" on port 25.
    * Connects to "72.167.238.201 (secureserver.net)" on port 25.

    [ Process/window information ]
    * Creates a mutex Bgl_*L*o*o*s*e*.
    * Creates a mutex _!MSFTHISTORY!_.
    * Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.
    * Creates a mutex d:!documents and settings!test!cookies!.
    * Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.
    * Creates a mutex RasPbFile.
    * Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".


    P2P-Worm.Win32.Goldun.a

    Analysis:

    Detailed report of suspicious malware actions:

    Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfCC4.dll
    Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfdrv.sys
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\DllName = 6D00630066004300430034002E0064006C006C000000
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Startup = mcfCC4Sta
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Impersonate = 01000000
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Asynchronous = 01000000
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\MaxWait = 01000000
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\key4 = [36590096273976988461[Test]
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\BusterSvc\SandboxedServices = mcfdrv
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Type = 01000000
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Start = 01000000
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\DisplayName = MCFservice
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\ImagePath = D:\WINDOWS\system32\mcfdrv.sys
    Detected backdoor listening on port: 4050
    Created a service named: MCFservice
    Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504

    Report:

    [ Changes to filesystem ]
    * Creates file D:\WINDOWS\system32\mcfCC4.dll
    * Creates file D:\WINDOWS\system32\mcfdrv.sys

    [ Changes to registry ]
    * Creates value "DllName=6D00630066004300430034002E0064006C006C000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
    * Creates value "Startup=mcfCC4Sta" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
    * Creates value "Impersonate=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
    * Creates value "Asynchronous=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
    * Creates value "MaxWait=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
    * Creates value "key4=[36590096273976988461[Test]" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
    * Creates value "SandboxedServices=mcfdrv" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BusterSvc
    * Creates value "Type=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
    * Creates value "Start=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
    * Creates value "DisplayName=MCFservice" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
    * Creates value "ImagePath=D:\WINDOWS\system32\mcfdrv.sys" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

    [ Network services ]
    * Backdoor functionality on port 4050.

    [ Process/window information ]
    * Creates a service named "MCFservice".
    * Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".
     
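The two reports above follow a fixed layout ("[ Section ]" headings, one "* action" per line, REG_DWORD data printed as little-endian hex, some strings printed as UTF-16-LE hex), which makes them easy to post-process. The following is an added example, not code from BSA or its author: a small parser that reads a report in that layout and flags the behaviours the "Detailed report of suspicious malware actions" lists highlight (drops into the Windows folder, Run-key and Winlogon Notify autostarts, kernel driver services, direct SMTP to several mail servers, listening backdoor ports). The two sample reports embedded in the code are abridged copies of the NetSky.p and Goldun.a reports above; the category names are my own.

```python
"""Parse a BSA/Norman-style behaviour report and flag what an analyst looks for first:
drops into the Windows folder, autostart entries, service/driver installation, direct SMTP
to several mail servers (mass-mailer) and listening backdoor ports. Added example, not BSA
code; the two sample reports below are abridged from the post above."""
import re

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
ITEM_RE = re.compile(r"^\*\s+(.*)$")
CREATE_FILE_RE = re.compile(r"^Creates file (?P<path>.+)$")
CREATE_VALUE_RE = re.compile(r'^Creates value "(?P<name>[^=]+)=(?P<data>[^"]*)" in key (?P<key>.+)$')
CONNECT_RE = re.compile(r'^Connects to "(?P<ip>[\d.]+) \((?P<host>[^)]+)\)" on port (?P<port>\d+)\.$')
BACKDOOR_RE = re.compile(r"^Backdoor functionality on port (?P<port>\d+)\.$")

# SERVICE_TYPE / SERVICE_START values from winnt.h: Type=1 is a kernel driver, Start=1 is system start
SERVICE_TYPES = {0x1: "kernel driver", 0x2: "file system driver", 0x10: "own process", 0x20: "shared process"}
SERVICE_STARTS = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def parse_report(text):
    """Split the '[ Section ]' / '* item' layout into {section: [items]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and (m := ITEM_RE.match(line)):
            sections[current].append(m.group(1))
    return sections


def reg_dword(hexdata):
    """BSA prints REG_DWORD data as raw little-endian bytes in hex: '01000000' -> 1."""
    return int.from_bytes(bytes.fromhex(hexdata), "little")


def reg_utf16(hexdata):
    """Some string values appear as raw UTF-16-LE bytes in hex (the DllName value above)."""
    return bytes.fromhex(hexdata).decode("utf-16-le").rstrip("\x00")


def analyze(text):
    """Return [(category, detail), ...] for one report."""
    sections, findings, services, smtp_hosts = parse_report(text), [], {}, set()
    for item in sections.get("Changes to filesystem", []):
        m = CREATE_FILE_RE.match(item)
        if m and re.search(r"\\windows\\", m.group("path"), re.IGNORECASE):
            findings.append(("drop", m.group("path")))
    for item in sections.get("Changes to registry", []):
        m = CREATE_VALUE_RE.match(item)
        if not m:
            continue  # 'Deletes key' / 'Modifies value' lines are ignored here
        key, name, data = m.group("key").lower(), m.group("name"), m.group("data")
        if key.endswith("\\currentversion\\run"):
            findings.append(("autostart", f"Run: {name} = {data}"))
        elif "\\winlogon\\notify\\" in key and name.lower() == "dllname":
            findings.append(("autostart", f"Winlogon notify package: {reg_utf16(data)}"))
        elif "\\currentcontrolset\\services\\" in key:
            services.setdefault(key.rsplit("\\", 1)[1], {})[name.lower()] = data
    for svc, vals in services.items():
        if "imagepath" not in vals:
            continue  # a value written under some other service's key does not install a service
        kind = SERVICE_TYPES.get(reg_dword(vals.get("type", "00000000")), "unknown type")
        start = SERVICE_STARTS.get(reg_dword(vals.get("start", "ffffffff")), "unknown start")
        findings.append(("service", f"{svc}: {kind}, {start} start, {vals['imagepath']}"))
    for item in sections.get("Network services", []):
        if (m := CONNECT_RE.match(item)) and m.group("port") == "25":
            smtp_hosts.add(m.group("host"))
        elif m := BACKDOOR_RE.match(item):
            findings.append(("backdoor", f"listens on port {m.group('port')}"))
    if len(smtp_hosts) >= 2:  # speaking SMTP to several mail servers itself is mass-mailer behaviour
        findings.append(("mass-mailer", ", ".join(sorted(smtp_hosts))))
    return findings


NETSKY_REPORT = r"""
[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp

[ Changes to registry ]
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run

[ Network services ]
* Looks for an Internet connection.
* Connects to "212.27.42.58 (free.fr)" on port 25.
* Connects to "72.14.221.27 (1e100.net)" on port 25.
* Connects to "64.12.138.153 (aol.com)" on port 25.
* Connects to "72.167.238.201 (secureserver.net)" on port 25.
"""

GOLDUN_REPORT = r"""
[ Changes to filesystem ]
* Creates file D:\WINDOWS\system32\mcfCC4.dll
* Creates file D:\WINDOWS\system32\mcfdrv.sys

[ Changes to registry ]
* Creates value "DllName=6D00630066004300430034002E0064006C006C000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "SandboxedServices=mcfdrv" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BusterSvc
* Creates value "Type=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
* Creates value "Start=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
* Creates value "ImagePath=D:\WINDOWS\system32\mcfdrv.sys" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

[ Network services ]
* Backdoor functionality on port 4050.
"""
```

Running `analyze(GOLDUN_REPORT)` decodes the hex DllName back to mcfCC4.dll and reports mcfdrv as a kernel driver with system start, which is the detail that matters: a Winlogon notification DLL plus a driver loaded at boot is a rootkit-style installation, not just "a file was copied". The SandboxedServices value under BusterSvc is deliberately not counted as a service, since it carries no ImagePath.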
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks for posting here, I look forward to trying it out:)

    Although I already use a local sandbox, it would be nice to try out another tool. One online sandbox I've been trying - joebox - is still down.
     
    Last edited: Nov 29, 2009
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    It's necessary to read the manual before using the tool because Sandboxie must be configured in order to get it working along with BSA.
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Okay thanks, I imagined access settings must be configured so I'll have a read.
     
  6. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    That's right.

    It's a pretty simple configuration: just 2 lines added to Sandboxie.INI.

    In one line we tell Sandboxie to inject the API logger DLL into every sandboxed process.

    In the other line we allow communication from sandboxed processes to the BSA tool through Sandboxie's OpenWinClass parameter. That way BSA is able to receive notifications.
     
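What those two lines look like in practice, as an added illustration rather than text from the post or from the BSA manual. Sandboxie's `InjectDll` setting loads a DLL into every program started in the box, and `OpenWinClass` lets sandboxed programs send window messages to windows of the named class; the DLL path and the window class name below are assumptions, the real values have to be taken from the BSA manual.

```ini
[DefaultBox]
InjectDll=C:\BSA\LOG_API.DLL
OpenWinClass=TFormBSA
```

Both lines go into the section of the box used for analysis, not into [GlobalSettings]: `OpenWinClass` deliberately opens a hole in Sandboxie's window isolation for that class, so it should apply only to the box where samples are run, and that box should be on a machine whose leakage to the Internet, as the first post warns, you are prepared to accept or have blocked.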
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Looks like a nice tool. Not limited to the Internet or automated. Any 'drawbacks' I suppose are tied to Sandboxie's limits.
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Among my favourite features are the two you mention: not limited to the Internet and not automated.

    The tool is "yours". You can have it installed on as many computers as you want and use it whenever you want, without any restrictions.

    As it is not automated, the analysis can be improved if the user has the appropriate knowledge, e.g. you can run a sniffer to capture transmitted packets. Users can make the tool better and more accurate by themselves.

    As you mention, and as is commented in the manual, BSA is limited by Sandboxie's limits and my own limits as a coder.
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    okay thanks Buster - time for a play.
     
  10. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Come back here after you play with it and leave your comments, please.

    I'm still waiting to hear comments from someone who has tried it.
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Buster, it's a good tool and works well, and it was a good idea to utilize Sandboxie. :)

    Not comparing your tool with any other, but I thought it would remind me a little of SysAnalyzer.

    Very easy to use. Will you add your own monitors - a sniffer... servers, DNS requests, process analyser?

    Logging is good; I would have liked an overall report combining everything as well.

    I like it.:thumb:
     
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    From SysAnalyzer I used the API logger in my project, but even though I have SysAnalyzer installed in a virtual machine, I have never used it, therefore I don't know whether my tool is reminiscent of it or not.

    The report format is a copy of Norman's, so it will remind you of that. ;)

    My plan for the tool is to continue adding malware behaviours. A sniffer is not in my plans because that's something a user could include by himself.

    I decided to separate the different report files on purpose because, as commented in the documentation, Buster Sandbox Analyzer may be used by Sandboxie users just to get a report of the changes made to the system: files and registry.

    Glad you liked it!

    If you notice some malware behaviour not already included, I'll be really interested in hearing about it. At the moment that's the most important aspect of the tool to improve.
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Did you ever have the chance to try Norman Sandbox Analyzer?

    I know that's not very likely, since it's very restricted to professionals.
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    My comments are all positive

    :)

    Sure. I do strive to be professional, they let me in ;) :)
     
    Last edited: Nov 29, 2009
  15. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Very nice! :D I am going to use it very often :)
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I'm glad you like it.

    If you miss anything, just let me know.
     
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
  18. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    Hi Buster
    small typo on http://bsa.qnea.de/
    "Analisis and report examples" should say Analysis in English

    best wishes

    pidbo
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Ok, thank you! ;)
     
  20. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    I tried your app & it performed as described.
    Although I admire your programming effort, I wonder why you are reinventing the wheel?

    the freely available SysInternals Process Monitor utility
    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
    provides comprehensive reporting, can be set to run at boot (to monitor post-reboot operations by an installer, for instance) and isn't dependent upon the presence of sandboxie.

    The "Tools" dropdown in the Process Monitor menu enables you to generate various drill-down reports:
    Tools -> Process Activity Summary
    Tools -> File Summary
    Tools -> Registry Summary
    Tools -> Stack Summary
    Tools -> Network Summary
    Tools -> Cross Reference Summary
    and prior to creating SaveAs output, you can sort columns and/or filter the data within the live gridview.

    ps: check out the handy Process Monitor commandline options
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, to me it adds value to Sandboxie, allows user configuration, and provides enthusiasts an all-in-one tool to play with (instead of configuring a VM setup).


    Ehh, on the wish list: pre and post difference of, for instance, autoruns output.
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    inka: I just intend to bring malware analysis closer to non-advanced users.

    While Buster Sandbox Analyzer is a malware analyzer for non-advanced users, Process Monitor (if we can consider it a malware analyzer) is not a tool for non-advanced users.

    Can you imagine your wife, your girlfriend, or your sister learning to catch malware using Process Monitor? Maybe, but with a lot of work. Instead, I could teach them to catch malware with Buster Sandbox Analyzer in a few hours.

    That's the difference.

    Advanced users can use Process Monitor, as commented in the manual, to improve malware analysis.
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I don't follow you. Could you explain it, please?
     
  24. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I must try this; it would be good for looking at the behaviour of malware samples.
     
  25. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Avira detected Buster as a TR-DOWNLOADER trojan.
     