Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Avira's over enthusiastic heuristics(?)

    Hash?
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
If anyone is suspicious about the DLL, the source code is included in the package, so it can be compiled for peace of mind. :p

    At the moment I will not submit the DLL and request a fix for the false positive, because I will modify the DLL, so it will probably be detected again.
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Buster is building a Malware Analyzer (Volkswagen) for the masses.

    Fahrvergnügen

    Oh my.

    Is this dangerous?
    Can malware leverage this to circumvent discovery?
     
  5. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Is Avira using Ikarus engine? It burps false positives ridiculously often. Try uploading a few of the nirsoft.net freeware utility executables to VirusTotal.com & note that Ikarus and F-protect repeatedly "recognize" the utils as malware. They seem to choke (I personally can't forgive it as "playing it safe") on any packed executable file, as well as on any app that employs AutoIt scripting.

    Buster, I doubt anyone reading this thread actually suspects your dll contains malware, so I hope you aren't taking it personally (the false positive report).
     
  6. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
Yes, as a consequence of Sandboxie not being able to sandbox certain files, the analysis cannot be performed.

    Anyway, the percentage of files that Sandboxie is unable to sandbox is pretty small, so in most cases the malware analysis can be done.
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    inka: Don't worry, I don't take it personally. :)
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I have thought up a slogan:

    If we can't inject, we don't protect!

Not sure how Babelfish will scramble it though; it rhymes in English.
    Assuming you are using translation both ways. :D

    Thanks for the link.
     
  10. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
Searching: I think it's possible to circumvent that problem.

    First, you would sandbox a loader, something like OllyDbg, and then load the problematic file from OllyDbg and let it run from there. I think something like that should work.

    If you find a problematic file you know what to do.
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.02.

    Change list:

    Added MD5, SHA1 and SHA256 hashing when file to process is specified

    Added custom registry entry checking

    Added a feature to check for updates

    Fixed a few bugs in Buster Sandbox Analyzer

    Fixed a bug in LOG_API library
     
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I have added a feature that lets users add their own registry entries and a reason why they were included.

    Like this:

    [Custom_Registry_Entries]
    machine\software\microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools<->Disable Registry Tools
    user\current\software\Microsoft\Internet Explorer\Main\Start Page<->Change start page

    Does anyone have a list of typical registry modifications performed by malware? Like changing the start page, disabling the Windows firewall, etc.
     
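The custom registry entry format in the post above, as an added worked example that is not BSA's own code: a small Python parser for the `[Custom_Registry_Entries]` section (each line is `path<->reason`, with hives named in Sandboxie's `machine` / `user\current` style) and a checker that normalizes registry paths taken from an API log and flags every write that hits a listed key. Only the two entries from the post are from the page; the API log line format, the third (`Run\*`) entry and `*` wildcard matching are assumptions added here for illustration.

```python
"""Added example (not BSA's own code): parse a BSA-style
[Custom_Registry_Entries] section and flag matching registry writes in an
API log. The log format, the wildcard entry and wildcard matching are
assumptions made for this example."""
import fnmatch
import re

SEPARATOR = "<->"   # separates the registry path from the reason, as in the post

# Constructed config. The first two entries are the ones shown in the post;
# the third entry (and '*' wildcard support) is an assumption for illustration.
CUSTOM_ENTRIES = r"""
[Custom_Registry_Entries]
machine\software\microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools<->Disable Registry Tools
user\current\software\Microsoft\Internet Explorer\Main\Start Page<->Change start page
user\current\software\Microsoft\Windows\CurrentVersion\Run\*<->Add autostart entry (assumed entry)
"""

# Constructed API log in a hypothetical "API HIVE\path = data" format.
SAMPLE_LOG = r"""
RegSetValueEx HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = http://example.invalid/
RegSetValueEx HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
RegSetValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater = C:\Users\x\AppData\Roaming\svc.exe
RegSetValueEx HKCU\Software\Example\Harmless\Setting = 1
"""

# Map hive names as they appear in logs onto the naming used by the entries.
HIVE_ALIASES = {
    "hkey_local_machine": "machine",
    "hklm": "machine",
    "hkey_current_user": r"user\current",
    "hkcu": r"user\current",
}

LOG_LINE_RE = re.compile(
    r"^(?P<api>Reg\w+)\s+(?P<path>[^=]+?)(?:\s*=\s*(?P<data>.*))?$"
)


def parse_custom_entries(text):
    """Return [(lowercased path pattern, reason)] from the section."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[custom_registry_entries]"
            continue
        if not in_section:
            continue
        if SEPARATOR not in line:
            raise ValueError(f"malformed entry (no {SEPARATOR}): {line}")
        path, reason = line.split(SEPARATOR, 1)
        entries.append((path.strip().lower(), reason.strip()))
    return entries


def normalize_registry_path(path):
    """Lowercase, use backslashes, and translate HKLM/HKCU (long or short
    form) into the hive names used by the entry list."""
    path = path.strip().replace("/", "\\").lower()
    hive, _, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive, hive)
    return f"{hive}\\{rest}" if rest else hive


def check_registry_log(log_text, entries):
    """Return [(api, normalized path, reason)] for every log line whose
    registry path matches a listed entry (first matching entry wins)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        path = normalize_registry_path(m.group("path"))
        for pattern, reason in entries:
            if fnmatch.fnmatchcase(path, pattern):
                findings.append((m.group("api"), path, reason))
                break
    return findings


if __name__ == "__main__":
    hits = check_registry_log(SAMPLE_LOG, parse_custom_entries(CUSTOM_ENTRIES))
    for api, path, reason in hits:
        print(f"{reason}: {api} {path}")
```

Both sides are lowercased before matching because registry paths are case-insensitive on Windows, and hive aliases are folded into the `machine` / `user\current` form so one entry covers `HKLM` and `HKEY_LOCAL_MACHINE` spellings alike. The harmless fourth log line produces no finding.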
  13. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Last edited: Dec 7, 2009
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I want a list of typical registry changes made by malware, like changing the start page, disabling the firewall, disabling Windows Update, etc.
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.04.

    Change list:

    Added support for network shares

    Added a feature to allow wildcards in BSA.DAT

    Added a feature to ignore when sandbox folder is not empty

    Added a feature to check for updates on start

    Updated LOG_API library
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
In the PDF, it is explained what they can be used for, sometimes stating that malware like ... does this.

    Can't BSA compile its own DB? Users of BSA can choose to share with Buster.

    What is scary:
    http://www.forensicfocus.com/index.php?name=Content&pid=73&page=6
    Go ahead, erase the .sys, .exe, .dll. We be back.
     
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.05.

    Change list:

    Added "Assorted suspicious actions"

    Fixed several bugs in Buster Sandbox Analyzer

    Updated LOG_API library
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    nice work :thumb:
     
  19. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Ditto. (I have Avira as on-demand)

    Something's not right here. This could possibly be an exploit attempt on Sandboxie (but I'll remain subjective on the matter)
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Anyone can send the binary to Avira so they can confirm whether the detection is genuine or a false positive.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You can set Internet Explorer to exclude compressed files (included in URIs) when you have XP/Vista/Windows Pro (you need the Group Policy Editor for that).

    In the Anti Virus forum there is a fun article which Sjoeii posted https://www.wilderssecurity.com/showpost.php?p=1595467&postcount=82

    I guess due to the stronger OSes, the attack will focus on social engineering more than on theoretical, very hard to program staged entries. Malware has the same issue as flying: although it is safer than driving a car, most people have more fear of flying than of driving cars. Social engineering focuses on just that: the user is in the driver's seat (allowing access, because they are tricked into allowing), so these social engineering attacks will occur more than brute, staged exploits. Meanwhile the media buzz is about air travel incidents (the staged attacks we do not understand, hence have no grip on, like the aircraft which is flown by the pilot). IMO - I would not worry too much about it.

    Regards Kees
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Buster Sandbox Analyzer 1.06 has been released.
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer version 1.07

    Change list:

    Added detection of new malicious activities
    Updated BSA.DAT
    Updated LOG_API library
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Maybe some people didn't notice that the current version of BSA is able to analyze Sandboxie-aware malware. That's an interesting feature added in the previous version.
     
  25. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.08.

    Change list:

    Added a packet sniffer
    Updated BSA.DAT
    Updated LOG_API library
     