Help needed with analysis

Discussion in 'sandboxing & virtualization' started by zeroflag, Jul 6, 2014.

Thread Status:
Not open for further replies.
  1. zeroflag

    zeroflag Registered Member

    Joined:
    Jul 6, 2014
    Posts:
    5
    Location:
    India
    Hi everyone,

Can anyone tell me some software to be used for malware analysis?

    Are Sandboxie lifetime licenses still available?

    Any alternatives?

    I want to watch which processes are currently communicating via the internet and which are writing data to my HDD. Any tool suggestions?
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  3. zeroflag

    zeroflag Registered Member

    Joined:
    Jul 6, 2014
    Posts:
    5
    Location:
    India
Thanks ronjor. I was planning to buy Sandboxie. Will the lifetime license be honored by INVINCEA?
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
  5. zeroflag

    zeroflag Registered Member

    Joined:
    Jul 6, 2014
    Posts:
    5
    Location:
    India
    Thanks bo :)

Can I ask you one doubt? How effective is Sandboxie against trojans and viruses? Any personal experience, anyone?
     
  6. zeroflag

    zeroflag Registered Member

    Joined:
    Jul 6, 2014
    Posts:
    5
    Location:
    India
I have more than 2 laptops for malware analysis. Can I install it on those machines with one purchase? All are personal machines only. Is anyone using this license on more than one machine?
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    You are welcome Zeroflag.

After more than 5 years using the program, I have never seen anything to make me doubt or wonder if Sandboxie is doing the work it's supposed to. Nothing gets out of the sandbox unless you allow it; that's what I've seen.

    But no matter what I am doing, I never stop using SBIE, I am always using SBIE. And for me, due to constantly using Sandboxie, viruses are like they don't exist. :)

    Bo
     
  8. zeroflag

    zeroflag Registered Member

    Joined:
    Jul 6, 2014
    Posts:
    5
    Location:
    India
That explains it, bo. Thanks a lot for your time :thumb:
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Yes, you can use the lifetime license in more than one computer as long as they are yours.

I am using Sandboxie on two computers and used it on another one that got stolen. All mine, never a problem activating the license. But you should hurry; officially the lifetime license doesn't exist anymore. But the link is still good. So...

    Bo
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042

    I'll 2nd what Bo said, and also since I had a friend put it on her machine, she has had no more infections.
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
Disclaimer: I'm not a malware expert. Take my advice at your own risk.

    But that said...

    I would not rely on Sandboxie for experimenting with malware analysis.

    There are three reasons for this.

    1. A fair amount of malware is wise to sandboxes, and simply will not run in them, because the authors don't want their Precious analyzed.

    2. Even if malware does run in the sandbox, it won't necessarily behave normally. Sandboxie does not recreate every resource on a Windows system; some stuff it just blocks.

    3. Sandboxie is adequate protection against occasional driveby attacks, and suchlike. It is not adequate protection against deliberately running malicious binaries inside a sandbox. There are things that can break out of it if the right vulnerabilities are available, e.g. Stuxnet and derivatives.

The short of it is, Sandboxie is a good tool, but not the right one for this job.

    I will post more shortly, just wanted to put this on the table ASAP.
     
  13. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
Disclaimer: I don't do malware analysis as anything more than a very occasional hobby!

    Okay. What I know of malware analysis is, there are two basic sides to it: static and dynamic.

    Static analysis means you look at the binary package(s) and see what's in them. Typically you would do this with a disassembler, and code analysis tools like Radare or IDA.

To do this you need a working knowledge of x86 (and possibly x86-64) assembly. This is not simple. Assembly is pretty much spaghetti code by definition, because its only flow control is through various kinds of GOTO instructions. Knowing the opcodes is less than half of it; you also have to follow the flow of execution around and around and around through the program.

    To make matters worse, malware authors (again) don't want their Precious analyzed, so they typically use things like runtime compression to make the real assembly code even harder to get at. More advanced specimens might include other tricks - encryption, weird optimizations, all kinds of code obfuscation tricks.

    If you want to get into this though, you should learn some x86(-64) assembly. Fortunately there are a lot of online resources for this stuff, and also free books:
    https://github.com/vhf/free-program...r/free-programming-books.md#assembly-language

    Radare, the free disassembly and analysis tool, has a free guide too:

    http://radare.nopcode.org/y/?p=documentation

    And Windows binaries!

    http://radare.nopcode.org/y/?p=download#binaries

    Unfortunately static analysis is really hard, and sometimes there is no substitute for seeing malware in action. Thus dynamic analysis, i.e. running the nasty and seeing what it does.

    I can't even begin to point you in the right direction on that unfortunately. You might want to send PMs to some of the antivirus/antimalware developers here, or maybe open an account on Stack Exchange for this sort of thing.

    That's about as much as I can say on this. Good luck!
     