Norman's Sandbox

Discussion in 'other anti-virus software' started by izi, Feb 11, 2005.

Thread Status:
Not open for further replies.
  1. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    This is the best pro-active detection.

    Look what Norman does if it finds a virus with the sandbox:

    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050211-022

    bestfriends.pif : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 33280 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\lsvhosts.EXE.

    [ Changes to registry ]
    * Creates value "LSASS Authority"="lsvhosts.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates value "LSASS Authority"="lsvhosts.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".

    [ Network services ]
    * Looks for an Internet connection.
    * Connects to "209.152.177.208" on port 8080 (TCP).
    * Connects to IRC Server.

    [ Security issues ]
    * Possible backdoor functionality [Authenticate] port 113.

    [ Process/window information ]
    * Enumerates running processes.
    * Will automatically restart after boot (I'll be back...).
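The report quoted above is regular enough to parse mechanically. As an added example (not Norman's code and not part of the original post), the Python below turns such a report into the indicators a defender acts on: files dropped, autorun registry entries, outbound connections and listening ports, plus a small triage summary. The sample input is the report from this post reproduced as a constant; the autorun-key list, the `NO_VIRUS` check and the triage fields are this example's own assumptions about the format, derived only from the reports in this thread.

```python
import re
from dataclasses import dataclass, field

# Sample input: the sandbox report quoted in this post, reproduced as a constant
# so the parser runs offline. Banner, footer and the IMPORTANT line are kept to
# show that they are skipped.
SAMPLE_REPORT = r"""Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050211-022

bestfriends.pif : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 33280 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\lsvhosts.EXE.

[ Changes to registry ]
* Creates value "LSASS Authority"="lsvhosts.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "LSASS Authority"="lsvhosts.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".

[ Network services ]
* Looks for an Internet connection.
* Connects to "209.152.177.208" on port 8080 (TCP).
* Connects to IRC Server.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I'll be back...).
"""

# Line shapes as they appear in the reports posted in this thread (assumed format).
VERDICT_RE = re.compile(r"^(?P<name>.+?) : (?P<verdict>.+) \(Signature: (?P<sig>[^)]+)\)$")
SECTION_RE = re.compile(r"^\[ (?P<title>.+?) \]$")
FILE_RE = re.compile(r"^Creates file (?P<path>.+)\.$")
VALUE_RE = re.compile(r'^(?:Creates|Sets) value "(?P<name>[^"]*)"="(?P<data>[^"]*)" in key "(?P<key>[^"]+)"\.$')
CONNECT_RE = re.compile(r'^Connects to "(?P<host>[^"]+)" on port (?P<port>\d+) \((?P<proto>TCP|UDP)\)\.$')
BACKDOOR_RE = re.compile(r"^Possible backdoor functionality \[(?P<kind>[^\]]+)\] port (?P<port>\d+)\.$")
# Registry keys that make a dropped file start again at boot (assumed list).
AUTORUN_KEYS = ("\\run", "\\runservices", "\\runonce")


@dataclass
class SandboxReport:
    filename: str = ""
    verdict: str = ""
    signature: str = ""
    created_files: list = field(default_factory=list)
    autorun_entries: list = field(default_factory=list)  # (value name, data, key)
    connections: list = field(default_factory=list)      # (host, port, protocol)
    backdoor_ports: list = field(default_factory=list)
    flags: set = field(default_factory=set)


def _record_item(rep: SandboxReport, item: str) -> None:
    """Classify one '* ...' bullet; unknown bullets are ignored on purpose."""
    if m := FILE_RE.match(item):
        rep.created_files.append(m.group("path"))
    elif m := VALUE_RE.match(item):
        key = m.group("key").replace("/", "\\")  # reports in the thread use both slash styles
        if key.lower().endswith(AUTORUN_KEYS):
            rep.autorun_entries.append((m.group("name"), m.group("data"), key))
    elif m := CONNECT_RE.match(item):
        rep.connections.append((m.group("host"), int(m.group("port")), m.group("proto")))
    elif m := BACKDOOR_RE.match(item):
        rep.backdoor_ports.append(int(m.group("port")))
    elif item.startswith("Will automatically restart after boot"):
        rep.flags.add("persistence")
    elif item.startswith("Connects to IRC Server"):
        rep.flags.add("irc")
    elif item.startswith("File might be compressed"):
        rep.flags.add("packed")


def parse_report(text: str) -> SandboxReport:
    """Walk the report line by line; banner, footer and mail trailer fall through."""
    rep = SandboxReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("* "):
            _record_item(rep, line[2:])
            continue
        if SECTION_RE.match(line):
            continue
        m = VERDICT_RE.match(line)
        if m and not rep.filename:
            rep.filename, rep.verdict, rep.signature = m.group("name", "verdict", "sig")
    return rep


def triage(rep: SandboxReport) -> dict:
    """Defender-side summary: what an analyst would pivot on from this report."""
    return {
        "file": rep.filename,
        "signature_hit": rep.signature != "NO_VIRUS",
        "behavioural_hit": rep.verdict.startswith("[SANDBOX]"),
        "persistence": bool(rep.autorun_entries) or "persistence" in rep.flags,
        "network": bool(rep.connections) or "irc" in rep.flags,
        "listens": sorted(rep.backdoor_ports),
        "iocs": {
            "files": list(rep.created_files),
            "autorun": [f"{key}\\{name}" for name, _, key in rep.autorun_entries],
            "hosts": sorted({host for host, _, _ in rep.connections}),
        },
    }


if __name__ == "__main__":
    for k, v in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{k}: {v}")
```

The interesting field for this thread is the pair `signature_hit` / `behavioural_hit`: the report above is a pure sandbox detection (signature `NO_VIRUS`), which is exactly the case the later posts argue about. The extracted autorun key, dropped path and remote host are what you would search for on other machines.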
     
  2. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Another detection with Sandbox:


    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050211-030

    I-Worm.Trilissa.e : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * Attempts to run Visual Basic Script (VBS).
    * Display message box (Sin) : Sin...my heart is full...pain...pain for my love...Sin...my left hand...is full...pain...is full...bloodSin...my head...pain...blood...for love...blood...Sin...a gun...a man...a Sin...for love....
    * File length: 8192 bytes.

    [ Changes to filesystem ]
    * Creates file C:\Explorer.exe.
    * Creates file C:\WINDOWS\Sin.exe.
    * Creates file C:\Guilty.scr.
    * Creates file C:\Confexion.doc.scr.
    * Drops Visual Basic Script: C:\Sin.vbs.
    * Deletes file c:\autoexec.bat.
    * Creates file C:\autoexec.bat.

    [ Process/window information ]
    * Attemps to NULL c:\Sin.vbs NULL.


    (C) 2004 Norman ASA. All Rights Reserved.
    The material presented is distributed by Norman ASA as an information source only.
     
  3. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Impressive, isn't it?


    tECHNODROME
     
  4. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    The virus information is impressive but it performs badly at Jotti.
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Actually... the work done by Norman’s Sandbox is quite impressive. Anyway, I wouldn’t depend on Jotti’s ON LINE SCANNER to judge an av.


    tECHNODROME
     
  6. kurdadam

    kurdadam Registered Member

    Joined:
    Sep 11, 2004
    Posts:
    26
    And may I ask why you would not?
     
  7. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    In Finland, Fujitsu PCs come with Norman preinstalled as the AV, and I don't have anything good to say about Norman's protection against trojan-like nasties, which is close to nothing. I've installed Avast 4.6 beta on several PCs of friends of mine to avoid the infected samples that I have found on their PCs by using Norman. Avast is superior compared to Norman.

    Best regards,
    Firefighter!
     
  8. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Jotti's site does not serve that purpose. ;)

    tECHNODROME
     
  9. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    Jotti's is probably the most reliable test of "IN THE WILD" viruses we have. Norman's record there is woeful.
     
  10. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I agree, Jotti shows a very good % of where an AV is placed.
    But many won't agree with me. I don't care.
    Norman shows a big potential in their Sandbox, but they seriously lack signatures.
    I found only a few true signature detections, and even those were only samples that are certainly ITW (usually all AV scanners detected that sample). The huge majority of others are detected through Sandbox.
    So there is still room for improvements...
     
  11. ---

    --- Guest

    As regards non-replicating malware (aka trojans): A sandbox does not help if it is not combined with a good unpacking engine and/or a memory scanner. This is because the sandbox cannot analyze packed files.

    Example:

    -------------------


    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050212-040

    Armadillo310.RESOURCE.ICONREPL.OptixLite05.exe : Not detected by sandbox (Signature: NO_VIRUS)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 348160 bytes.


    (C) 2004 Norman ASA. All Rights Reserved.
    The material presented is distributed by Norman ASA as an information source only.

    Sent by sandbox@discardmail.com. Processed Saturday, 12.Feb 2005 at 18.49 POP3: sandbox

    ----------------

    A more detailed analysis can be found here:

    http://illusivesecurity.il.funpic.de/viewtopic.php?t=46
     
  12. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
  13. ---

    --- Guest

    @technodrome

    Thanks for your comments. Do you remember which samples you have used?

    It seems to me that your test results are not in line with ours. That's why I would like to further explore this issue:

    According to our scan log Norman does not detect:

    ASPack212.Coldfusion108.dll 25 600
    ASPack212.Beast192c.exe 55 808
    ASPack212.Bionet318.exe 280 576
    ASPack212.Netdevil12.exe 239 616
    ASPack212.OptixLite05.exe 36 864
    ASPack212.RESOURCE.DELRCPACKINFO.DC.OptixLite5.exe 36 864

    and

    UPX190b.Coldfusion108.dll 19 456
    UPX.Netdevil12.exe 268 800
    UPX084.Asylum013.exe 4 608
    UPX084.Bionet318.exe 305 664
    UPX084.rescompr.Theef2b5.exe 278 016
    UPX084.TheefLE111_comp4.exe 26 112
    UPX084.UPOLYX.Bionet318.exe 305 664
    UPX084.UPXME SCR.Bionet318.exe 305 664
    UPX104.TheefLE111_comp6.exe 24 066
    UPX108.TheefLE111_comp2.exe 26 626
    UPX120.TheefLE111_comp1.exe 27 650
    UPX124.TheefLE111_comp8.exe 23 554

    Moreover, I have submitted a standard UPX-compressed Bionet 3.18 trojan to the live sandbox:

    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050212-077

    UPX084.Bionet318.exe : Not detected by sandbox (Signature: NO_VIRUS)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 305664 bytes.


    (C) 2004 Norman ASA. All Rights Reserved.
    The material presented is distributed by Norman ASA as an information source only.

    Sent by sandboxi@discardmail.com. Processed Saturday, 12.Feb 2005 at 20.49 POP3: sandbox

    ---
     
  14. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I can't recall. But I've used packed worms and not Trojans. Sorry I did not read your part about Trojans, I thought you were speaking generally. My bad. ;)


    tECHNODROME
     
  15. ---

    --- Guest

    @technodrome

    I could imagine that Norman created special signatures for the packed variants of the worms because such worms were widely spread and, therefore, the UPX-packed variants had already been submitted to Norman.
     
  16. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    As far as I know Sandbox doesn't use signatures at all. It’s totally isolated from the virus signature engine (regular engine). I could be wrong though.

    I did test on exotic packed worms which were detected by sandbox engine and not by signature engine.



    tECHNODROME
     
  17. ---

    --- Guest

    Thanks! Your explanation was helpful. We can now rule out that the ordinary signature scanner detected the samples.

    I will perform a few tests with worms. Would be kinda interesting if the sandbox merely analyzed worms but not trojans.
     
  18. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Thanks

    I am looking forward to your comments and findings. ;)


    tECHNODROME
     
  19. ---

    --- Guest

    1.
    Netsky Z (detected by signature & analyzed by Sandbox):

    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050212-105

    netskyz.exe : Not detected by sandbox (Signature: Netsky.Z@mm)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 22016 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\Jammer2nd.exe.
    * Creates file C:\WINDOWS\pk_zip_alg.log.
    * Creates file C:\WINDOWS\pk_zip1.log.
    * Creates file C:\WINDOWS\pk_zip2.log.
    * Creates file C:\WINDOWS\pk_zip3.log.
    * Creates file C:\WINDOWS\pk_zip4.log.
    * Creates file C:\WINDOWS\pk_zip5.log.

    [ Changes to registry ]
    * Creates value "Jammer2nd"="C:\WINDOWS\Jammer2nd.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

    [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Creates a mutex (S)(k)(y)(N)(e)(t).


    (C) 2004 Norman ASA. All Rights Reserved.
    The material presented is distributed by Norman ASA as an information source only.

    Sent by sand1@discardmail.com. Processed Saturday, 12.Feb 2005 at 22.50 POP3: sandbox


    2.
    Netsky Z (packed with ASPack 2.12): detected by signature, analyzed by sandbox

    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050212-106

    netskyz.aspack.exe : Not detected by sandbox (Signature: Netsky.Z@mm)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 26624 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\Jammer2nd.exe.
    * Creates file C:\WINDOWS\pk_zip_alg.log.
    * Creates file C:\WINDOWS\pk_zip1.log.
    * Creates file C:\WINDOWS\pk_zip2.log.
    * Creates file C:\WINDOWS\pk_zip3.log.
    * Creates file C:\WINDOWS\pk_zip4.log.

    [ Changes to registry ]
    * Creates value "Jammer2nd"="C:\WINDOWS\Jammer2nd.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

    [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Creates a mutex (S)(k)(y)(N)(e)(t).


    (C) 2004 Norman ASA. All Rights Reserved.
    The material presented is distributed by Norman ASA as an information source only.

    Sent by sand1@discardmail.com. Processed Saturday, 12.Feb 2005 at 22.53 POP3: sandbox
     
  20. ---

    --- Guest

    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050212-109

    netskyz.pespin.exe : Not detected by sandbox (Signature: NO_VIRUS)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 35840 bytes.


    (C) 2004 Norman ASA. All Rights Reserved.
    The material presented is distributed by Norman ASA as an information source only.

    Sent by sand2@discardmail.com. Processed Saturday, 12.Feb 2005 at 23.02 POP3: sandbox


    --> I conclude that Norman can indeed unpack ASPack 2.12 (and cannot unpack PESpin 1.1). However, it really bugs me that the sandbox does not unpack our trojan samples. Isn't this strange? o_O


    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050212-113

    ASPack212.Bionet318.exe : Not detected by sandbox (Signature: NO_VIRUS)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File might be compressed.
    * File length: 280576 bytes.


    (C) 2004 Norman ASA. All Rights Reserved.
    The material presented is distributed by Norman ASA as an information source only.

    Sent by sand3@discardmail.com. Processed Saturday, 12.Feb 2005 at 23.12 POP3: sandbox
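Both the Guest's point in post 11 (a sandbox that cannot unpack a sample never gets past the packer stub) and the "File might be compressed." line in the ASPack report above rest on the same observation: compressed or encrypted code has byte statistics unlike ordinary machine code and strings. As an added example, not Norman's code and not from this thread, the Python below shows a windowed byte-entropy heuristic of the kind a scanner can use to raise such a flag. The sample data is constructed inline (a repetitive text-like buffer and its zlib-compressed form standing in for an ASPack/UPX-style packed body); the 7.0 bits-per-byte threshold and the 50% window ratio are this example's assumptions.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_ratio(data: bytes, window: int = 4096, threshold: float = 7.0) -> float:
    """Fraction of fixed-size windows whose entropy exceeds the threshold.

    Windowing matters: a compressed payload appended to a large plain binary
    barely moves the whole-file figure but lights up its own windows.
    """
    windows = [data[i:i + window] for i in range(0, len(data), window)]
    windows = [w for w in windows if len(w) >= window // 2]  # drop a tiny tail window
    if not windows:
        return 0.0
    hot = sum(1 for w in windows if shannon_entropy(w) > threshold)
    return hot / len(windows)


def looks_packed(data: bytes, min_ratio: float = 0.5) -> bool:
    """Assumed decision rule: flag when most of the body is high-entropy."""
    return high_entropy_ratio(data) >= min_ratio


def classify(data: bytes) -> dict:
    """Triage view of one buffer; mirrors the 'might be compressed' wording of the reports."""
    return {
        "entropy_bits_per_byte": round(shannon_entropy(data), 2),
        "hot_window_ratio": round(high_entropy_ratio(data), 2),
        "might_be_compressed": looks_packed(data),
    }


def build_samples(seed: int = 1):
    """Constructed test data: a low-entropy pseudo 'program' and its compressed twin."""
    rng = random.Random(seed)
    tokens = [b"push", b"mov", b"call", b"ret", b"eax", b"ebx", b"esp", b"kernel32",
              b"LoadLibraryA", b"GetProcAddress", b"CreateFileA", b"RegSetValueExA"]
    plain = b" ".join(rng.choice(tokens) for _ in range(20000))
    packed = zlib.compress(plain, 9)  # stands in for a UPX/ASPack-style compressed body
    return plain, packed


if __name__ == "__main__":
    plain, packed = build_samples()
    print("plain :", classify(plain))
    print("packed:", classify(packed))
```

Two caveats a practitioner would attach. First, entropy only says that a region is compressed or encrypted; installers, media and legitimately protected software score just as high, which is why the report says "might be" and why the flag is a reason to unpack, not a verdict. Second, this is exactly the situation the Guest describes: once the flag fires, a static scanner learns nothing more unless an unpacker or an emulator runs the stub far enough to expose the real code for the sandbox to analyse.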
     
  21. ---

    --- Guest

    Another theory:

    the analysis which was performed, for example, in the case of netsky.z (unpacked) is not a real analysis. The sandbox did NOT perform such analysis. By contrast, this malware sample was detected by a signature and the signature database also contains "analysis data" which is used for the removal of malware.
     
  22. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I think sandbox was not able to detect netsky.z (netsky.y) variant. It was detected by signature. It’s quite possible that those two examples are nothing else but signature detection.

    Try to pack netsky.b and see what will happen.

    Packed with Aspack 2.12: ---. Detected by sandbox (not detected by signature)

    ALARM:
    Virus infected:
    Virus name: 'W32/EMailWorm' [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File might be compressed.
    * Display message box (Error) : The file could not be opened!.
    * File length: 26624 bytes.

    [ Changes to filesystem ]
    * Creates file C:/WINDOWS/services.exe.

    [ Changes to registry ]
    * Creates value "service"="C:/WINDOWS/services.exe -serv" in key "HKLM/Software/Microsoft/Windows/CurrentVersion/Run".

    Norman Scanner Engine Information
    Engine version: 5.70.26
    Binary definition file: 5.70 of 2005/02/11
    Macro definition file: 5.70 of 2005/02/11


    tECHNODROME
     
  23. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    The same worm was packed with Armadillo. Norman and KAV failed to detect it. ;)


    tECHNODROME
     
  24. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050213-305

    dsqurejj.exe : [SANDBOX] infected with unknown worm - W32/P2PWorm (Signature: W32/Swen.A@mm)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 106496 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\libdvd.exe.
    * Creates file C:\WINDOWS\SANDBOX.bat.
    * Creates file C:\WINDOWS\sbeq.vvk.
    * Creates file C:\WINDOWS\germs0.dbv.
    * Creates file C:\WINDOWS\TEMP\Patch1826.exe.
    * Deletes file C:\WINDOWS\TEMP\Patch1826.exe.
    * Creates file C:\Progra~1\Kazaa\Myshar~1\winamp hacked.exe.

    [ Changes to registry ]
    * Creates value "gyfukizz"="libdvd.exe autorun" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".
    * Sets value "Install Item"="gyfukizz" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".
    * Sets value "Unfile"="sbeq.vvk" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".
    * Sets value "CacheBox Outfit"="yes" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".
    * Sets value "ZipName"="idco" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".

    [ Spreading through P2P networks ]
    * P2P worm; drops files in P2P upload/download directory.

    [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attemps to NULL WinRar.exe A -EP C:\WINDOWS\idco.zip C:\WINDOWS\TEMP\Patch1826.exe.
     
  25. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Norman Scanner Engine 5.70. 27
    Sandbox 05.70, dated 9/02-2005

    Your message ID (for later reference): 20050213-307

    oimsdxkdlu.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: W32/Bagle.A@mm)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 15872 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\bbeagle.exe.

    [ Changes to registry ]
    * Sets value "uid"="238131497" in key "HKCU\Software\Mirabilis".
    * Creates value "d3dupdate.exe"="C:\WINDOWS\SYSTEM\bbeagle.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Sets value "frun"="" in key "HKCU\Software\Mirabilis".

    [ Network services ]
    * Looks for an Internet connection.
    * Opens URL: http://www.elrasshop.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.it-msc.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.getyourfree.net/1.php?p=6777&id=238131497.
    * Opens URL: http://www.dmdesign.de/1.php?p=6777&id=238131497.
    * Opens URL: http://64.176.228.13/1.php?p=6777&id=238131497.
    * Opens URL: http://www.leonzernitsky.com/1.php?p=6777&id=238131497.
    * Opens URL: http://216.98.136.248/1.php?p=6777&id=238131497.
    * Opens URL: http://216.98.134.247/1.php?p=6777&id=238131497.
    * Opens URL: http://www.cdromca.com/1.php?p=6777&id=238131497.
    * Opens URL: http://www.kunst-in-templin.de/1.php?p=6777&id=238131497.
    * Opens URL: http://vipweb.ru/1.php?p=6777&id=238131497.
    * Opens URL: http://antol-co.ru/1.php?p=6777&id=238131497.
    * Opens URL: http://www.bags-dostavka.mags.ru/1.php?p=6777&id=238131497.
    * Opens URL: http://www.5x12.ru/1.php?p=6777&id=238131497.
    * Opens URL: http://bose-audio.net/1.php?p=6777&id=238131497.
    * Opens URL: http://www.sttngdata.de/1.php?p=6777&id=238131497.
    * Opens URL: http://wh9.tu-dresden.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.micronuke.net/1.php?p=6777&id=238131497.
    * Opens URL: http://www.stadthagen.org/1.php?p=6777&id=238131497.
    * Opens URL: http://www.beasty-cars.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.polohexe.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.bino88.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.grefrathpaenz.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.bhamidy.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.mystic-vws.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.auto-hobby-essen.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.polozicke.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.twr-music.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.sc-erbendorf.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.montania.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.medi-martin.de/1.php?p=6777&id=238131497.
    * Opens URL: http://vvcgn.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.ballonfoto.com/1.php?p=6777&id=238131497.
    * Opens URL: http://www.marder-gmbh.de/1.php?p=6777&id=238131497.
    * Opens URL: http://www.dvd-filme.com/1.php?p=6777&id=238131497.
    * Opens URL: http://www.smeangol.com/1.php?p=6777&id=238131497.

    [ Security issues ]
    * Possible backdoor functionality [UNKNOWN] port 6777.

    [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
     