Norman's Sanbox

This is the best pro-active detection.

Look what Norman do if finds virus with sanbox:

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050211-022

bestfriends.pif : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 33280 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\lsvhosts.EXE.

[ Changes to registry ]
* Creates value "LSASS Authority"="lsvhosts.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "LSASS Authority"="lsvhosts.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".

[ Network services ]
* Looks for an Internet connection.
* Connects to "209.152.177.208" on port 8080 (TCP).
* Connects to IRC Server.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I'll be back...).

 

Another detection with Sanbox:


Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050211-030

I-Worm.Trilissa.e : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Attempts to run Visual Basic Script (VBS).
* Display message box (Sin) : Sin...my heart is full...pain...pain for my love...Sin...my left hand...is full...pain...is full...bloodSin...my head...pain...blood...for love...blood...Sin...a gun...a man...a Sin...for love....
* File length: 8192 bytes.

[ Changes to filesystem ]
* Creates file C:\Explorer.exe.
* Creates file C:\WINDOWS\Sin.exe.
* Creates file C:\Guilty.scr.
* Creates file C:\Confexion.doc.scr.
* Drops Visual Basic Script: C:\Sin.vbs.
* Deletes file c:\autoexec.bat.
* Creates file C:\autoexec.bat.

[ Process/window information ]
* Attemps to NULL c:\Sin.vbs NULL.


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

 

Impressive, isn't it?


tECHNODROME

 

The virus information is impressive but it performs badly at Jotti.

 

Actually... the work done by Norman’s Sandbox is quite impressive. Anyway, I wouldn’t depend on Jotti’s ON LINE SCANNER to judge an av.


tECHNODROME

 

And may I ask why would not you??

 

In Finland, the Fujitsu PC:s that have Norman as preinstalled AV in their PC:s, I don't have any good to say about Norman's trojan like nasties protection which is close to nothing. I've installed Avast 4.6 beta to several PC:s to friends of mines to avoid infected samples that I have found in their PC:s by using Norman. Avast is superior compared to Norman.

Best regards,
Firefighter!

 

Jotti's site does not serve that purpose.

tECHNODROME

 

Jottis is probably the most reliable test of "IN THE WILD" viruses we have. Normans record there is woeful.

 

I agree,Jotti shows a very good % on where is AV placed.
But many won't agree with me. I don't care.
Norman shows a big potential in their Sandbox,but they seriously lack signatures.
I found only few true signature detection and even those were only samples that are certanly ITW (usually all AV scanners detected that sample). Huge majority of others are detected through Sandbox.
So there is still room for improvements...

 

As regards non-replicating malware (aka trojans): A sandbox does not help if it is not combined with a good unpacking engine and/or a memory scanner. This is because the sandbox cannot analyze packed files.

Example:

-------------------


Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050212-040

Armadillo310.RESOURCE.ICONREPL.OptixLite05.exe : Not detected by sandbox (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 348160 bytes.


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

Sent by sandbox@discardmail.com. Processed Saturday, 12.Feb 2005 at 18.49 POP3: sandbox

----------------

A more detailed analysis can be found here:

http://illusivesecurity.il.funpic.de/viewtopic.php?t=46

 

A year ago I tested packed files and Norman sandbox was able to detect them ( If I remember correctly it was UPX and Aspack ).

Basically, this means it can unpack and analyze packed files but not the most complicated ones (such as Armadillo).


See http://www.norman.com/Virus/Virus_descriptions/16382/en-us?show=default



tECHNODROME

 

@technodrome

Thanks for your comments. Do you remember which samples you have used?

It seems to me that your test results are not in line with ours. That's why I would like to further explore this issue:

According to our scan log Norman does not detect:

ASPack212.Coldfusion108.dll 25 600
ASPack212.Beast192c.exe 55 808
ASPack212.Bionet318.exe 280 576
ASPack212.Netdevil12.exe 239 616
ASPack212.OptixLite05.exe 36 864
ASPack212.RESOURCE.DELRCPACKINFO.DC.OptixLite5.exe 36 864

and

UPX190b.Coldfusion108.dll 19 456
UPX.Netdevil12.exe 268 800
UPX084.Asylum013.exe 4 608
UPX084.Bionet318.exe 305 664
UPX084.rescompr.Theef2b5.exe 278 016
UPX084.TheefLE111_comp4.exe 26 112
UPX084.UPOLYX.Bionet318.exe 305 664
UPX084.UPXME SCR.Bionet318.exe 305 664
UPX104.TheefLE111_comp6.exe 24 066
UPX108.TheefLE111_comp2.exe 26 626
UPX120.TheefLE111_comp1.exe 27 650
UPX124.TheefLE111_comp8.exe 23 554

Moreover, I have submitted a standard UPX-compressed Bionet 3.18 trojan to the live sandbox:

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050212-077

UPX084.Bionet318.exe : Not detected by sandbox (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 305664 bytes.


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

Sent by sandboxi@discardmail.com. Processed Saturday, 12.Feb 2005 at 20.49 POP3: sandbox

---

 

I can't recall. But I've used packed worms and not Trojans. Sorry I did not read your part about Trojans, I thought you were speaking generally. My bad.


tECHNODROME

 

@technodrome

I could imagine that Norman created special signatures for the packed variants of the worms because such worms were widely spread and, therefore, the UPX-packed variants had already been submitted to Norman.

 

As far as I know Sandbox doesn't use signatures at all. It’s totally isolated from the virus signature engine (regular engine). I could be wrong though.

I did test on exotic packed worms which were detected by sandbox engine and not by signature engine.



tECHNODROME

 

Thanks! Your explanation was helpful. We can now rule out that the ordinary signature scanner detected the samples.

I will perform a few tests with worms. Would be kinda interesting if the sandbox merely analyzed worms but not trojans.

 

Thanks

I am looking forward to your comments and findings.


tECHNODROME

 

1.
Netsky Z (detected by signature & analyzed by Sandbox):

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050212-105

netskyz.exe : Not detected by sandbox (Signature: Netsky.Z@mm)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 22016 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\Jammer2nd.exe.
* Creates file C:\WINDOWS\pk_zip_alg.log.
* Creates file C:\WINDOWS\pk_zip1.log.
* Creates file C:\WINDOWS\pk_zip2.log.
* Creates file C:\WINDOWS\pk_zip3.log.
* Creates file C:\WINDOWS\pk_zip4.log.
* Creates file C:\WINDOWS\pk_zip5.log.

[ Changes to registry ]
* Creates value "Jammer2nd"="C:\WINDOWS\Jammer2nd.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Creates a mutex (S)(k)(y)(N)(e)(t).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

Sent by sand1@discardmail.com. Processed Saturday, 12.Feb 2005 at 22.50 POP3: sandbox


2.
Netsky Z (packed with ASPack 2.12): detected by signature, analyzed by sandbox

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050212-106

netskyz.aspack.exe : Not detected by sandbox (Signature: Netsky.Z@mm)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 26624 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\Jammer2nd.exe.
* Creates file C:\WINDOWS\pk_zip_alg.log.
* Creates file C:\WINDOWS\pk_zip1.log.
* Creates file C:\WINDOWS\pk_zip2.log.
* Creates file C:\WINDOWS\pk_zip3.log.
* Creates file C:\WINDOWS\pk_zip4.log.

[ Changes to registry ]
* Creates value "Jammer2nd"="C:\WINDOWS\Jammer2nd.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Creates a mutex (S)(k)(y)(N)(e)(t).


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

Sent by sand1@discardmail.com. Processed Saturday, 12.Feb 2005 at 22.53 POP3: sandbox

 

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050212-109

netskyz.pespin.exe : Not detected by sandbox (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 35840 bytes.


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

Sent by sand2@discardmail.com. Processed Saturday, 12.Feb 2005 at 23.02 POP3: sandbox


--> I conclude that Norman can indeed unpack ASPack 2.12 (and cannot unpack PESpin 1.1). However, it really bugs me that the sandbox does not unpack our trojan samples. Isn't this strange


Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050212-113

ASPack212.Bionet318.exe : Not detected by sandbox (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* File length: 280576 bytes.


(C) 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

Sent by sand3@discardmail.com. Processed Saturday, 12.Feb 2005 at 23.12 POP3: sandbox

 

Another theory:

the analyis which was performed, for example, in the case of netsky.z (unpacked) is not a real analysis. The sandbox did NOT perform such analysis. By contrast, this malware sample was detected by a signature and the signature database also contains "analysis data" which is used for the removal of malware.

 

I think sandbox was not able to detect netsky.z (netsky.y) variant. It was detected by signature. It’s quite possible that those two examples are nothing else but signature detection.

Try to pack netsky.b and see what will happen.

Packed with Aspack 2.12: ---. Detected by sandbox (not detected by signature)

ALARM:
Virus infected:
Virus name: 'W32/EMailWorm' [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Display message box (Error) : The file could not be opened!.
* File length: 26624 bytes.

[ Changes to filesystem ]
* Creates file C:/WINDOWS/services.exe.

[ Changes to registry ]
* Creates value "service"="C:/WINDOWS/services.exe -serv" in key "HKLM/Software/Microsoft/Windows/CurrentVersion/Run".

Norman Scanner Engine Information
Engine version: 5.70.26
Binary definition file: 5.70 of 2005/02/11
Macro definition file: 5.70 of 2005/02/11


tECHNODROME

 

The same worm was packed with Armadillo. Norman and KAV failed to detect it.


tECHNODROME

 

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050213-305

dsqurejj.exe : [SANDBOX] infected with unknown worm - W32/P2PWorm (Signature: W32/Swen.A@mm)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 106496 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\libdvd.exe.
* Creates file C:\WINDOWS\SANDBOX.bat.
* Creates file C:\WINDOWS\sbeq.vvk.
* Creates file C:\WINDOWS\germs0.dbv.
* Creates file C:\WINDOWS\TEMP\Patch1826.exe.
* Deletes file C:\WINDOWS\TEMP\Patch1826.exe.
* Creates file C:\Progra~1\Kazaa\Myshar~1\winamp hacked.exe.

[ Changes to registry ]
* Creates value "gyfukizz"="libdvd.exe autorun" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".
* Sets value "Install Item"="gyfukizz" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".
* Sets value "Unfile"="sbeq.vvk" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".
* Sets value "CacheBox Outfit"="yes" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".
* Sets value "ZipName"="idco" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\XAGWY".

[ Spreading through P2P networks ]
* P2P worm; drops files in P2P upload/download directory.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Attemps to NULL WinRar.exe A -EP C:\WINDOWS\idco.zip C:\WINDOWS\TEMP\Patch1826.exe.

 

Norman Scanner Engine 5.70. 27
Sandbox 05.70, dated 9/02-2005

Your message ID (for later reference): 20050213-307

oimsdxkdlu.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: W32/Bagle.A@mm)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 15872 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\bbeagle.exe.

[ Changes to registry ]
* Sets value "uid"="238131497" in key "HKCU\Software\Mirabilis".
* Creates value "d3dupdate.exe"="C:\WINDOWS\SYSTEM\bbeagle.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "frun"="
" in key "HKCU\Software\Mirabilis".

[ Network services ]
* Looks for an Internet connection.
* Opens URL: http://www.elrasshop.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.it-msc.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.getyourfree.net/1.php?p=6777&id=238131497.
* Opens URL: http://www.dmdesign.de/1.php?p=6777&id=238131497.
* Opens URL: http://64.176.228.13/1.php?p=6777&id=238131497.
* Opens URL: http://www.leonzernitsky.com/1.php?p=6777&id=238131497.
* Opens URL: http://216.98.136.248/1.php?p=6777&id=238131497.
* Opens URL: http://216.98.134.247/1.php?p=6777&id=238131497.
* Opens URL: http://www.cdromca.com/1.php?p=6777&id=238131497.
* Opens URL: http://www.kunst-in-templin.de/1.php?p=6777&id=238131497.
* Opens URL: http://vipweb.ru/1.php?p=6777&id=238131497.
* Opens URL: http://antol-co.ru/1.php?p=6777&id=238131497.
* Opens URL: http://www.bags-dostavka.mags.ru/1.php?p=6777&id=238131497.
* Opens URL: http://www.5x12.ru/1.php?p=6777&id=238131497.
* Opens URL: http://bose-audio.net/1.php?p=6777&id=238131497.
* Opens URL: http://www.sttngdata.de/1.php?p=6777&id=238131497.
* Opens URL: http://wh9.tu-dresden.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.micronuke.net/1.php?p=6777&id=238131497.
* Opens URL: http://www.stadthagen.org/1.php?p=6777&id=238131497.
* Opens URL: http://www.beasty-cars.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.polohexe.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.bino88.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.grefrathpaenz.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.bhamidy.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.mystic-vws.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.auto-hobby-essen.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.polozicke.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.twr-music.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.sc-erbendorf.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.montania.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.medi-martin.de/1.php?p=6777&id=238131497.
* Opens URL: http://vvcgn.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.ballonfoto.com/1.php?p=6777&id=238131497.
* Opens URL: http://www.marder-gmbh.de/1.php?p=6777&id=238131497.
* Opens URL: http://www.dvd-filme.com/1.php?p=6777&id=238131497.
* Opens URL: http://www.smeangol.com/1.php?p=6777&id=238131497.

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 6777.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).