I would like to open a topic in this forum for Buster Sandbox Analyzer, my malware analysis tool.
For people who still don't know what BSA is, please take a look here: http://bsa.isoftware.nl/
The tool can be downloaded directly from: http://bsa.isoftware.nl/bsa.rar
Why another BSA topic? Well, I think in this forum I may find people who can help me improve the tool.
Improve it how? Well, I hope with ideas for new features and suggestions to improve the existing ones, and also by testing the tool and finding bugs.
I just released BSA version 1.19 (the web site is pending an update), which improves the packet sniffer very much. The new version is able to capture only the TCP traffic coming from sandboxed applications. It will also show which program generated the captured packet. Additionally, it will be able to save the captured traffic to a .pcap file.
For forensic network analysis I added Pcap Explorer. It's a feature that can open .pcap files and extract files from HTTP traffic and email attachments. It can follow a TCP session. It can save a new packet capture filtered by user rules.
A few weeks ago I contacted some malware researchers asking for suggestions on how to improve my tool. One of them, Lenny Zeltser (http://zeltser.com), raised the criticism that some malware, especially rootkits, may not run under Sandboxie, or if it does, not all of its actions will be logged due to Sandboxie's restrictions.
I think it was a very good criticism, so I'm currently working to improve my tool in that respect. My goal is to get BSA analyzing malware that runs outside the sandbox, on a real or a virtual system. Of course, it's always a better idea to run malware on a real system because many samples are aware of the presence of VMs.
In order to record malware actions, Capture-BAT will be used: https://www.honeynet.org/node/315
Capture BAT logs file and registry changes to a file. It also logs process creation. It can even capture internet traffic. Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.
The idea is that Capture BAT logs the malware's actions and BSA analyzes them.
So in the next release (1.20), BSA will be able to analyze malware that doesn't run under Sandboxie's supervision.
After version 1.20 is out I will be out of ideas, so I will need your help to continue developing it.
I hope you can help to improve BSA.
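As an added illustration of the kind of pcap processing the post describes for Pcap Explorer (following a TCP session and pulling a file out of HTTP traffic), here is a small Python script. It is not BSA's or Pcap Explorer's code and does not reflect how they are implemented; it is an independent example. It builds a constructed classic-pcap capture in memory (dummy MACs, RFC 1918 and documentation IP addresses, a made-up download whose body starts with an MZ header), reassembles the server-to-client stream by sequence number even though one segment arrives out of order and another is retransmitted, and returns the HTTP body together with a count of holes in the stream. The function names, the session layout and the sample bytes are all assumptions made for the example.

```python
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1

def build_tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet + IPv4 + TCP frame for the constructed capture (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Classic pcap layout: 24-byte global header, then 16-byte record header + frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_pcap(data):
    """Yield raw frames from classic pcap bytes; stops cleanly on a truncated last record."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                                         # truncated capture
        off += 16 + incl_len
        yield frame

def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload), or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6 or not ihl + 20 <= total_len <= len(ip):
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp)
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:]

def follow_sessions(pcap_bytes):
    """Reassemble each TCP direction by sequence number: fix reordering, drop exact
    retransmissions, trim overlaps, and count holes so a gappy stream is not trusted."""
    segments = defaultdict(dict)                          # (src, sport, dst, dport) -> {seq: payload}
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed and parsed[5]:
            src, sport, dst, dport, seq, payload = parsed
            segments[(src, sport, dst, dport)].setdefault(seq, payload)
    streams = {}
    for key, segs in segments.items():
        buf, expected, holes = bytearray(), min(segs), 0
        for seq, chunk in sorted(segs.items()):
            if seq < expected:                            # partial overlap with data already kept
                chunk, seq = chunk[expected - seq:], expected
            elif seq > expected:                          # a segment is missing from the capture
                holes += 1
            buf += chunk
            expected = seq + len(chunk)
        streams[key] = {"data": bytes(buf), "holes": holes}
    return streams

def extract_http_body(stream):
    """Split one HTTP/1.x message from a reassembled stream, honouring Content-Length."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        return None
    head, body = stream[:sep], stream[sep + 4:]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return body[:int(value.strip())]
    return body

def demo():
    """Constructed session: a GET, then a two-segment response delivered out of order plus a retransmit."""
    client, server = "10.0.0.5", "203.0.113.7"            # private / documentation addresses
    body = b"MZ\x90\x00" + b"\x00" * 60                   # fake PE header, not a real binary
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body)) + body
    frames = [
        build_tcp_frame(client, server, 49152, 80, 1000, b"GET /update.bin HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n"),
        build_tcp_frame(server, client, 80, 49152, 5040, response[40:]),   # second half arrives first
        build_tcp_frame(server, client, 80, 49152, 5000, response[:40]),
        build_tcp_frame(server, client, 80, 49152, 5000, response[:40]),   # retransmission
    ]
    stream = follow_sessions(build_pcap(frames))[(server, 80, client, 49152)]
    return extract_http_body(stream["data"]), stream["holes"]

if __name__ == "__main__":
    extracted, holes = demo()
    print("extracted %d bytes, first 4: %r, holes: %d" % (len(extracted), extracted[:4], holes))
```

To use it on a real capture, pass `open(path, "rb").read()` to `follow_sessions` and pick the server-to-client key. Keep the limitations in mind before trusting what comes out: it handles only classic pcap over Ethernet with IPv4 and does not verify checksums, reassemble IP fragments, or decode chunked transfer encoding, and any stream with `holes > 0` is incomplete, so a hash of the extracted file would not match the sample that actually reached the disk.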