Malware analysis - Buster Sandbox Analyzer

Forum for announcements and questions about tools and software.
Buster_BSA
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Malware analysis - Buster Sandbox Analyzer

Post by Buster_BSA » Fri Apr 23, 2010 5:07 pm

Hi.

I would like to open a topic in this forum for Buster Sandbox Analyzer, my malware analysis tool.

For people that still don't know what BSA is, please take a look here: http://bsa.isoftware.nl/

The tool can be downloaded directly from: http://bsa.isoftware.nl/bsa.rar

Why another BSA topic? Well, I think in this forum I may find people that can help me to improve the tool.

Improve how? Well, I hope with ideas for new features and suggestions to improve the existing ones. Also testing the tool and finding bugs.

I just released BSA version 1.19 (the web site is pending an update), which improves the packet sniffer very much. The new version is able to capture only the TCP traffic coming from sandboxed applications. It will also show which program generated the captured packet. Additionally, it will be able to save the captured traffic to a .pcap file.

For forensic network analysis I added Pcap Explorer. It's a feature that can open .pcap files and extract files from HTTP traffic and email attachments. It can follow a TCP session. It can save a new packet capture filtered by user rules.

A few weeks ago I contacted some malware researchers asking for suggestions on how to improve my tool. One of them, Lenny Zeltser (http://zeltser.com), criticized that some malware, especially rootkits, may not run under Sandboxie, or if it does, not all the actions will be logged due to Sandboxie restrictions.

I think he made a very good criticism, so I'm currently working to improve my tool in that sense. My goal is to get BSA analyzing malware that runs outside the sandbox, on a real or a virtual system. Of course, it's always a better idea to run malware on a real system because many samples are aware of the presence of VMs.

In order to record malware actions Capture-BAT will be used: https://www.honeynet.org/node/315
Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.
Capture BAT logs file and registry changes to a file. It also logs process creation. It can even capture internet traffic.

The idea is that Capture BAT logs malware actions and BSA analyzes them.

So in the next release (1.20) BSA will be able to analyze malware that doesn't run under Sandboxie's supervision.

After version 1.20 is out I will be out of ideas, so I will need your help to continue developing it.

I hope you can help to improve BSA.

Regards.
Last edited by EP_X0FF on Mon Dec 13, 2010 2:26 pm, edited 1 time in total.
Reason: Readded links to site and download

Buster_BSA
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Re: Malware analysis - Buster Sandbox Analyzer

Post by Buster_BSA » Thu May 06, 2010 12:22 pm

Buster Sandbox Analyzer 1.20 has been released.

Download link: http://bsa.sandboxie.info/bsa.rar

gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Re: Malware analysis - Buster Sandbox Analyzer

Post by gjf » Thu May 06, 2010 12:56 pm

Unfortunately a lot of malware operates by installing its own driver. That is the limitation of such sandboxes. But anyway, thanks, I will try it.
VirusInfo / Defendium / SafeZone Helpers Crew

Buster_BSA
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Re: Malware analysis - Buster Sandbox Analyzer

Post by Buster_BSA » Thu May 06, 2010 5:49 pm

gjf wrote:Unfortunately a lot of malware operates by installing its own driver. That is the limitation of such sandboxes. But anyway, thanks, I will try it.
The objective of Buster Sandbox Analyzer is to tell if the analyzed application has malicious behaviour.

Even if the malware cannot run fully because Sandboxie will not allow it, the driver will be dropped to the Windows folder (most probably), so this action will be noticed and reported as malicious.

Additionally the new version supports Capture-BAT log files.
Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.
https://www.honeynet.org/node/315

So you can run the malware under the supervision of Capture-BAT and pass the log created to BSA. BSA will create the report and the analysis from the log.

I hope that's good enough. If not, I'm always open to suggestions about how to improve BSA. ;)
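The behavioural check described in the two posts above (a log of file, registry and process actions goes in, a verdict comes out, and a driver dropped into the Windows folder is enough to flag the sample) can be illustrated with a small analyzer over Capture-BAT-style log lines. This is an added example, not code from BSA or from Capture-BAT; the five-field CSV line layout ("time","type","event","process","target") is an assumption modelled on Capture-BAT's output, the log lines are constructed, and the scoring rules are the author's reading of the posts, not BSA's actual rule set.

```python
"""
Minimal behavioural analyser over Capture-BAT-style log lines.

Added example, not part of BSA or Capture-BAT. The line format assumed here
is "time","type","event","process","target"; the sample log is constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample log (not captured from a real run).
SAMPLE_LOG = r'''
"6.5.2010 12:01:03.120","process","created","C:\WINDOWS\explorer.exe","C:\analysis\sample.exe"
"6.5.2010 12:01:03.455","file","Write","C:\analysis\sample.exe","C:\WINDOWS\system32\drivers\hidden.sys"
"6.5.2010 12:01:03.460","registry","SetValueKey","C:\analysis\sample.exe","HKLM\SYSTEM\CurrentControlSet\Services\hidden\ImagePath"
"6.5.2010 12:01:03.470","registry","SetValueKey","C:\analysis\sample.exe","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd"
"6.5.2010 12:01:04.001","file","Write","C:\analysis\sample.exe","C:\Documents and Settings\user\Local Settings\Temp\tmp1.dat"
"6.5.2010 12:01:04.100","process","created","C:\analysis\sample.exe","C:\WINDOWS\system32\cmd.exe"
'''

# Path prefixes are compared in lower case; note the doubled backslashes.
WINDOWS_DIR = "c:\\windows\\"
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Event:
    time: str
    kind: str      # "process", "file" or "registry"
    action: str    # "created", "Write", "SetValueKey", ...
    process: str   # process that performed the action
    target: str    # file path, registry value or child process image


@dataclass
class Finding:
    severity: int  # 1 = informational, 2 = suspicious, 3 = strong indicator
    reason: str
    event: Event


def parse_log(text):
    """Parse quoted CSV lines into Event records, skipping blank/malformed rows."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        events.append(Event(*[f.strip() for f in row]))
    return events


def classify(ev, sample):
    """Return a Finding for one event, or None if these rules consider it benign."""
    target = ev.target.lower()
    action = ev.action.lower()
    if ev.kind == "file" and action == "write":
        # The case from the thread: a driver dropped into the Windows folder.
        if target.startswith(DRIVERS_DIR) or target.endswith(".sys"):
            return Finding(3, "driver dropped into Windows folder", ev)
        if target.startswith(WINDOWS_DIR):
            return Finding(2, "file written into Windows folder", ev)
    if ev.kind == "registry" and action == "setvaluekey":
        if "\\services\\" in target:
            return Finding(3, "service/driver registered in the registry", ev)
        if "\\currentversion\\run" in target:
            return Finding(2, "autorun persistence key set", ev)
    if ev.kind == "process" and action == "created" and ev.process.lower() == sample.lower():
        return Finding(1, "sample spawned a child process", ev)
    return None


def analyze(text, sample):
    """Run every event through classify() and keep the hits, in log order."""
    findings = []
    for ev in parse_log(text):
        f = classify(ev, sample)
        if f is not None:
            findings.append(f)
    return findings


def verdict(findings):
    """Summarise: any strong indicator makes the sample malicious."""
    top = max((f.severity for f in findings), default=0)
    return {0: "clean", 1: "clean", 2: "suspicious", 3: "malicious"}[top]


def report(text, sample):
    findings = analyze(text, sample)
    return verdict(findings), findings


if __name__ == "__main__":
    v, fs = report(SAMPLE_LOG, "C:\\analysis\\sample.exe")
    for f in fs:
        print(f"[{f.severity}] {f.reason}: {f.event.action} {f.event.target}")
    print("verdict:", v)
```

The rules are deliberately coarse: a write into the drivers directory or a new entry under the Services key is treated as a strong indicator on its own, which mirrors the point made above that the dropped driver gets reported even when Sandboxie stops the driver from actually loading.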

gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Re: Malware analysis - Buster Sandbox Analyzer

Post by gjf » Wed May 12, 2010 11:42 pm

OK, it's pretty cool. But one suggestion. You give no ability to use favourite add-ons such as hex editors etc. For instance, BSA has its own PE Explorer, and I like another one; it has its own hex editor, and I like HIEW, etc. It would be good to have the ability to configure external tools for such applications as well.
Last edited by gjf on Thu May 13, 2010 7:07 am, edited 1 time in total.
VirusInfo / Defendium / SafeZone Helpers Crew

gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Re: Malware analysis - Buster Sandbox Analyzer

Post by gjf » Thu May 13, 2010 12:03 am

And one question: is it possible to use a relative path to the injected dll in the Sandboxie config in the case of a portable installation? I mean:


InjectDll=App\Buster Sandbox Analyzerlogi.dll
OpenWinClass=TFormBSA
It would be useful for USB flash installations due to different drive letters on different systems.
VirusInfo / Defendium / SafeZone Helpers Crew

Buster_BSA
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Re: Malware analysis - Buster Sandbox Analyzer

Post by Buster_BSA » Thu May 13, 2010 6:25 am

gjf wrote:OK, it's pretty cool. But one suggestion. You give no ability to use favourite add-ons such as hex editors etc. For instance, BSA has its own PE Explorer, and I like another one; it has its own hex editor, and I like HIEW, etc. It would be good to have the ability to configure external tools for such applications as well.
I will consider adding such feature. Thanks for the suggestion!

Buster_BSA
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Re: Malware analysis - Buster Sandbox Analyzer

Post by Buster_BSA » Thu May 13, 2010 6:28 am

gjf wrote:And one question: is it possible to use a relative path to the injected dll in the Sandboxie config in the case of a portable installation? I mean:


InjectDll=App\Buster Sandbox Analyzerlogi.dll
OpenWinClass=TFormBSA
It would be useful for USB flash installations due to different drive letters on different systems.
I'm afraid that's not possible. You can request that feature by creating a post here:

http://sandboxie.com/phpbb/viewforum.php?f=4

gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Re: Malware analysis - Buster Sandbox Analyzer

Post by gjf » Thu May 13, 2010 9:41 am

OK, I've requested it there. Thanks for the support.

Another issue: is this buggy output due to Cyrillic names caused by Sandboxie, or is it a BSA limitation:
Executing: c:\documents and settings\ам
рар\Ра л\bot.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\ам
рар\Ра л\bot.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\ам
Please note also that the viewer menu in BSA calls the text editor inside the sandbox. Why? Logs are safe, and sandbox placement leads to some trouble in saving them.
VirusInfo / Defendium / SafeZone Helpers Crew

Buster_BSA
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Re: Malware analysis - Buster Sandbox Analyzer

Post by Buster_BSA » Thu May 13, 2010 11:50 am

gjf wrote:Another issue: is this buggy output due to Cyrillic names caused by Sandboxie, or is it a BSA limitation:
Executing: c:\documents and settings\ам
рар\Ра л\bot.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\ам
рар\Ра л\bot.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\ам
It's due to the Cyrillic names. I don't think there is anything to fix there.
gjf wrote:Please note also that the viewer menu in BSA calls the text editor inside the sandbox. Why? Logs are safe, and sandbox placement leads to some trouble in saving them.
That should not happen. Maybe you have something misconfigured in Sandboxie.

Tell me the steps to reproduce the problem, please. I will check whether it's a bug or you have something wrongly configured.
