Sandboxes (Discussion)

Forum for analysis and discussion about malware.
Jaxryley
Posts: 140
Joined: Mon Mar 15, 2010 7:49 am

Sandboxes (Discussion)

Post by Jaxryley » Sat Mar 20, 2010 12:38 am

In order to use Buster Sandbox Analyser you will need my favourite security app, Sandboxie!
http://www.sandboxie.com/index.php?DownloadSandboxie

__Genius__
Posts: 92
Joined: Sun Mar 14, 2010 8:20 am

Re: Sandboxes / Online Link checkers

Post by __Genius__ » Wed Mar 24, 2010 7:04 pm

Are HBGary Fastdump & Flypaper free to use!?
- Individuality

Meriadoc
Posts: 195
Joined: Sat Mar 13, 2010 7:36 pm
Location: Cymru

Re: Sandboxes / Online Link checkers

Post by Meriadoc » Wed Mar 24, 2010 8:39 pm

free for non-commercial use - HBGary
Who controls the past controls the future
Who controls the present controls the past

wealllbe20
Posts: 40
Joined: Tue Mar 16, 2010 8:08 pm

Re: Sandboxes / Online Link checkers

Post by wealllbe20 » Tue Apr 06, 2010 1:32 pm

There are many crypters out there that block online and local sandboxes.

hxxp://www.level-23.com/foro/showthread.php?t=13153


Many, many more crypters out there.

These crypters do work.

If you try to run anything crypted by these crypters inside a virtual machine, or if you are using Sandboxie, it will simply not execute.

It makes it hard to do a full analysis on these specific types of malware.

NOP
Posts: 36
Joined: Wed Mar 31, 2010 4:56 pm

Re: Sandboxes / Online Link checkers

Post by NOP » Tue Apr 06, 2010 2:30 pm

They are kiddie crypters that generally crypt kiddie trojans, nothing interesting there for a malware researcher.

wealllbe20
Posts: 40
Joined: Tue Mar 16, 2010 8:08 pm

Re: Sandboxes / Online Link checkers

Post by wealllbe20 » Tue Apr 06, 2010 2:58 pm

They may be used by kiddies, but these crypters/packers have features that include bypassing Windows UAC, blocking sandboxing, and anti-disassembler attributes.

It makes some of these malware testing websites and labs useless, and people who examine malware at a higher level should know about such things.

EP_X0FF
Global Moderator
Posts: 4781
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Sandboxes / Online Link checkers

Post by EP_X0FF » Tue Apr 06, 2010 3:22 pm

Most so-called anti* tricks are based on analyzing hardware components of the system (driver/process names of VMware/VPC/VBox) or on searching for specific DLLs (as in the case of Sandboxie).
Ring0 - the source of inspiration

NOP
Posts: 36
Joined: Wed Mar 31, 2010 4:56 pm

Re: Sandboxes / Online Link checkers

Post by NOP » Tue Apr 06, 2010 3:29 pm

When I find a sample that PEiD recognizes as Microsoft Visual Basic 5.0 / 6.0 or Borland Delphi 6.0 - 7.0, after a quick look to check whether it is actually a kiddie crypter, I just bin it. They're all based off the same loading code and usually other open source code.

If the average user tests one of these files in a sandbox and it comes up with absolutely nothing, they should be suspicious.

EP_X0FF wrote:
Most so-called anti* tricks are based on analyzing hardware components of the system (driver/process names of VMware/VPC/VBox) or on searching for specific DLLs (as in the case of Sandboxie).

Some just check things like the username, like CurrentUser to detect the Norman sandbox. :lol:
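
The checks EP_X0FF and NOP describe above (VM driver/process names, the Sandboxie DLL, the sandbox username), as an added example that is not code from this thread or from any of the tools mentioned. The module, process, driver and username lists it scans are constructed sample data standing in for what a stub would enumerate on a live host; the only live call is the Windows-only GetModuleHandleA lookup for SbieDll.dll, the DLL Sandboxie injects into every sandboxed process. The VMware / VirtualBox / Virtual PC names in the tables are the well-known guest-additions process and driver names; the same strings are what an analyst greps for in an unpacked stub to confirm it carries these checks.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Reasons a stub might decide it is being analysed, as a bitmask. */
enum { EV_SANDBOX_DLL = 1, EV_VM_PROCESS = 2, EV_VM_DRIVER = 4, EV_SANDBOX_USER = 8 };

/* Indicator tables. SbieDll.dll is the DLL Sandboxie injects into every
 * sandboxed process. The process and driver names are installed by VMware
 * Tools, VirtualBox Guest Additions and Virtual PC Additions. "CurrentUser"
 * is the account name the thread attributes to the Norman sandbox. */
static const char *const SANDBOX_DLLS[]  = { "sbiedll.dll", NULL };
static const char *const VM_PROCESSES[]  = { "vmtoolsd.exe", "vboxservice.exe",
                                             "vboxtray.exe", "vmsrvc.exe", NULL };
static const char *const VM_DRIVERS[]    = { "vboxguest.sys", "vboxmouse.sys",
                                             "vmmouse.sys", "vmhgfs.sys", NULL };
static const char *const SANDBOX_USERS[] = { "currentuser", NULL };

/* Case-insensitive equality: Windows file, process and user names are case-insensitive. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Return the first indicator that matches any observed name, or NULL. */
const char *match_indicator(const char *const *observed, size_t n_observed,
                            const char *const *indicators)
{
    for (size_t i = 0; i < n_observed; i++)
        for (const char *const *ind = indicators; *ind; ind++)
            if (name_eq(observed[i], *ind))
                return *ind;
    return NULL;
}

/* What a stub can cheaply observe about the host it runs on. */
typedef struct {
    const char *const *modules;   size_t n_modules;   /* DLLs loaded in this process */
    const char *const *processes; size_t n_processes; /* names of running processes */
    const char *const *drivers;   size_t n_drivers;   /* loaded kernel drivers */
    const char *username;                             /* current account name */
} host_view;

/* Bitmask of EV_* reasons; a stub that sees a non-zero value just exits. */
int sandbox_indicators(const host_view *h)
{
    int reasons = 0;
    const char *const user[] = { h->username ? h->username : "" };
    if (match_indicator(h->modules, h->n_modules, SANDBOX_DLLS))     reasons |= EV_SANDBOX_DLL;
    if (match_indicator(h->processes, h->n_processes, VM_PROCESSES)) reasons |= EV_VM_PROCESS;
    if (match_indicator(h->drivers, h->n_drivers, VM_DRIVERS))       reasons |= EV_VM_DRIVER;
    if (match_indicator(user, 1, SANDBOX_USERS))                     reasons |= EV_SANDBOX_USER;
    return reasons;
}

#ifdef _WIN32
/* The live Sandboxie check: is SbieDll.dll already mapped into our own process? */
int live_sandboxie_check(void) { return GetModuleHandleA("SbieDll.dll") != NULL; }
#endif

/* Constructed sample hosts (not captured from real machines). */
int sample_sandboxie(void)
{
    static const char *const mods[]  = { "ntdll.dll", "kernel32.dll", "SbieDll.dll" };
    static const char *const procs[] = { "explorer.exe", "svchost.exe" };
    static const char *const drvs[]  = { "ntoskrnl.exe", "tcpip.sys" };
    host_view h = { mods, 3, procs, 2, drvs, 2, "analyst" };
    return sandbox_indicators(&h);   /* EV_SANDBOX_DLL */
}

int sample_vbox_norman(void)
{
    static const char *const mods[]  = { "ntdll.dll", "kernel32.dll" };
    static const char *const procs[] = { "explorer.exe", "VBoxService.exe" };
    static const char *const drvs[]  = { "ntoskrnl.exe", "VBoxGuest.sys" };
    host_view h = { mods, 2, procs, 2, drvs, 2, "CurrentUser" };
    return sandbox_indicators(&h);   /* EV_VM_PROCESS | EV_VM_DRIVER | EV_SANDBOX_USER */
}

int sample_clean(void)
{
    static const char *const mods[]  = { "ntdll.dll", "kernel32.dll" };
    static const char *const procs[] = { "explorer.exe", "svchost.exe" };
    static const char *const drvs[]  = { "ntoskrnl.exe", "tcpip.sys" };
    host_view h = { mods, 2, procs, 2, drvs, 2, "alice" };
    return sandbox_indicators(&h);   /* 0 */
}

int main(void)
{
    printf("Sandboxie host: reasons=0x%x\n", sample_sandboxie());
    printf("VirtualBox + Norman user: reasons=0x%x\n", sample_vbox_norman());
    printf("Clean host: reasons=0x%x\n", sample_clean());
#ifdef _WIN32
    printf("This process under Sandboxie: %d\n", live_sandboxie_check());
#endif
    return 0;
}
```

A stub that gets a non-zero mask exits without unpacking, which is the "simply not execute" behaviour described earlier in the thread. Because every check is a string comparison against a fixed table, the analyst's counter is equally cheap: rename or remove the guest-additions processes and drivers, use an ordinary account name, and, for the DLL check, patch or hook the lookup so the stub never sees SbieDll.dll.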

EP_X0FF
Global Moderator
Posts: 4781
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Sandboxes (Discussion)

Post by EP_X0FF » Tue Apr 06, 2010 4:58 pm

Hello,

All discussions about sandboxes moved to separate thread.
If you have more links to online link checkers or online sandboxes feel free to post it here, sticky topic Sandboxes / Online Link checkers will be updated.

Thank you.
Ring0 - the source of inspiration

wealllbe20
Posts: 40
Joined: Tue Mar 16, 2010 8:08 pm

Re: Sandboxes (Discussion)

Post by wealllbe20 » Tue Apr 06, 2010 7:17 pm

Had no idea these techniques were so "kiddie".

Thanks guys for the clarification
