Malware analysis - Buster Sandbox Analyzer

Posted: Fri Apr 23, 2010 5:07 pm
by Buster_BSA
Hi.

I would like to open a topic in this forum for Buster Sandbox Analyzer, my malware analysis tool.

For people who still don't know what BSA is, please take a look here: http://bsa.isoftware.nl/

The tool can be downloaded directly from: http://bsa.isoftware.nl/bsa.rar

Why another BSA topic? Well, I think in this forum I may find people who can help me improve the tool.

Improve how? Well, I hope with ideas for new features and suggestions to improve the existing ones, and also by testing the tool and finding bugs.

I just released BSA version 1.19 (the web site is pending an update), which improves the packet sniffer very much. The new version is able to capture only the TCP traffic coming from sandboxed applications. It will also show which program generated the captured packet. Additionally, it will be able to save the captured traffic to a .pcap file.

For forensic network analysis I added Pcap Explorer. It's a feature that can open .pcap files and extract files from HTTP traffic and email attachments. It can follow a TCP session. It can save a new capture filtered by user rules.

A few weeks ago I contacted some malware researchers asking for suggestions on how to improve my tool. One of them, Lenny Zeltser (http://zeltser.com), criticized that some malware, especially rootkits, may not run under Sandboxie, or if it does, not all the actions will be logged due to Sandboxie restrictions.

I think he made a very good criticism, so I'm currently working to improve my tool in that sense. My goal is to get BSA analyzing malware that runs outside the sandbox, on a real or a virtual system. Of course, it's always a better idea to run malware on a real system because many samples are aware of the presence of VMs.

In order to record malware actions, Capture-BAT will be used: https://www.honeynet.org/node/315
Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.
Capture BAT logs file and registry changes to a file. It also logs process creation. It can even capture internet traffic.

The idea is that Capture BAT logs the malware actions and BSA analyzes them.

So in the next release (1.20) BSA will be able to analyze malware that doesn't run under Sandboxie's supervision.

After version 1.20 is out I will be out of ideas, so I will need your help to continue developing it.

I hope you can help to improve BSA.

Regards.

Re: Malware analysis - Buster Sandbox Analyzer

Posted: Thu May 06, 2010 12:22 pm
by Buster_BSA
Buster Sandbox Analyzer 1.20 has been released.

Download link: http://bsa.sandboxie.info/bsa.rar

Re: Malware analysis - Buster Sandbox Analyzer

Posted: Thu May 06, 2010 12:56 pm
by gjf
Unfortunately a lot of malware operates by installing its own driver. That is the limitation of such sandboxes. But anyway, thanks, I will try it.

Re: Malware analysis - Buster Sandbox Analyzer

Posted: Thu May 06, 2010 5:49 pm
by Buster_BSA
gjf wrote: Unfortunately a lot of malware operates by installing its own driver. That is the limitation of such sandboxes. But anyway, thanks, I will try it.
The objective of Buster Sandbox Analyzer is to tell whether the analyzed application has malicious behaviour.

Even if the malware cannot run fully because Sandboxie will not allow it, the driver will be dropped to the Windows folder (most probably), so this action will be noticed and reported as malicious.

Additionally the new version supports Capture-BAT log files.
Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.
https://www.honeynet.org/node/315

So you can run the malware under the supervision of Capture-BAT and pass the log it creates to BSA. BSA will create the report and the analysis from the log.

I hope that's good enough. If not, I'm always open to suggestions about how to improve BSA. ;)
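The kind of check the post describes, a behaviour log recorded outside the sandbox being scanned for actions such as a driver dropped into the Windows folder, written here as an added example; it is not BSA's or Capture-BAT's code, and the CSV field layout and the sample log lines are constructed assumptions rather than the real Capture-BAT format.

```python
import csv
import io
import re

# Constructed sample log in a simplified CSV layout (timestamp, monitor, action,
# process, target) loosely modelled on Capture-BAT output; the field order is an
# assumption, not the real file format.
SAMPLE_LOG = r'''
"6/5/2010 12:01:03.120","process","created","C:\Windows\explorer.exe","C:\samples\bot.exe"
"6/5/2010 12:01:03.455","file","Write","C:\samples\bot.exe","C:\Windows\system32\drivers\hidden.sys"
"6/5/2010 12:01:03.610","registry","SetValueKey","C:\samples\bot.exe","HKLM\SYSTEM\CurrentControlSet\Services\hidden\ImagePath"
"6/5/2010 12:01:04.002","file","Write","C:\samples\bot.exe","C:\Documents and Settings\user\Local Settings\Temp\a.tmp"
"6/5/2010 12:01:04.200","registry","SetValueKey","C:\samples\bot.exe","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bot"
'''

# Each rule: (monitor, action pattern, target pattern, finding).
# Matching is case-insensitive because Windows paths and registry keys are.
RULES = [
    ("file", r"^(write|create)$", r"^c:\\windows\\.*\.sys$",
     "driver dropped into Windows folder"),
    ("registry", r".", r"^hklm\\system\\currentcontrolset\\services\\",
     "service/driver registration"),
    ("registry", r".", r"\\currentversion\\run\\", "autorun persistence"),
]

def parse_log(text):
    """Turn CSV lines into event dicts, skipping blank or malformed rows."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        ts, monitor, action, process, target = row
        events.append({"time": ts, "monitor": monitor, "action": action,
                       "process": process, "target": target})
    return events

def analyze(events):
    """Return (time, finding, target) for every event that matches a rule."""
    findings = []
    for ev in events:
        for monitor, action_re, target_re, finding in RULES:
            if (ev["monitor"] == monitor
                    and re.search(action_re, ev["action"], re.I)
                    and re.search(target_re, ev["target"], re.I)):
                findings.append((ev["time"], finding, ev["target"]))
    return findings

def verdict(text):
    """'malicious' if any behaviour rule fired, otherwise 'no findings'."""
    return "malicious" if analyze(parse_log(text)) else "no findings"
```

Run against the constructed log, the driver write, the service key and the Run key are flagged while the temp-file write is not, which is the point the post makes: the dropped driver is visible in the log even when the sandbox stops it from loading.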

Re: Malware analysis - Buster Sandbox Analyzer

Posted: Wed May 12, 2010 11:42 pm
by gjf
OK, it's pretty cool. But one suggestion. There is no way to use favourite add-ons such as hex editors, etc. For instance, BSA has its own PE Explorer, but I like another one; it has its own hex editor, but I like HIEW, etc. It would be good to have the ability to configure external tools for such applications as well.

Re: Malware analysis - Buster Sandbox Analyzer

Posted: Thu May 13, 2010 12:03 am
by gjf
And one question: is it possible to use a relative path to the injected DLL in the Sandboxie config in the case of a portable installation? I mean:
    InjectDll=App\Buster Sandbox Analyzerlogi.dll
    OpenWinClass=TFormBSA
It would be useful for a USB flash installation due to different drive letters on different systems.

Re: Malware analysis - Buster Sandbox Analyzer

Posted: Thu May 13, 2010 6:25 am
by Buster_BSA
gjf wrote: OK, it's pretty cool. But one suggestion. There is no way to use favourite add-ons such as hex editors, etc. For instance, BSA has its own PE Explorer, but I like another one; it has its own hex editor, but I like HIEW, etc. It would be good to have the ability to configure external tools for such applications as well.
I will consider adding such a feature. Thanks for the suggestion!

Re: Malware analysis - Buster Sandbox Analyzer

Posted: Thu May 13, 2010 6:28 am
by Buster_BSA
gjf wrote: And one question: is it possible to use a relative path to the injected DLL in the Sandboxie config in the case of a portable installation? I mean:
    InjectDll=App\Buster Sandbox Analyzerlogi.dll
    OpenWinClass=TFormBSA
It would be useful for a USB flash installation due to different drive letters on different systems.
I'm afraid that's not possible. You can request that feature by creating a post here:

http://sandboxie.com/phpbb/viewforum.php?f=4

Re: Malware analysis - Buster Sandbox Analyzer

Posted: Thu May 13, 2010 9:41 am
by gjf
OK, I've requested it there. Thanks for the support.

Another issue: is this buggy output due to Cyrillic names caused by Sandboxie, or is it a BSA limitation:
Executing: c:\documents and settings\ам
рар\Ра л\bot.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\ам
рар\Ра л\bot.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\ам
Please note also that the viewer menu in BSA calls the text editor inside the sandbox. Why? The logs are safe, and placing them in the sandbox leads to some trouble saving them.

Re: Malware analysis - Buster Sandbox Analyzer

Posted: Thu May 13, 2010 11:50 am
by Buster_BSA
gjf wrote: Another issue: is this buggy output due to Cyrillic names caused by Sandboxie, or is it a BSA limitation:
Executing: c:\documents and settings\ам
рар\Ра л\bot.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\ам
рар\Ра л\bot.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\ам
It's due to the Cyrillic names. I don't think there is anything to fix there.
gjf wrote: Please note also that the viewer menu in BSA calls the text editor inside the sandbox. Why? The logs are safe, and placing them in the sandbox leads to some trouble saving them.
That should not happen. Maybe you have something misconfigured in Sandboxie.

Tell me the steps to reproduce the problem, please. I will check whether it's a bug or something wrongly configured on your side.