Sandboxes (Discussion)

PostPosted:Sat Mar 20, 2010 12:38 am
by Jaxryley
In order to use Buster Sandbox Analyser you will need my favourite security app in being Sandboxie!
http://www.sandboxie.com/index.php?DownloadSandboxie

Re: Sandboxes / Online Link checkers

PostPosted:Wed Mar 24, 2010 7:04 pm
by __Genius__
Are HBGary Fastdump & Flypaper free to use!?

Re: Sandboxes / Online Link checkers

PostPosted:Wed Mar 24, 2010 8:39 pm
by Meriadoc
free for non-commercial use - HBGary

Re: Sandboxes / Online Link checkers

PostPosted:Tue Apr 06, 2010 1:32 pm
by wealllbe20
There are many crypters out there that block online and local sandboxes.

hxxp://www.level-23.com/foro/showthread.php?t=13153


Many, many more crypters out there.

These crypters do work.

If you try to run anything crypted by these crypters inside a virtual machine, or you are using Sandboxie, they will simply not execute.

It makes it hard to do a full analysis on these specific types of malware.

Re: Sandboxes / Online Link checkers

PostPosted:Tue Apr 06, 2010 2:30 pm
by NOP
They are kiddie crypters that generally crypt kiddie trojans, nothing interesting there for a malware researcher.

Re: Sandboxes / Online Link checkers

PostPosted:Tue Apr 06, 2010 2:58 pm
by wealllbe20
They may be used by kiddies, but these crypters/packers have things that include bypassing Windows UAC, blocking sandboxing, and anti-disassembler attributes associated with them.

It makes some of these malware testing websites and labs useless, and people who examine malware on a higher level should know about such things.

Re: Sandboxes / Online Link checkers

PostPosted:Tue Apr 06, 2010 3:22 pm
by EP_X0FF
Most so-called anti-* tricks are based on analyzing hardware components of the system (driver/process names of VMware/VPC/VBox) or searching for specific DLLs (as in the case of Sandboxie).

Re: Sandboxes / Online Link checkers

PostPosted:Tue Apr 06, 2010 3:29 pm
by NOP
When I find a sample that PEiD recognizes as Microsoft Visual Basic 5.0 / 6.0 or Borland Delphi 6.0 - 7.0, after a quick look to check whether it is actually a kiddie crypter I just bin it. They're all based off the same loading code and usually other open source code.

If the average user tests one of these files in a sandbox, and it comes up with absolutely nothing, they should be suspicious.
Most so-called anti-* tricks are based on analyzing hardware components of the system (driver/process names of VMware/VPC/VBox) or searching for specific DLLs (as in the case of Sandboxie).
Some just check things like the username, like CurrentUser to detect Norman sandbox. :lol:
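The two posts above (EP_X0FF's on driver/process/DLL name checks, NOP's on the username check) describe what an analyst usually sees when triaging one of these samples: hard-coded strings naming VM tools, the Sandboxie DLL, or a sandbox account name. The following is an added example, not code from the thread or from any tool named in it, of how a triage script can flag those evasion indicators in a file before it is run in a sandbox, so that an empty sandbox report is not mistaken for a clean sample. The indicator table is a constructed, deliberately short list (the Windows process and driver names are real, the grouping and the sample bytes are made up for the example).

```python
"""Triage helper: flag anti-VM / anti-sandbox indicator strings in a sample.

A packed sample that probes for VMware, VirtualBox, Virtual PC or Sandboxie
typically carries those names as plain ASCII or UTF-16LE strings. Finding
them does not prove evasion, but it tells the analyst that an empty sandbox
run is not evidence of a harmless file.
"""

# Constructed indicator table (partial). Keys are categories, values are the
# literal names the sample would compare against running processes, loaded
# drivers, loaded DLLs, or the current username.
INDICATORS = {
    # Process/driver names of the hypervisor guest tools (VMware/VPC/VBox).
    "vm_process_or_driver": [
        b"vmtoolsd.exe", b"vmwareuser.exe", b"vmmouse.sys",
        b"VBoxService.exe", b"VBoxTray.exe", b"VBoxMouse.sys",
        b"vpcbus",
    ],
    # Sandboxie injects this DLL into every sandboxed process.
    "sandboxie_dll": [b"SbieDll.dll"],
    # Username checked to detect the Norman sandbox, as mentioned in the thread.
    "sandbox_username": [b"CurrentUser"],
}


def scan_bytes(data: bytes) -> dict:
    """Return {category: [indicator, ...]} for every indicator found in data.

    Matching is case-insensitive and covers both ASCII and UTF-16LE forms,
    since Windows binaries often store such names as wide strings.
    """
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, which is what we want
    hits = {}
    for category, needles in INDICATORS.items():
        for needle in needles:
            ascii_form = needle.lower()
            wide_form = needle.decode("ascii").lower().encode("utf-16-le")
            if ascii_form in lowered or wide_form in lowered:
                hits.setdefault(category, []).append(needle.decode("ascii"))
    return hits


def triage(data: bytes) -> str:
    """One-line verdict for a report: which indicator categories were seen."""
    hits = scan_bytes(data)
    if not hits:
        return "no anti-analysis indicators"
    return "anti-analysis indicators: " + ", ".join(sorted(hits))


# Constructed sample bytes standing in for a section of an unpacked binary:
# one ASCII reference to the Sandboxie DLL and one wide-string reference to
# the VMware Tools service, surrounded by padding and an ordinary import name.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SbieDll.dll\x00" + b"\x00" * 8
    + "VmToolsd.exe".encode("utf-16-le") + b"\x00" * 8
    + b"kernel32.dll\x00"
)

# Constructed clean sample with only an ordinary import name.
CLEAN = b"MZ\x90\x00" + b"\x00" * 16 + b"kernel32.dll\x00"


if __name__ == "__main__":
    print(triage(SAMPLE))  # anti-analysis indicators: sandboxie_dll, vm_process_or_driver
    print(triage(CLEAN))   # no anti-analysis indicators
```

In practice the table would be much longer and the scan would run over the unpacked image or a memory dump rather than the crypted file on disk, since the whole point of the crypter is to hide exactly these strings until runtime; the check is still useful because an "absolutely nothing" sandbox report on a sample that contains these names is the suspicious case NOP describes.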

Re: Sandboxes (Discussion)

PostPosted:Tue Apr 06, 2010 4:58 pm
by EP_X0FF
Hello,

All discussions about sandboxes moved to separate thread.
If you have more links to online link checkers or online sandboxes feel free to post it here, sticky topic Sandboxes / Online Link checkers will be updated.

Thank you.

Re: Sandboxes (Discussion)

PostPosted:Tue Apr 06, 2010 7:17 pm
by wealllbe20
I had no idea these techniques were so "kiddie".

Thanks guys for the clarification