Trust No Program
Buster


Joined: 06 Aug 2007
Posts: 1276
You're welcome.
Buster


Joined: 06 Aug 2007
Posts: 1276
Released Buster Sandbox Analyzer version 1.07

Change list:

Added detection of new malicious activities
Updated BSA.DAT
Updated LOG_API library
Buster


Joined: 06 Aug 2007
Posts: 1276
Last week I was looking for a program that uses a specific API in order to run some tests. I looked in a folder containing both harmless and malware files and, by chance, I picked a malware sample. Even more surprising was to discover that the malware was Sandboxie-aware, as well as aware of other applications like VMware, Syser Debugger, etc.

I injected LOG_API.DLL and the poor malware could not see it was being analyzed under Sandboxie.

Has anyone else analyzed Sandboxie-aware malware?
Re: Feature request
Buster


Joined: 06 Aug 2007
Posts: 1276
neo wrote:
Tzuk and Buster,

Thanks and congratulations on your great work. Now, if I could make a few feature requests for BSA... It'd be nice to be able to have:

- a pcap of network traffic


In version 1.08 I will introduce a packet sniffer in order to improve the information related to internet connections, but BSA will not produce a pcap of network traffic. I don't consider this relevant.

Anyway, if anyone is interested in pcap files, I suggest installing the portable version of Wireshark and running it unsandboxed.
Buster


Joined: 06 Aug 2007
Posts: 1276
BSA 1.07 may produce a wrong Analysis.TXT.

Until the next version is released, this behaviour can be fixed by editing BSA.DAT, line 243, and changing "->" to "<->".
Buster


Joined: 06 Aug 2007
Posts: 1276
I have seen people in other forums asking questions about BSA reports, specifically about this entry:

machine\software\microsoft\windows nt\currentversion\winlogon\Shell = x

That entry is created by Sandboxie, so it must be added to the registry exclusion list; otherwise it will raise an alert on every malware analysis.
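The exclusion mechanism described above, as an added example that is not BSA's own code: a registry-change report is filtered against an exclusion list so that entries the sandbox itself creates (the winlogon\Shell value discussed in the post) do not raise an alert on every analysis. The report line format, the exclusion-file syntax and the sample data are assumptions constructed for this example.

```python
import fnmatch

# Constructed sample of registry changes in the "key = data" style quoted
# in the thread (not real BSA output). The Shell entry appears twice to show
# that every occurrence is dropped.
SAMPLE_REPORT = """\
machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\Shell = x
machine\\software\\microsoft\\windows\\currentversion\\run\\updater = C:\\Temp\\svchost.exe
user\\software\\microsoft\\windows\\currentversion\\internet settings\\ProxyEnable = 1
machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\Shell = x
"""

# Constructed exclusion list (hypothetical RegistryExclude.TXT syntax): one
# pattern per line, '#' comments, case-insensitive, shell-style wildcards.
SAMPLE_EXCLUDE = """\
# created by Sandboxie itself, not by the analysed sample
machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\Shell
"""


def load_exclusions(text):
    """Return lower-cased patterns, skipping blank lines and comments."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def parse_report(text):
    """Split 'key = data' lines into (key, data) tuples; skip anything else."""
    entries = []
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, _, data = line.partition(" = ")
        entries.append((key.strip(), data.strip()))
    return entries


def filter_report(report, exclusions):
    """Return (kept, dropped): entries whose key matches no pattern are kept."""
    kept, dropped = [], []
    for key, data in parse_report(report):
        if any(fnmatch.fnmatchcase(key.lower(), p) for p in exclusions):
            dropped.append((key, data))
        else:
            kept.append((key, data))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_report(SAMPLE_REPORT, load_exclusions(SAMPLE_EXCLUDE))
    for key, data in kept:
        print("ALERT", key, "=", data)
    print(len(dropped), "sandbox-generated entries suppressed")
```

Only the Run key and the proxy change survive the filter; the two Shell entries are suppressed as sandbox noise.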
Ruhe


Joined: 03 Jul 2008
Posts: 701
Then the easiest and best would be to exclude it by default.
Either built in the source or by an already existing RegistryExclude.TXT in the .rar archive.
Buster


Joined: 06 Aug 2007
Posts: 1276
Ruhe wrote:
Then the easiest and best would be to exclude it by default.
Either built in the source or by an already existing RegistryExclude.TXT in the .rar archive.


Yeah, I thought about adding a RegistryExclude.TXT including that entry in the BSA package. Probably that's what I'll do.

Thanks for your opinion!
Buster


Joined: 06 Aug 2007
Posts: 1276
Released Buster Sandbox Analyzer 1.08.

Change list:

Added a packet sniffer
Updated BSA.DAT
Updated LOG_API library
Buster


Joined: 06 Aug 2007
Posts: 1276
Released Buster Sandbox Analyzer 1.09.

Change list:

Added File Signatures feature
Updated LOG_API library

File Signatures provides information about the packer, if any, used to compress a file or the compiler used to build it.
Buster


Joined: 06 Aug 2007
Posts: 1276
I forgot to mention in the manual that, to avoid PEiD's window appearing while using "File Signature -> Process a Folder", you must run PEID.EXE and uncheck the "Stay on top" checkbox.
Cadillakin


Joined: 22 Jan 2009
Posts: 261
A big thank you to Buster for this analyzer..

I was shopping on Usenet for some tax software... I found it and ran it in the sandbox.. As is my practice, I explored the installed files. Everything worked well.. No obvious signs of infection. No writing to windows.. No start/run entries... No files created in temp folders. But I still wasn't satisfied. I used Buster's program and reran the install...

The program logs were literally laced with created events, dns queries to Russia.. and many hidden processes.. Needless to say, I kept it in the sandbox. What's most interesting to me is that there were many users commenting on this app in Newzbin that their scanners showed it clean... There are perhaps hundreds of users with the finest AV apps money can buy.. and they downloaded, installed and asserted it was clean.

It seems some of the bad guys aren't laying obvious eggs for the scanners to discover...

_________________
XP-Pro SP3, Buffalo Router w/ NAT & SPI Firewall, Sandboxie 3.44
Buster


Joined: 06 Aug 2007
Posts: 1276
Thanks, Cadillakin!

If the tax software was coded by a Russian developer, it may have a logical reason to query DNS servers in Russia.
Cadillakin


Joined: 22 Jan 2009
Posts: 261
Buster wrote:
Thanks, Cadillakin!

If the tax software was coded by a Russian developer, it may have a logical reason to query DNS servers in Russia.

Yeah. Perhaps Turbo-tax (Intuit) was secretly sold to young Russian hackers and the Russian coding sites. There were also some DNS queries to open-source websites in Russia.

Your tool is very helpful. It allows us to see nearly everything that is occurring during installation whereas AV scanners are mostly going to catch known viral-file installations. Many of the tools the hackers are using are legitimate Windows processes that they are creating within the install for the purpose of stealing information.. The AV scanners aren't normally catching these...
Guest10


Joined: 27 Apr 2008
Posts: 2149
Location: Ohio, USA
In another message thread, it was mentioned that Avira A/V is giving a false positive report on BSA.
I thought that I would mention that Norton 2010 A/V has a component called "Sonar Protection" that doesn't like the Registry scanning/comparing that BSA does when analyzing an install.
It doesn't seem to be reacting to the name of the program (I think it was called RegDump.exe) as much as it is reacting to the actual behaviour that is occurring, when checking for Registry changes that were made during the install.
Since Norton stops that program, there will be no listing of Registry changes in the Report.
Norton's Sonar Protection needs to be temporarily disabled when using BSA.

_________________
XP Pro SP3, Norton A/V 2010, Zone Alarm Pro 2010 Firewall, Firefox 3.6.x, Thunderbird 3.1.x
Sandboxie is Copyright © 2004-2010 by Ronen Tzur.  All rights reserved.