
Buster Sandbox Analyzer (c) 2009 by Buster

contact: malware.collector@gmail.com

Index

1. Introduction
2. Pros, contras, warnings and limitations
3. Installation and usage
4. Conclusions
5. Acknowledgements
6. Program History

1. Introduction
Buster Sandbox Analyzer is a tool designed to analyze the behaviour of sandboxed processes and the changes they make to the system, and then to evaluate whether those changes are suspicious of malware. The changes made to the system can be of several types: file system changes, registry changes and port changes. A file system change happens when a file is created, deleted or modified. Depending on what type of file has been created (executable, library, javascript, batch, etc.) and where it was created (which folder) we can obtain valuable information. Registry changes are those made to the Windows registry. In this case we obtain valuable information from the modified value keys and from the newly created or deleted registry keys. Port changes are produced when a connection is made outside, to other computers, or when a port is opened locally and starts listening for incoming connections. From all these changes we obtain the information needed to evaluate the "risk" of some of the actions taken by sandboxed applications. Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur. Even if Buster Sandbox Analyzer's main goal is to decide whether sandboxed processes show malware behaviour, the tool can also be used simply to obtain a list of the changes made to the system, so if you install a piece of software you will know exactly what it installs and where. Additionally, apart from system changes, other actions can be considered suspicious of malware: keyboard logging, ending the Windows session, loading a driver, starting a service, connecting to the Internet, etc.

All the above operations can be considered non-malicious, but if they are performed when they are not expected, that is something we must take into consideration. Therefore it is not only important to consider what actions are performed; it is also important to consider whether it is reasonable that certain actions are performed. There are several web services and programs doing the same task as Buster Sandbox Analyzer.

Web services:
http://www.joebox.org (Joebox)
http://anubis.iseclab.org (Anubis)
http://www.norman.com/security_center/security_tools/submit_file (Norman)
http://www.cwsandbox.org (Sunbelt's CWSandbox)
http://www.threatexpert.com (Threat Expert)
http://camas.comodo.com/cgi-bin/submit (Comodo Instant Malware Analysis)

Malware analyzing software:
http://www.norman.com/enterprise/all_products/malware_analyzer/norman_sandbox_analyzer (Norman Sandbox Analyzer)
http://zerowine.sourceforge.net (Zero Wine)

Web services are free of charge and can be used publicly. Zero Wine is an open source project but it has been abandoned lately. Norman Sandbox Analyzer is a professional malware analyzer and it is oriented to professionals.

2. Pros, contras, warnings and limitations

Buster Sandbox Analyzer has pros and contras like any other malware analyzer. A list of them:

Pros of Buster Sandbox Analyzer / Contras of other malware analyzers:

Buster Sandbox Analyzer will run on any computer where Sandboxie is installed and working. No Internet connection is required. Web-based malware analyzers require an Internet connection to submit the sample to analyze and to get the analysis results.

Buster Sandbox Analyzer can analyze any kind of file type (EXE, BAT, VBS, PDF, XLS, DOC, ...). If the file can be executed, Buster Sandbox Analyzer can analyze it. Usually malware analyzers just process PE files (Win32 executables).

With Buster Sandbox Analyzer, if a library (DLL, OCX, ...) or other software is required you can satisfy the requirement just by copying or installing whatever is necessary to get the application working properly.

Some other malware analyzers just run one program at a time. If a library or anything else is required the analysis will fail and there is nothing you can do about it.

With Buster Sandbox Analyzer, if a program requires you to click a button to continue (e.g. installations and setups), you can do it.

Other malware analyzers are "automatic" (unattended) and can only analyze programs that perform their actions directly, without human intervention. The analysis will stop if the program waits for the user to click "Next" or to tick an "Accept the agreement" checkbox, for example.

Buster Sandbox Analyzer shows information that can be clearly understood even by non-advanced users. Other malware analyzers usually show a big amount of information when the analysis finishes. A never-ending list of used APIs can be a scary thing for non-advanced users, and probably they will not be able to understand what they are seeing.

Buster Sandbox Analyzer is free of charge. You just have to pay for a Sandboxie license, which is very cheap and is a lifetime license. Web-based malware analyzers are free of charge but the service can be discontinued at any time. ZeroWine is free of charge but seems discontinued, and Norman Sandbox is really expensive.

Buster Sandbox Analyzer can be configured. You can configure which file types to watch, which registry entries must be considered AutoStart locations, etc. Other malware analyzers cannot be configured by the user.

With Buster Sandbox Analyzer, advanced users can enhance the analysis by running additional software inside the sandbox to retrieve more information, like Mark Russinovich's Process Monitor, or sniffers to capture the information being transmitted. In other malware analyzers the analysis cannot be improved.

Buster Sandbox Analyzer is Windows version independent. It can be used in Windows 2000, Windows XP, Windows Vista or Windows 7. Other malware analyzers will analyze the malware only under Windows XP, Windows Vista or Windows 7. If the malware is version dependent this will be a problem.

Contras of Buster Sandbox Analyzer / Pros of other malware analyzers:

Buster Sandbox Analyzer will not be able to watch system changes made by programs that require a driver installation. This is due to a Sandboxie limitation: installation of drivers is not allowed by default for security reasons.

Buster Sandbox Analyzer cannot process a batch of files. Norman Sandbox Analyzer, for example, allows processing a folder.

A problem common to all malware analyzers is that malware can detect it is being run under a malware analyzer environment or a virtual machine and abort execution. The only way to solve this problem would be to use a private malware analyzer, so that malware coders do not know it exists and are unable to add checks to detect it.

Warnings:

Sandboxie, the environment used by Buster Sandbox Analyzer, has been designed specifically to avoid changes to disk. Sandboxie has not been designed to avoid information leaks, like programs sending information from your computer to the Internet.

Sandboxie's author added several features to avoid this, but they are not enabled by default. If you intend to use Buster Sandbox Analyzer with a default Sandboxie installation you must realize that information could go out from your computer to another computer on the Internet: mail account login details, for example. Like any other security software, Sandboxie is not 100% bullet proof. Take the measures you consider necessary to avoid OS corruption/infection. I suggest a disk image solution. I suggest you have only Sandboxie installed as security solution on the computer you use to run Buster Sandbox Analyzer. Sandboxie stores the sandboxed contents inside a folder, defined by the user, on the real disk. If you have other security solutions installed they may interfere with Sandboxie's operations.

Limitations:

Buster Sandbox Analyzer's limitations are imposed by Sandboxie's limitations and, of course, by my own limitations as a malware analyst and programmer. Sandboxie has the following limitations: it will not run natively on 64-bit systems. For security reasons Sandboxie does not allow driver installation and system hooks. Sandboxie fails to sandbox certain executable files, usually compressed files.

3. Installation and usage

Installation:

Buster Sandbox Analyzer, or BSA for short, is a portable application. This means that you just need to copy the package contents to any folder on any drive and run it from there. Edit Sandboxie's configuration (open Sandboxie Control -> Configure -> Edit Configuration) and add the next two lines to every sandbox you will be using with Buster Sandbox Analyzer (the InjectDll path must point to the folder where you copied BSA; the example below uses c:\dos\bsa):

InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA

It should look like:

[DefaultBox]
ConfigLevel=6
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
Enabled=y
InjectDll=c:\dos\bsa\log_api.dll
OpenWinClass=TFormBSA
...
[UserSettings_00000000]

Without those two lines the API logger function will not work.

Usage:

Sandboxie (version 3.41.10 or later) must be installed on the computer, configured as you see fit, and working correctly before using Buster Sandbox Analyzer. "Automatically delete contents of sandbox" must be disabled.

To start working with BSA you must specify which sandbox folder you will work with. The sandbox folder must be defined at "Sandbox folder to check". You only have to specify sandbox folders once: when you close BSA, the used sandbox folders are saved automatically and are available on the next run under "Last used sandbox folders".

When you are ready, press the "Start" button. Buster Sandbox Analyzer will check whether the sandbox folder is empty. If it is not, it will present two options: delete the sandbox contents, or ignore them and continue. Note: Buster Sandbox Analyzer drops files to disk and makes calls to other executables.

After clicking "Start", two other buttons will be enabled: "Check Ports" and "Find differences". You will also see a window with the API calls. Now is the moment to run under Sandboxie whatever you want. If you are interested in a port comparison you can click the "Check Ports" button. Clicking that button is optional, not mandatory.

When you consider you have finished with the sandboxed processes you must terminate all processes in Sandboxie: e.g. right click Sandboxie's tray icon -> Terminate All Programs. Then click "Find differences". Note: if Sandboxie is still sandboxing a process when you click "Find differences", you will receive a warning. Just wait until all processes have finished in Sandboxie and click "Find differences" again.

After clicking "Find differences" another button will be enabled: "Malware Analyzer". If you are interested only in the changes made to the system, not in the malware analysis, you can exit BSA. In BSA's folder, inside the "Reports" directory, you will find (when available) the following files: FileDiff.TXT, RegDiff.TXT, PortDiff.TXT, LOG_API.TXT and Report.TXT. These files are plain text and can be opened with any text editor.

If you are interested in the malware analysis, click the "Malware Analyzer" button. Buster Sandbox Analyzer will analyze the report files and perform several checks looking for malware behaviour. It will present a list of suspicious behaviours and indicate whether each was performed or not. Considering the number of suspicious actions performed, the risk evaluation can be: low, medium or high. In Buster Sandbox Analyzer version 1.0 the risk evaluation system is still under construction and will be revised in the next releases. When you close the malware analyzer the results will be saved to Analisis.TXT under the "Reports" directory.

Buster Sandbox Analyzer can exclude user-specified files, registry keys, ports and APIs from the checks. For this the exclusion list feature was included. You can edit the exclusion list files using "Editor -> Edit". An exclusion list is a set of strings that the user wants excluded from the results. All lines containing a string that appears in the exclusion list will be removed from the reports. File exclusion strings are not sandbox-path relative. This means you must specify the path or file to exclude as it will appear on the real disk, e.g.:

C:\pagefile.sys would be ok
C:\SandBox\ExampleUser\DefaultBox\drive\C\pagefile.sys would be wrong

The registry exclusion list uses relative strings. Sandboxie will "translate" HKEY_CURRENT_USER to user\current\ and HKEY_LOCAL_MACHINE to machine\. To avoid mistakes with registry exclusions I suggest you take the strings directly from RegDiff.TXT and include them in the exclusion list. Don't forget to remove the value key contents, as they may change. E.g. if you want to exclude:

HKEY_LOCAL_MACHINE\software\Classes\idid\url0

you should add to the exclusion list:

machine\software\Classes\idid\url0 would be ok
hkey_local_machine\software\Classes\idid\url0 would be wrong
machine\software\Classes\idid\url0 = 1E9O6DD8 would not be wrong, but it will only be excluded if the value key content is exactly that one.

Note: the exclusion list is case insensitive.
Note: some registry and value keys are modified by Sandboxie, not by the sandboxed processes. I suggest running CALC.EXE, or any other program that does not modify the registry, and adding the strings from the resulting RegDiff.TXT to the exclusion list.

FileDiff, RegDiff, PortDiff and LOG_API text files are like raw data and are used by Buster Sandbox Analyzer to perform several checks. If you want to check what the real changes made to the system are you must open Report.TXT.
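The exclusion-list rules above (case-insensitive substring match against report lines, registry roots rewritten to Sandboxie's relative form, value contents stripped so an exclusion survives changing data) as an added Python example. This is not BSA's code: the function names and the RegDiff.TXT-style sample lines are constructed for illustration, and the root translation table covers only the two roots the manual names.

```python
# Added example (not part of the BSA package): applies the manual's exclusion-list
# rules to constructed RegDiff.TXT-style lines.

# Constructed sample lines; "1E9O6DD8" is the value content from the manual's example.
SAMPLE_REGDIFF = [
    r"machine\software\Classes\idid\url0 = 1E9O6DD8",
    r"user\current\software\microsoft\windows\currentversion\run\Updater = C:\Windows\updater.exe",
    r"machine\software\ExampleVendor\Installed = 1",
]

# Root translations the manual says Sandboxie applies in RegDiff.TXT.
ROOT_TRANSLATION = {
    "hkey_current_user": r"user\current",
    "hkey_local_machine": "machine",
}


def to_regdiff_form(key):
    """Rewrite a HKEY_* path into the relative form Sandboxie uses in RegDiff.TXT."""
    root, sep, rest = key.partition("\\")
    return ROOT_TRANSLATION.get(root.lower(), root) + sep + rest


def strip_value_content(line):
    """Drop ' = <content>' so the exclusion keeps matching when the data changes."""
    return line.split(" = ", 1)[0]


def apply_exclusions(report_lines, exclusions):
    """Remove every report line containing any exclusion string.

    Matching is a case-insensitive substring test, as the manual describes:
    a line is dropped if any exclusion string appears anywhere in it.
    """
    needles = [e.lower() for e in exclusions if e.strip()]
    return [line for line in report_lines
            if not any(n in line.lower() for n in needles)]


def build_exclusions_from_regdiff(regdiff_lines):
    """Turn RegDiff.TXT lines into exclusion strings with the contents removed,
    the workflow the manual recommends for keys Sandboxie itself modifies."""
    return [strip_value_content(line) for line in regdiff_lines]


if __name__ == "__main__":
    wanted = r"HKEY_LOCAL_MACHINE\software\Classes\idid\url0"
    ok = to_regdiff_form(wanted)  # machine\software\Classes\idid\url0
    print("translated exclusion:", apply_exclusions(SAMPLE_REGDIFF, [ok]))
    # The untranslated HKEY_ form never appears in RegDiff lines, so nothing is excluded.
    print("untranslated exclusion:", apply_exclusions(SAMPLE_REGDIFF, [wanted]))
```

The translation step is the one that matters in practice: an exclusion written with the HKEY_ prefix silently matches nothing, which is exactly the "would be wrong" case in the text.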

Buster Sandbox Analyzer can be configured up to a certain point. This is achieved by editing BSA.DAT. An explanation of the different sections in BSA.DAT follows:

[File_Types_Copied_Windows]
In this section the user defines which file types (extensions), when copied into the Windows folder (its root or any subfolder), must raise an alert.

By default .EXE, .DLL and .SYS are watched. Other interesting file types to watch could be .VBS, .JS or .BAT, just to give some examples. Why? Many malwares copy their components into the Windows folder:

\Windows
\Windows\System32
etc.

[File_Types_Modified]
In this section the user defines which file types (extensions) must be watched when they are modified. By default .EXE and .DLL files are watched. Why? Modifying an .EXE is a typical action of viruses.

[File_Types_Copied_AutoStart]
In this section the user defines which file types (extensions) must be watched when copied to AutoStart locations. An AutoStart location is e.g. the Startup folder. By default .EXE and .DLL files are watched. Why? It is typical of malwares to get their components included in autostart locations so they run when Windows loads.

[AutoStart_Files_Added_or_Modified]
In this section the user defines which autostart files must be watched when added to disk or modified. By default the list of autostart files is:

win.ini
system.ini
wininit.ini
winstart.bat
dosstart.bat
autoexec.nt
config.nt
autoexec.bat
config.sys
autorun.inf

Why? Another method used by malwares to get running when Windows loads is adding themselves to one of those files.

[AutoStart_Registry_Created_or_Modified]
In this section the user defines which registry autostart locations to watch. The list of autostart locations is a bit large, so I will not list it here. Just as an example:

\software\microsoft\windows\currentversion\run

Why? It is very typical of malwares to add themselves to a registry autostart location so they get loaded when Windows boots.

You can edit BSA.DAT with any text editor, as it is plain text, and include new file types to watch or new registry autostart locations. You can also remove or edit the default values.

Note: after a section header "[Whatever]" you must include all the values, and there cannot be an empty line between them. To separate sections you must leave an empty line between them. This is correct:

[File_Types_Copied_AutoStart]
.exe
.dll
.sys

[AutoStart_Files_Added_or_Modified]
...

This is wrong (no empty line between the sections):

[File_Types_Copied_AutoStart]
.exe
.dll
.sys
[AutoStart_Files_Added_or_Modified]
...

This is wrong too (an empty line between the values):

[File_Types_Copied_AutoStart]
.exe

.dll
.sys

[AutoStart_Files_Added_or_Modified]
...
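A parser for the BSA.DAT layout described above, written as an added Python example (not the tool's own code), together with a small evaluation of constructed FileDiff/RegDiff entries against the [File_Types_Copied_Windows], [AutoStart_Files_Added_or_Modified] and [AutoStart_Registry_Created_or_Modified] sections explained earlier. The function names, the sample configuration and report lines, and the matching rules (extension and basename comparison for files, substring match for registry keys in Sandboxie's relative form) are my assumptions about how such checks work, not a description of BSA's internals. The parser rejects both layouts the note marks as wrong rather than silently misreading them.

```python
import ntpath

# Constructed BSA.DAT-style text (not the file shipped with BSA): values sit directly
# under their [Section] header and sections are separated by one empty line.
SAMPLE_BSA_DAT = r"""[File_Types_Copied_Windows]
.exe
.dll
.sys

[File_Types_Copied_AutoStart]
.exe
.dll

[AutoStart_Files_Added_or_Modified]
win.ini
system.ini
autorun.inf

[AutoStart_Registry_Created_or_Modified]
\software\microsoft\windows\currentversion\run
"""


class BsaDatError(ValueError):
    """Raised for the two layouts the manual marks as wrong."""


def parse_bsa_dat(text):
    """Parse [Section]/value blocks into {section: [lowercased values]}.

    An empty line always closes the current section, so a header that directly
    follows values (no separator) and a value that follows an empty line (gap
    inside a section) are both reported as errors.
    """
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "":
            current = None
        elif line.startswith("[") and line.endswith("]"):
            if current is not None and sections[current]:
                raise BsaDatError(f"line {lineno}: no empty line before {line}")
            current = line[1:-1]
            sections[current] = []
        else:
            if current is None:
                raise BsaDatError(f"line {lineno}: value {line!r} outside a section")
            sections[current].append(line.lower())
    return sections


def is_valid_bsa_dat(text):
    """True when the text follows the layout rules, False otherwise."""
    try:
        parse_bsa_dat(text)
        return True
    except BsaDatError:
        return False


def copied_into_windows(path, cfg):
    """Watched extension dropped anywhere under the Windows folder (root or subfolder)."""
    p = path.lower()
    return "\\windows\\" in p and ntpath.splitext(p)[1] in cfg["File_Types_Copied_Windows"]


def autostart_file_touched(path, cfg):
    """One of the configured autostart files was added or modified."""
    return ntpath.basename(path).lower() in cfg["AutoStart_Files_Added_or_Modified"]


def autostart_registry_hit(regdiff_line, cfg):
    """RegDiff line lies under a configured autostart key (Sandboxie's relative form)."""
    key = regdiff_line.lower()
    return any(loc in key for loc in cfg["AutoStart_Registry_Created_or_Modified"])


def evaluate(filediff, regdiff, cfg):
    """Return (section, item) alerts for FileDiff paths and RegDiff lines."""
    alerts = []
    for path in filediff:
        if copied_into_windows(path, cfg):
            alerts.append(("File_Types_Copied_Windows", path))
        if autostart_file_touched(path, cfg):
            alerts.append(("AutoStart_Files_Added_or_Modified", path))
    for line in regdiff:
        if autostart_registry_hit(line, cfg):
            alerts.append(("AutoStart_Registry_Created_or_Modified", line))
    return alerts


# Constructed report entries (not real BSA output).
SAMPLE_FILEDIFF = [
    r"C:\Windows\System32\helper.dll",
    r"C:\Windows\win.ini",
    r"C:\Program Files\ExampleApp\app.exe",
]
SAMPLE_REGDIFF_LINES = [
    r"user\current\software\microsoft\windows\currentversion\run\helper = C:\Windows\System32\helper.dll",
    r"machine\software\Classes\idid\url0 = 1E9O6DD8",
]

if __name__ == "__main__":
    for section, item in evaluate(SAMPLE_FILEDIFF, SAMPLE_REGDIFF_LINES, parse_bsa_dat(SAMPLE_BSA_DAT)):
        print(f"{section}: {item}")
```

Treating every empty line as a section terminator is what makes the two wrong layouts fail loudly: the missing separator trips the "no empty line before" check, and the gap inside a section leaves the next value without a section to belong to.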

Buster Sandbox Analyzer has a few options. An explanation of them follows:

Restart: used to restart the analysis.
Disable Exclusion List: exclusion lists can be disabled individually (file, registry, etc.). If you are not interested in applying an exclusion list in one analysis you can easily disable that exclusion from inside the tool.
Do not resolve URLs: by default this option is enabled. You can disable the option and then BSA will try to resolve IP addresses.

4. Conclusions
Buster Sandbox Analyzer is a useful tool for people who want to know whether a program shows malware behaviour, or for people interested in knowing what gets installed, and where, when they run a program. A big advantage of Buster Sandbox Analyzer compared to other systems doing the same task is that BSA can be better, more accurate, and report more or less information depending on the user, whereas other analyzers will be as good or as bad as their designers made them.

Suggestions, bug reports and greetings are welcome at:

malware.collector@gmail.com

5. Acknowledgements
This tool would not have been possible without the support of Ronen Tzur, tzuk, author of Sandboxie. I would like to thank tzuk for his great support of Sandboxie's users in general and of me in particular. I would like to thank my friend Juanjo for his help with a piece of code. I would like to thank David Zimmer for the API logger and the support. I would like to thank Ladislav Nevery for the reg hive dumper. I would like to thank Mark J for his help optimizing the API logger DLL.

6. Program History
Version 1.01, released on 28th November 2009
Added backdoor and keylogger detection capabilities
Added Event and Service creation detection capabilities
Added malware analyzer detection capabilities
Added the option of visualizing report files directly from the tool
Fixed a bug related to the creation of port differences

Version 1.0, released on 23rd November 2009
First official version of Buster Sandbox Analyzer
