Trust No Program

Which is the most secure way to test a virus? (VM+Sandboxie?)


Postby DarkBlood » Wed Apr 14, 2010 7:29 pm

Hello people, I want to know which is the most secure way to test a virus/malware, specifically an executable file.

I suppose that a good way is running a Virtual Machine with Windows and Sandboxie with advanced settings such as "block internet access", "drop access rights", etc.

Give me your opinions, thank you! :oops:
DarkBlood
 
Posts: 10
Joined: Fri Oct 02, 2009 12:28 am
Location: Argentina (Venado Tuerto)

Postby DarkBlood » Wed Apr 14, 2010 11:24 pm

After hours of searching for info, I discovered another way, "run an executable file remotely" with Comodo Malware Analysis. It is wonderful: you can upload a file and then view all the changes that have been made, registry keys added or changed, files, memory, threads, processes, autostart elements, etc.

Here is the website:
http://camas.comodo.com/cgi-bin/submit? ... ce2d3e13b3
DarkBlood
 

Postby okey? » Thu Apr 15, 2010 12:28 am

Here you find a lot of solutions, and if you look around that forum you'll see many 0-day rootkits/more crap reversed and explained, what they can do if you've got them on your computer.

http://www.kernelmode.info/forum/viewto ... 3e56d0442c
okey?
 

Postby Buster » Thu Apr 15, 2010 12:59 am

DarkBlood wrote:After hours of searching for info, I discovered another way, "run an executable file remotely" with Comodo Malware Analysis. It is wonderful: you can upload a file and then view all the changes that have been made, registry keys added or changed, files, memory, threads, processes, autostart elements, etc.


You have an extended list of websites of that kind here:

http://bsa.sandboxie.info/frame3.htm

And in this forum you can find a program that, using Sandboxie, will do the same kind of analysis.
Buster
 
Posts: 2400
Joined: Mon Aug 06, 2007 7:38 pm

Postby DarkBlood » Thu Apr 15, 2010 4:44 am

okey? wrote:Here you find a lot of solutions, and if you look around that forum you'll see many 0-day rootkits/more crap reversed and explained, what they can do if you've got them on your computer.

http://www.kernelmode.info/forum/viewto ... 3e56d0442c

That's a good post, thank you, especially the "Additional tools list", but I still prefer Sandboxie.


Buster wrote:You have an extended list of websites of that kind here:

http://bsa.sandboxie.info/frame3.htm

And in this forum you can find a program that, using Sandboxie, will do the same kind of analysis.

Yes, I already saw the "contributed utilities" subforum. Usually I don't need to detect changes because I use Total Uninstall in a VM without Sandboxie, but now I need it, because you can't easily see changed registry keys with Sandboxie. :(

So congratulations and thank you for your program (Buster Sandbox Analyzer), and one question: do you recommend your program or SandboxDiff? :D
DarkBlood
 

Postby Buster » Thu Apr 15, 2010 7:03 am

DarkBlood wrote:So congratulations and thank you for your program (Buster Sandbox Analyzer), and one question: do you recommend your program or SandboxDiff? :D


If you just want to check for registry changes SandboxDiff will be easier to learn to use.
Buster
 

Postby H3* » Thu Apr 15, 2010 1:04 pm

Sandboxie is the way to go whatever you do, testing malware or getting hit with exploits when you surf the net: just empty the sandbox and forget it. Or try the lottery with anti-virus programs. Just do a simple test on a few rootkits/IRC bots, for example: test some weeks- or months-old samples on http://www.virustotal.com/ and let's say 37 of 42 of them show you it's a bot that's watching for your credit card. That's good to know :)

But if you open that same sample in your favourite hex editor, then modify it just to test it again against those anti-virus programs, you'll see in the hex editor (if it's not exe-packed) names like "text, rdata, data, rsrc" or the like... Anyway, I chose to modify it like this (an example, there are many ways to do this): "teSt, again, data, rsrc", and save it. An extremely simple modification! Then send it up to VirusTotal again and don't be surprised... sometimes this will look like you built some new (censored) that goes undetected by the scanners.
H3*
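The section-name edit described in the post above, done with a short script instead of a hex editor. This is an added example for this thread, not code from H3* or from Sandboxie/BSA; it uses only the Python standard library, build_minimal_pe() fabricates a tiny non-runnable PE image as constructed stand-in input, and the rename map {".text": ".teSt", ".rdata": "again"} is simply the post's illustration.

```python
"""Rename section headers in a PE file without touching anything else.

Added example (not from the post). Only the 8-byte Name field of each
IMAGE_SECTION_HEADER is rewritten; sizes, RVAs and section contents stay
byte-for-byte identical. build_minimal_pe() is constructed test input.
"""
import hashlib
import struct

SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER)
COFF_HEADER_SIZE = 20      # sizeof(IMAGE_FILE_HEADER)


def build_minimal_pe(section_names):
    """Constructed input: DOS header + PE signature + COFF header + PE32
    optional header + one section header per name. No code, no imports;
    it is just enough structure for a section-table parser to walk."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    table = b""
    for i, name in enumerate(section_names):
        raw = name.encode("ascii")[:8].ljust(8, b"\x00")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (code|exec|read)
        table += raw + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1),
                                   0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(optional) + table


def section_table(data):
    """Return (offset, count) of the section table, validating MZ/PE magic."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    count = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    offset = coff + COFF_HEADER_SIZE + opt_size
    if offset + count * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table runs past end of file")
    return offset, count


def list_sections(data):
    """Section names as stored, e.g. ['.text', '.rdata', '.data', '.rsrc']."""
    offset, count = section_table(data)
    names = []
    for i in range(count):
        pos = offset + i * SECTION_HEADER_SIZE
        names.append(bytes(data[pos:pos + 8]).rstrip(b"\x00").decode("ascii", "replace"))
    return names


def rename_sections(data, mapping):
    """Return a copy with names replaced per mapping. The Windows loader does
    not use section names, so the image still loads and behaves the same."""
    out = bytearray(data)
    offset, count = section_table(data)
    for i in range(count):
        pos = offset + i * SECTION_HEADER_SIZE
        name = bytes(out[pos:pos + 8]).rstrip(b"\x00").decode("ascii", "replace")
        if name in mapping:
            new = mapping[name].encode("ascii")
            if len(new) > 8:
                raise ValueError(f"{mapping[name]!r} exceeds the 8-byte name field")
            out[pos:pos + 8] = new.ljust(8, b"\x00")
    return bytes(out)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    original = build_minimal_pe([".text", ".rdata", ".data", ".rsrc"])
    modified = rename_sections(original, {".text": ".teSt", ".rdata": "again"})
    print(list_sections(original), "->", list_sections(modified))
    print("same size:", len(original) == len(modified),
          "hash changed:", sha256(original) != sha256(modified))
```

The file keeps its size and its code bytes; what changes is the file hash and the header bytes, which is exactly what a hash lookup or a signature keyed on the section table sees. A scanner that matches on the code or on behaviour is unaffected by this edit, so a VirusTotal drop after such a change says more about which engines key on superficial header features than about the sample being "new".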
 

Postby Oneder » Thu Apr 15, 2010 3:04 pm

If you get a setup.exe for a rogue app, then you will need to allow internet access in order to download all the components, which will include the main exe.

Here on the real system I run samples through a default sandbox monitored by BSA, with the real system virtualised with Returnil (older version).

If a sample won't run sandboxed, then I use a VM and monitor the install with Zsoft Uninstaller, and even then some samples won't run, so I upload to VirusTotal to get an idea of what I've got.

After running any samples sandboxed, when I want to grab any droppers I use the free search utility "Agent Ransack", which can be set to search only through the testing sandbox for .exe, .dll, or you can use a wildcard *.* to find all files created/dropped.

After terminating all processes in the testing sandbox, you can copy/cut and paste any samples you want out of the testing sandbox through Agent Ransack's GUI to anywhere else, zip and archive them, or upload them to your favourite antimalware vendor for inclusion into their database if they aren't detected.
Hunting the Hunter!
Oneder
 
Posts: 364
Joined: Tue Aug 30, 2005 1:19 pm
Location: Perth,West Oz
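The change-detection step discussed in the thread (SandboxDiff / Total Uninstall for "what changed", Agent Ransack for "what executables were dropped") reduced to a before/after snapshot of the sandbox folder. This is an added example for this thread, not code from SandboxDiff, BSA, Total Uninstall or Agent Ransack; it covers the filesystem side only (a registry diff would hash exported hives the same way), and demo() builds a throwaway folder layout and fakes the sample's side effects as constructed input so it runs offline on any OS.

```python
"""Before/after snapshot diff of a sandbox folder to find what a sample dropped.

Added example (not from the thread's tools). Filesystem only; the
simulated sample behaviour in demo() is constructed, not a real trace.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions worth pulling out of the sandbox for a second look
DROPPER_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".cpl"}


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[p.relative_to(root).as_posix()] = (p.stat().st_size, digest)
    return snap


def diff(before, after):
    """Added, removed and content-changed paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def find_droppers(report, suffixes=DROPPER_SUFFIXES):
    """The wildcard search narrowed to the sandbox: new or rewritten executables."""
    candidates = report["added"] + report["changed"]
    return sorted(p for p in candidates if Path(p).suffix.lower() in suffixes)


def demo():
    """Constructed run: plant a fake sandbox, snapshot, simulate the sample, diff."""
    with tempfile.TemporaryDirectory() as sandbox:
        root = Path(sandbox)
        windows = root / "drive" / "C" / "Windows"
        windows.mkdir(parents=True)
        (windows / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "drive" / "C" / "readme.txt").write_text("untouched\n")
        before = snapshot(root)

        # Simulated sample behaviour (constructed): rewrite hosts, drop a DLL
        # into System32 and an updater executable into Temp.
        (windows / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")
        (windows / "System32").mkdir()
        (windows / "System32" / "dropped.dll").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "drive" / "C" / "Temp").mkdir()
        (root / "drive" / "C" / "Temp" / "updater.exe").write_bytes(b"MZ" + b"\x90" * 62)

        after = snapshot(root)
        report = diff(before, after)
        report["droppers"] = find_droppers(report)
        # Hashes of the droppers, ready for a VirusTotal lookup or an archive label
        report["hashes"] = {p: after[p][1] for p in report["droppers"]}
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Take the "before" snapshot with the sandbox empty and the "after" snapshot only once every sandboxed process has been terminated, as Oneder describes; a sample that is still running can keep writing files between the two passes and the diff would be incomplete. Hash the droppers before copying them out, so the archive you keep and the copy you upload can be matched later.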

Postby Buster » Thu Apr 15, 2010 3:10 pm

Oneder wrote:Here on the real system I run samples through a default sandbox monitored by BSA, with the real system virtualised with Returnil (older version).

If a sample won't run sandboxed, then I use a VM and monitor the install with Zsoft Uninstaller, and even then some samples won't run, so I upload to VirusTotal to get an idea of what I've got.


Why don't you run Zsoft Uninstaller on the real system if you have it virtualized with Returnil?
Buster
 

Postby Oneder » Thu Apr 15, 2010 3:38 pm

I've been testing Sandboxie for a long time now and I just like using it, as it's more convenient than firing up a VM, and besides, I have more trust in Sandboxie than any other security app.

Returnil is used only for my own silly little mistakes, like accidentally double-clicking a sample taken out of the sandbox to the desktop when I really meant to drag and drop it into a rar archive.

And by the way, BSA is a great tool. 8)

Plus it's way easier to find any droppers in the sandbox than searching for them in a full system.
Oneder

Postby Buster » Thu Apr 15, 2010 3:48 pm

I'm not sure I understand you.

When a sample fails to run under Sandboxie, why don't you run it on the real system?

Because you don't trust Returnil, or because it is more difficult to find droppers?

I ask because I'm improving BSA and this question is related to the features I plan on adding.

I'm "expanding" my business. Even if it's "Sandbox Analyzer", I will add features to analyze stuff outside the sandbox.
Buster
 

Postby Oneder » Thu Apr 15, 2010 4:08 pm

Buster wrote:Because you don't trust Returnil, or because it is more difficult to find droppers?

Returnil seems OK, but I haven't tested it to the same extent as Sandboxie, and I sort of feel committed to keep using Sandboxie as my main testing app, to see if any holes exist and see if I can help in any way.

Even though harvesting any droppers is way easier in the sandbox, it's not the main reason I use it.

The main reason I use Sandboxie and prefer Sandboxie over Returnil, VMs or any other security app is that I really like it.

By the way, below is an installer and main exe that you may want to have a look at, for a newish rogue "Virus Protector" that seems to run OK sandboxed, but Sandboxie throws up a few errors with or without BSA active.
hxxp://rapidshare.com/files/376205143/setups_VP.rar
Oneder

Postby Buster » Thu Apr 15, 2010 4:24 pm

So if I understand correctly, you use a VM to run a sample when it doesn't run under Sandboxie because you don't have enough confidence in Returnil.

I'm working on BSA to make it able to analyze samples that don't work under Sandboxie. I will use third-party software to monitor files/registry/processes/network. BSA will be able to process the information collected by this software.

This third-party software can run on a real system or in a VM. It's always better to run a sample on a real system because some samples check for the presence of VMs, while it's rarer to find malware samples checking for software like Returnil or Deep Freeze.
Buster
 
Posts: 2400
Joined: Mon Aug 06, 2007 7:38 pm
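The "some samples check for the presence of VMs" point above, shown from the analyst's side: a script that looks for the same hypervisor artefacts a sample would test for, so you know what your analysis box gives away before you run anything in it. This is an added example for this thread, not BSA code. The MAC OUI prefixes and SMBIOS strings are the commonly published vendor values (VMware 00:05:69/00:0C:29/00:1C:14/00:50:56, VirtualBox 08:00:27, Hyper-V 00:15:5D, QEMU/KVM 52:54:00; "innotek"/"VBOX", "VMware", "QEMU", "Virtual Machine") and are assumptions in the sense that they cover common defaults, not every configuration; live_indicators() reads what the standard library can reach on the running host (uuid.getnode(), the HKLM\HARDWARE\DESCRIPTION\System keys via winreg on Windows, /sys/class/dmi/id on Linux), while the classify_* functions take plain strings so the logic can be exercised with constructed input.

```python
"""Spot the hypervisor artefacts a VM-aware sample typically checks for.

Added example (not from the thread). Lookup tables hold widely published
vendor values; treat them as defaults, not a complete list.
"""
import os
import platform
import re
import uuid

# First three octets of MAC addresses assigned to hypervisor vendors
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}

# Substrings seen in SMBIOS / DMI strings of common hypervisors
BIOS_MARKERS = {
    "innotek": "VirtualBox", "vbox": "VirtualBox", "virtualbox": "VirtualBox",
    "vmware": "VMware", "qemu": "QEMU/KVM", "bochs": "Bochs",
    "virtual machine": "Hyper-V", "xen": "Xen",
}


def normalize_mac(mac):
    """Accept 00-0C-29-…, 00:0c:29:… or 000c29… and return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac):
    """Vendor name if the OUI belongs to a hypervisor, else None."""
    return VM_OUIS.get(normalize_mac(mac)[:8])


def classify_bios(value):
    """Vendor name if a firmware/DMI string carries a known marker, else None."""
    low = value.lower()
    for marker, vendor in BIOS_MARKERS.items():
        if marker in low:
            return vendor
    return None


def detect(macs, bios_strings):
    """Return [(indicator, vendor)] for every artefact that matches."""
    hits = []
    for mac in macs:
        vendor = classify_mac(mac)
        if vendor:
            hits.append((f"mac {normalize_mac(mac)}", vendor))
    for s in bios_strings:
        vendor = classify_bios(s)
        if vendor:
            hits.append((f"bios {s!r}", vendor))
    return hits


def live_indicators():
    """Best-effort collection from the running host; returns (macs, bios_strings)."""
    node = uuid.getnode()  # 48-bit MAC of one interface (random fallback if none)
    macs = [f"{node:012x}"]
    strings = []
    if platform.system() == "Windows":
        import winreg
        wanted = {
            r"HARDWARE\DESCRIPTION\System": ("SystemBiosVersion", "VideoBiosVersion"),
            r"HARDWARE\DESCRIPTION\System\BIOS": ("SystemManufacturer", "SystemProductName"),
        }
        for subkey, names in wanted.items():
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                    for name in names:
                        try:
                            value, _ = winreg.QueryValueEx(key, name)
                        except OSError:
                            continue
                        strings.extend(value if isinstance(value, list) else [str(value)])
            except OSError:
                pass
    else:
        for entry in ("sys_vendor", "product_name", "bios_vendor"):
            path = os.path.join("/sys/class/dmi/id", entry)
            if os.path.exists(path):
                with open(path) as fh:
                    strings.append(fh.read().strip())
    return macs, strings


if __name__ == "__main__":
    hits = detect(*live_indicators())
    print("hypervisor artefacts found:" if hits else "no hypervisor artefacts found", hits)
```

Run it inside the analysis VM: every hit is something the sample can read just as easily (a MAC lookup, a registry query, a WMI call), and each is something you can change on the hypervisor side (a custom MAC, patched DMI strings) before deciding a sample "won't run" and moving it to real hardware. A clean result only means these particular defaults are absent; timing checks, CPUID hypervisor bits and driver names are other common tells this script does not cover.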

Postby Oneder » Fri Apr 16, 2010 12:39 am

Buster wrote:So if I understand correctly, you use a VM to run a sample when it doesn't run under Sandboxie because you don't have enough confidence in Returnil.

I'm working on BSA to make it able to analyze samples that don't work under Sandboxie. I will use third-party software to monitor files/registry/processes/network. BSA will be able to process the information collected by this software.

This third-party software can run on a real system or in a VM. It's always better to run a sample on a real system because some samples check for the presence of VMs, while it's rarer to find malware samples checking for software like Returnil or Deep Freeze.

I am confident enough to use Returnil for samples that won't run sandboxed but run ok under Returnil.

The need to reboot to clear an infection is a pain when you can just delete the contents of the sandbox.
Oneder

Postby Buster » Fri Apr 16, 2010 12:44 am

Oneder wrote:The need to reboot to clear an infection is a pain when you can just delete the contents of the sandbox.


Yes, yes, I know what you're talking about very well. :wink:
Buster
 
