sk3tch
I submitted yet another new SDBot variant to a bunch of vendors today and Norman responded (they usually never do) with a link to their online analysis tool:

http://sandbox.norman.no/live_4.html

Basically you can upload any file or files, toss in an email address, and in about 5 minutes or less you have an analysis like this one in your inbox:

QUOTE
Norman Scanner Engine 5.70. 24
Sandbox 05.70, dated 12/11-2004

Your message ID (for later reference): *edited*

Informations.txt                                                                                                                                    .exe : Not detected by sandbox (Signature: Netsky.Z@mm)
[ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File might be compressed.
    * File length:        31491 bytes.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\Jammer2nd.exe.
    * Creates file C:\WINDOWS\pk_zip_alg.log.
    * Creates file C:\WINDOWS\pk_zip1.log.
    * Creates file C:\WINDOWS\pk_zip2.log.

[ Changes to registry ]
    * Creates value "Jammer2nd"="C:\WINDOWS\Jammer2nd.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Creates a mutex (S)(k)(y)(N)(e)(t).


© 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.

Sent by *edited*. Processed *edited* at *edited* POP3: sandbox


Pretty freakin' cool...I have to really give props to Norman for making this available on the web to the general public...even if security geeks like myself are the only ones that end up using it!
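An added example, not code from this thread or from Norman: a small Python parser for the report layout quoted above, turning the bullet-per-observation sections into structured fields and deriving a few defender-facing triage tags (autostart persistence, dropped executables, named mutex). The sample report is constructed from the lines quoted in the post; the list of persistence key suffixes and the tag names are my own assumptions, not Norman's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the Norman Sandbox mail quoted above.
SAMPLE_REPORT = r"""
[ General information ]
    * File might be compressed.
    * File length:        31491 bytes.

[ Changes to filesystem ]
    * Creates file C:\WINDOWS\Jammer2nd.exe.
    * Creates file C:\WINDOWS\pk_zip_alg.log.

[ Changes to registry ]
    * Creates value "Jammer2nd"="C:\WINDOWS\Jammer2nd.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Creates a mutex (S)(k)(y)(N)(e)(t).
"""

SECTION_RE = re.compile(r"^\[ (.+?) \]$")
FILE_RE = re.compile(r"^Creates file (.+)$")
REG_RE = re.compile(r'^Creates value "([^"]*)"="([^"]*)" in key "([^"]*)"$')
MUTEX_RE = re.compile(r"^Creates a mutex (.+)$")

# Autostart locations worth flagging (hypothetical short list, not Norman's).
PERSISTENCE_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")


@dataclass
class SandboxReport:
    files_created: list = field(default_factory=list)
    registry_values: list = field(default_factory=list)   # (key, name, data)
    mutexes: list = field(default_factory=list)
    notes: list = field(default_factory=list)             # (section, text) for other bullets


def parse_report(text):
    """Turn the bullet-per-observation report into structured fields."""
    report = SandboxReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line.startswith("*"):
            continue
        item = line[1:].strip()
        if item.endswith("."):          # every bullet in the report ends with a full stop
            item = item[:-1]
        if section == "Changes to filesystem" and (m := FILE_RE.match(item)):
            report.files_created.append(m.group(1))
        elif section == "Changes to registry" and (m := REG_RE.match(item)):
            report.registry_values.append((m.group(3), m.group(1), m.group(2)))
        elif section == "Process/window information" and (m := MUTEX_RE.match(item)):
            report.mutexes.append(m.group(1))
        else:
            report.notes.append((section, item))
    return report


def triage(report):
    """Derive simple defender-facing tags from the parsed observations."""
    findings = []
    for key, name, data in report.registry_values:
        if key.lower().endswith(PERSISTENCE_KEY_SUFFIXES):
            findings.append(f"persistence:run-key {name} -> {data}")
    for path in report.files_created:
        if path.lower().endswith((".exe", ".dll", ".scr")):
            findings.append(f"drops-executable {path}")
    for mutex in report.mutexes:
        findings.append(f"mutex {mutex}")
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for tag in triage(parsed):
        print(tag)
```

Bullets the parser does not recognise are kept in `notes` with their section name rather than dropped, so a new observation type from the sandbox still shows up in the output instead of silently disappearing.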
satknis
OK, nice, but this only works with stuff that is known!
Does anyone know some tools to get this information when I run a program?
I would like to test some apps under VMware and I need every piece of information about
the program that I run!

thx for answers
sk3tch
You can get the same information from any file you submit...depending on its behaviour. Obviously it cannot determine the malware name (if it is indeed malicious) but this is a sandbox - so it analyzes all files.
strasharo
It would be nice if there was such a tool for offline analysis, I mean like a separate program so you can install it and do your work when you are offline. I tested the Norman Virus Control which claimed to have the same sandbox, but it had only one checkbox to pass the scanned files into the sandbox, and it doesn't give such an analysis like that of the on-line version. If anyone knows such tools it will be nice to share with us.

Have a nice day!
satknis
Hmm, nobody knows an offline sandbox?
It would be nice to see what some apps do,
like worms or bots.

Please help,
I can't find anything similar to the Norman sandbox.
andydis
I work for a Norman reseller and we are told that the latest sandbox technology will be incorporated in version 5.9, due for release in April.
skydance
Very nice, this online sandbox. I've just submitted a file not detected by KAV and they say it's unknown malware (W32/Downloader) :-)

As an offline sandbox I use InstallRite and Ethereal, or a combination of monitors from Sysinternals and a sniffer.
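The snapshot-and-compare approach that InstallRite-style tools take, as an added example in portable Python (my own illustration, not code from the thread or from any of the tools named): hash every file under a root before the sample runs, hash again afterwards, and report what was created, deleted or modified. The `demo()` function uses a temporary directory and a constructed stand-in for the sample's behaviour instead of executing anything; the file names it writes are made up for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (as a relative POSIX path) to (size, sha256)."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return state


def diff_snapshots(before, after):
    """Classify every path as created, deleted or modified between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo():
    """Snapshot / 'run sample' / snapshot cycle on a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32" / "drivers").mkdir(parents=True)
        (root / "system32" / "drivers" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("untouched\n")
        before = snapshot(root)

        # Constructed stand-in for the sample's activity: drops a PE-looking file,
        # appends a line to hosts and removes a file. Nothing is executed here.
        (root / "Jammer2nd.exe").write_bytes(b"MZ" + b"\x00" * 62)
        with (root / "system32" / "drivers" / "hosts").open("a") as fh:
            fh.write("0.0.0.0 update.example.invalid\n")
        (root / "readme.txt").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than comparing timestamps is what catches an in-place overwrite that preserves mtime; on a real analysis VM the same two-snapshot pattern is applied to the registry as well (the `winreg` module can walk the hives on Windows), which is the half of the picture the filesystem diff alone does not give you.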
satknis
andydis, isn't the Norman sandbox tech incorporated in the Norman antivirus?

What I'm searching for is just a program which monitors all activities of an application,
maybe within a virtual OS,
like safelaunch and the NuclearAnalyze tool from nuclearwinters, but better than both.
sk3tch
Norman Virus Control does not utilize the Sandbox technology in real time. It does, however, utilize it with on-demand scanning.

This effectively makes the feature useless for desktop AV applications.

This is with version 5.8 (current one out). If 5.9 will incorporate it...great...because Norman is one of the most infected AV apps in my honeypot deployment.

andydis
QUOTE
because Norman is one of the most infected AV apps in my honeypot deployment.

sk3tch, I would love to have a gander at that sometime!


Norman 5.9, I am told, is going to be brilliant; yes, 5.8 still misses a lot of stuff, including most hex'd RATs and even some stuff that Stinger (McAfee) manages to find.

Stinger + Norman + disable System Restore + Norman Ad-Aware (yes, I said NORMAN AD-AWARE!)
I have found to be a brilliant combo to keep PCs clean, every so often running a rootkit detector on servers.

Other Norman products include Norman Personal Firewall and Norman for Exchange, all freely available to download as demos from www.normanuk.com
