Norman SandBox Analyzer Pro is a console GUI application designed to analyze Win32 PE executables and other file types containing embedded executable exploit code. When working with Norman SandBox Analyzer Pro the analyst has an extensive range of features to quickly analyze and manipulate the SandBox environment and target code. The analyst can explore files and changes made to the simulated SandBox OS to get the full view of the impact executing the respective file would have had if it had been run on a "real computer".
Norman SandBox is the core component of Norman SandBox Analyzer Pro. This module is compatible with Windows functions such as Winsock, Kernel and MPR and also supports network and Internet functions like HTTP, FTP, SMTP, DNS, IRC, and P2P. In other words it’s a fully simulated computer, isolated within the Norman SandBox Analyzer Pro application.
The file to be analyzed is placed on the simulated hard disk and is started in the simulated environment. Inside the simulated environment the file may do whatever it wants. It can infect files. It can delete files. It can copy itself over networks. It can connect to an IRC server. It can send emails. It can set up listening ports. Every action it takes is registered by Norman's program, because the emulator is what effectively carries out those actions based on the code in the file. No code is executed on the real CPU except for the antivirus emulator engine; even the hardware in the simulated PC is emulated.
Norman SandBox Analyzer Pro allows the user to do a comprehensive analysis of files. The functions available to the user when doing analysis include:
Complete control
SandBox Analyzer Pro is designed as a debugging application specifically for malicious code; Norman understands the need to view, interact with, and manipulate executable code and its behavior. The SandBox software, hardware such as registers, CPU, and memory, and network activity can all be completely controlled by the analyst.
Disassembly
In the disassembly window, the analyst can view the disassembled code of each application. Traditional debugging features are available to the analyst, including the ability to step through and parse the code, insert and modify instructions, and set breakpoints. Advanced debugging features like the ability to back up, or simulate in reverse, are enabled in Analyzer Pro.
Memory Dump
The Memory Dump View can show any memory area. The user may browse to any memory address, set breakpoints on memory, and view memory as text, dwords, bytes, or shorts. As with all views, the information from this view may be searched, copied, and saved to logs.
API Log and Summary
The SandBox Summary report gives a quick text-based overview of potentially malicious actions taken by the malware. The more detailed API log window gives the user a full list of system calls for each application. Together these views give the analyst a high-level overview of the file's actions. While this information is often adequate for many investigations, it also gives the analyst valuable, time-saving clues for quickly debugging the code at a lower level.
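The relationship between the raw API log and the summary report is easy to see in code. The example below is an added illustration, not Norman's own format or code: it parses a small, constructed API-log excerpt (file creation, an autorun registry write, socket calls) into records and then derives the kind of one-line findings a summary report would show, such as a file dropped into the Windows directory, an autorun entry, a connection to a well-known C&C port, or a listening port. The log format, the `SYSTEM_DIRS`/`PORT_SERVICES` tables and the finding wording are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sandbox-style API log (not Norman's real output format).
# Each line: [sequence] ApiName(arguments) -> result
SAMPLE_API_LOG = r"""
[0001] CreateFileA("C:\WINDOWS\SYSTEM32\svchost32.exe", GENERIC_WRITE) -> 0x40
[0002] WriteFile(0x40, 24576 bytes) -> TRUE
[0003] RegSetValueExA(HKLM\Software\Microsoft\Windows\CurrentVersion\Run, "svchost32", "C:\WINDOWS\SYSTEM32\svchost32.exe") -> 0
[0004] gethostbyname("irc.example.invalid") -> 0x00000000
[0005] connect(sock=0x104, addr=192.0.2.10:6667) -> 0
[0006] send(sock=0x104, "NICK bot[XP]1234") -> 16
[0007] bind(sock=0x108, addr=0.0.0.0:4444) -> 0
[0008] listen(sock=0x108, backlog=5) -> 0
[0009] connect(sock=0x10c, addr=192.0.2.25:25) -> 0
[0010] send(sock=0x10c, "HELO victim") -> 11
"""

LINE_RE = re.compile(r'^\[(\d+)\]\s+(\w+)\((.*)\)\s*->\s*(.*)$')
ADDR_RE = re.compile(r'addr=([\d.]+):(\d+)')
SOCK_RE = re.compile(r'sock=(0x[0-9a-fA-F]+)')

# Assumed heuristics: where a dropped file is suspicious, which key is autorun,
# and which destination ports suggest a known protocol.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")
RUN_KEY = "\\currentversion\\run"
PORT_SERVICES = {21: "FTP", 25: "SMTP", 80: "HTTP", 6667: "IRC"}


@dataclass
class ApiCall:
    seq: int
    name: str
    args: str
    result: str


def parse_api_log(text):
    """Turn the textual log into ApiCall records; lines that do not match are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(ApiCall(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return calls


def summarize(calls):
    """Derive summary-report style findings from the ordered list of API calls."""
    findings = []
    bound = {}  # socket handle -> (ip, port) remembered from bind(), used by listen()
    for c in calls:
        a = c.args
        if c.name in ("CreateFileA", "CreateFileW") and "GENERIC_WRITE" in a:
            path = a.split('"')[1]  # first quoted argument is the file name
            if path.lower().startswith(SYSTEM_DIRS):
                findings.append(f"Creates file in Windows directory: {path}")
        elif c.name.startswith("RegSetValueEx") and RUN_KEY in a.lower():
            value_name = a.split('"')[1]  # first quoted argument is the value name
            findings.append(f"Adds autorun registry value: {value_name}")
        elif c.name == "connect":
            m = ADDR_RE.search(a)
            if m:
                ip, port = m.group(1), int(m.group(2))
                service = PORT_SERVICES.get(port, "unknown service")
                findings.append(f"Connects to {ip}:{port} ({service})")
        elif c.name == "bind":
            s, m = SOCK_RE.search(a), ADDR_RE.search(a)
            if s and m:
                bound[s.group(1)] = (m.group(1), int(m.group(2)))
        elif c.name == "listen":
            s = SOCK_RE.search(a)
            if s and s.group(1) in bound:
                ip, port = bound[s.group(1)]
                findings.append(f"Opens listening port {port} on {ip}")
    return findings


if __name__ == "__main__":
    for finding in summarize(parse_api_log(SAMPLE_API_LOG)):
        print(finding)
```

The summary deliberately keeps the sequence order of the underlying calls, so each finding can be traced back to the API-log entry (and from there to the instruction stream) when the analyst wants to drop down to the disassembly.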
Live Internet Connection
Live Internet Communicator (LIC) allows any connection or application tested inside Analyzer Pro to access the Internet and monitor and analyze the resulting network activity.
The LIC functionality enables the analyst to examine the application as it downloads active content like spyware, URL addresses, authentication information, etc. Analyzer Pro can even analyze Internet communication between bots and the command and control (C&C) botnet server. When the C&C is talking to the slave bot, Analyzer Pro allows the analyst to intercept and modify the network packets as they are sent and received, providing the transparency needed to explore the full potential of such threats.
The configuration and operation of the LIC functionality can be done through a network rule editor or in real time. The rules instruct the LIC what to do with specific nodes, addresses, applications or protocols. Rules can be added, edited or removed, acting as a filter that yields only the information the analyst requires.
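To make the rule-editor idea concrete, here is an added example (not Norman's rule syntax or code) of an ordered, first-match rule list that decides what to do with a connection attempt made by sandboxed code: pass it to the live Internet, pass it while logging, or block it. A rule may constrain any combination of protocol, destination network (IP or CIDR), destination port and originating application; an unset field matches anything, and the default when no rule matches is to block, since letting unknown sample traffic out is the risky direction. The `NetRule`/`Connection` types, the action names and the sample rules are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NetRule:
    action: str                      # "allow", "log" or "block" (assumed action set)
    protocol: Optional[str] = None   # e.g. "TCP", "HTTP", "IRC"; None matches any
    network: Optional[str] = None    # single IP or CIDR, e.g. "203.0.113.0/24"
    port: Optional[int] = None       # destination port; None matches any
    application: Optional[str] = None  # sandboxed process name; None matches any
    comment: str = ""


@dataclass
class Connection:
    """One outbound connection attempt observed inside the sandbox."""
    application: str
    protocol: str
    dest_ip: str
    dest_port: int


def rule_matches(rule, conn):
    """Every field set on the rule must agree with the connection."""
    if rule.protocol and rule.protocol.lower() != conn.protocol.lower():
        return False
    if rule.port is not None and rule.port != conn.dest_port:
        return False
    if rule.application and rule.application.lower() != conn.application.lower():
        return False
    if rule.network:
        net = ipaddress.ip_network(rule.network, strict=False)
        if ipaddress.ip_address(conn.dest_ip) not in net:
            return False
    return True


def evaluate(rules, conn, default="block"):
    """First matching rule wins; returns (action, rule) or (default, None)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule
    return default, None


# Constructed rule set for a hypothetical analysis session (addresses are
# documentation ranges, not real infrastructure).
SAMPLE_RULES = [
    NetRule("log", protocol="TCP", port=6667,
            comment="let the sample reach its IRC C&C but record every packet"),
    NetRule("block", protocol="TCP", port=25,
            comment="never allow the sample to actually deliver mail"),
    NetRule("allow", protocol="HTTP", network="203.0.113.0/24",
            application="sample.exe",
            comment="permit downloads from the one host range under study"),
]


def decide_all(rules, connections):
    """Evaluate a batch of attempts and return (connection, action) pairs."""
    return [(c, evaluate(rules, c)[0]) for c in connections]


if __name__ == "__main__":
    attempts = [
        Connection("sample.exe", "TCP", "192.0.2.10", 6667),
        Connection("sample.exe", "TCP", "192.0.2.25", 25),
        Connection("sample.exe", "HTTP", "203.0.113.7", 80),
        Connection("sample.exe", "HTTP", "198.51.100.7", 80),
    ]
    for conn, action in decide_all(SAMPLE_RULES, attempts):
        print(f"{conn.application} -> {conn.dest_ip}:{conn.dest_port} ({conn.protocol}): {action}")
```

Because the list is evaluated in order, a narrow "allow" placed before a broad "block" is the way to open a single exception; swapping the two silently changes the outcome, which is why a rule editor that lets the analyst reorder rules matters as much as one that lets them add and remove rules.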
Exploit Code
SandBox Analyzer products now have the ability to detect and analyze not only executable code, but also exploit code concealed in Microsoft Office documents and other popular exploitable file formats. Arbitrary code execution is becoming a greater problem every day, especially when it comes in the form of a zero-day exploit. The ability to quickly understand these exploits using Norman's SandBox technology saves analysts a great deal of effort, not to mention avoiding the impact these exploits would otherwise have on users and organizations.
Advanced Packer Support
Packers are increasing in use, with trends moving toward more complex protectors like Themida, Enigma, and Slovak Protector (SVKP). These technologies are readily available as both free and commercial applications, making it easy for any malware author not skilled enough to write self-defending code themselves to build it into their malicious applications. In general, packers and protectors are not a problem for SandBox. As a fully emulated Windows system, the executable simply runs through the protection mechanisms as it would on a real system.
Rootkits
Norman SandBox is able to detect rootkit activity when malicious code attempts to inject its own code or custom behavior into other applications, drivers, or the host SandBox operating system.