Sandbox Analyzer

Product description

Overview

The Norman SandBox Analyzer is a utility meant to automate, simplify and speed up information gathering when analyzing malware. It lets users analyze a file's behavior, the actual actions the file performs, and even extracts the files the analyzed sample creates on the "SandBox HD", much faster and more effectively than manual analysis, which reduces the manpower and time needed to analyze suspicious files.

Norman SandBox Analyzer can be used as a command line application, which makes it easy to build into existing solutions, or through a regular graphical user interface that gives a fast, efficient view of the files being analyzed and lets you manage them.

How does it work?

Norman SandBox Analyzer provides a comprehensive analysis of the actions an executable file performs. After the file has been processed it generates two reports: an in-depth, call-by-call API log and a summary report.

The summary report includes the following information blocks:

  • File/Malware category, e.g. W32/Backdoor, W32/Worm, W32/Downloader, etc.
  • Changes to the computer's file system.
  • Changes to the registry and system settings.
  • Network services details.
  • Process and window information.

Norman SandBox Analyzer in more detail

Operation

Operating Norman SandBox Analyzer is straightforward: install the analyzer in a folder of your choice on the computer you want to use for analysis, give it the path of the file(s) you want to analyze and press Enter. Depending on the parameters you have entered, the output is available in just a few seconds. Parameters include creating a full API log, a SandBox summary, and extracting all files the analyzed sample created on the SandBox "hard drive".

The SandBox Analyzer can also handle a large number of files, generating the requested information without user intervention. As the sample executes, the sandbox monitors and assesses the behavior of the suspicious file.

Norman SandBox is the core component of Norman SandBox Analyzer. The module supports Windows functions such as Winsock, Kernel and MPR, and also supports network and Internet protocols such as HTTP, FTP, SMTP, DNS, IRC and P2P. In other words, it is a fully simulated computer, isolated inside the Norman SandBox Analyzer (NSA) application.

The simulator provides full ROM BIOS capabilities, simulated hardware, simulated hard drives and so on. It emulates the entire bootstrap of a regular system: at boot time it loads the operating system files and the command shell from the simulated drive, which contains the directories and files that are necessary parts of the system, mirroring the system files found on a physical hard drive.

The file to be analyzed is loaded onto the simulated hard disk and started in the simulated environment, where it may do whatever it wants: infect files, delete files, copy itself over networks, connect to an IRC server, send e-mails, set up listening ports. Every action it takes is recorded by the antivirus program, because it is the emulator that performs those actions on the sample's behalf, interpreting the code in the file. No code from the sample is executed on the real CPU; only the antivirus emulator engine runs there, and even the hardware of the simulated PC is emulated.

The aim is to determine what the program would have done had it been allowed to run unhindered on an unprotected machine. After the file has finished, an API log and a summary report are generated that describe the file's actions in clear text. Note that the reports describe behavior observed under emulation: a sample that checks for an emulated environment, or that waits for a reply from a real server or for user input, may not reveal everything it would do on a physical machine.

SandBox Analyzer - GUI

The report

The Norman SandBox Analyzer summary describes the file's behavior: the actions it performs on the simulated victim's file system, registry and system settings, and the elements it sets up to enable external communication.

The summary is distilled from the API log, which gives a detailed, call-by-call account of the file's actions.

Example of a NSA summary

D:\VIRUS\MYTEST.EX_ : W32/Backdoor
====> Sandbox output:
[ General information ]
* IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD).
* Display message box (sample) : sample, te amo!.
* Display message box (KERN32) : KERN32, te amo!.
* File length: 58368 bytes.
* MD5 hash: 60a8d2e41147f48364e1eb3729ac53fb.

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\kern32.exe.
* Creates file C:\WINDOWS\SYSTEM32\kern32.exe.

[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Sets value "kernel32"="C:\WINDOWS\SYSTEM32\kern32.exe -sys" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".

[ Changes to system settings ]
* Creates WindowsHook monitoring keyboard activity.

[ Network services ]
* Connects to "200.223.3.130" on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser[FRK][19].
* IRC: Uses username SErVERINO.
* IRC: Joins channel #Sl4cK_r0oT.

[ Process/window information ]
* Creates a mutex ZZM9H9YY.
* Creates a mutex SrVFrK.

A short example of an API log

Looking closely, you will see that this API log comes from the same file as the SandBox summary above: the CopyFileA, RegSetValueExA and CreateMutexA calls correspond to the summary's file, registry and mutex entries.

KERNEL32!CopyFileA ("C:\WINDOWS\SYSTEM32\KERN32.EXE",
   "C:\WINDOWS\SYSTEM32\kern32.exe",0x00000000)
KERNEL32!GetFileAttributesA ("C:\WINDOWS\SYSTEM32\kern32.exe")
KERNEL32!GetFileAttributesA ("C:\WINDOWS\SYSTEM32\kern32.exe")
KERNEL32!CreateFileA ("C:\WINDOWS\SYSTEM32\KERN32.EXE",0x80000000,
   0x00000000,0x00000000,0x00000003,0x00000000,0x00000000)
KERNEL32!SetFileAttributesA ("C:\WINDOWS\SYSTEM32\kern32.exe",0x00000006)
ADVAPI32!RegCreateKeyExA (0x80000002,"Software\Microsoft\Windows\
   CurrentVersion\RunOnce",0x00000000,NULL,0x00000000,0x000F003F,0x00000000,
   0x4FD01154,0x00000000)
ADVAPI32!RegSetValueExA (0x7200214B,"kernel32",0x00000000,0x00000001,
   "C:\WINDOWS\SYSTEM32\kern32.exe -sys",0x00000023)
ADVAPI32!RegCloseKey (0x7200214B)
KERNEL32!CreateMutexA (0x00000000,0x00000000,"SrVFrK")
KERNEL32!GetLastError ()
KERNEL32!CreateThread (0x00000000,0x00000000,0x004027B9,0x74116F00,
   0x00000004,0x74116F00)
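Both report formats are plain text, so an analyst will usually want to turn them into structured indicators rather than read them by hand. The following Python script is an added example, not Norman's code or part of the product: it parses the summary report and the API log shown above (both re-typed here as constructed sample input), extracts the hash, file, registry, network and IRC indicators, and then cross-checks the summary's persistence claim against the raw ADVAPI32 registry calls. The Run/RunOnce autostart rule and the mapping of HKEY root handles (0x80000002 is HKEY_LOCAL_MACHINE) are the analyst's own assumptions, not something the product documents.

```python
# Added example (not Norman's code): parse the SandBox summary and API log shown
# above into indicators, then cross-check the summary's persistence claim against the
# raw registry calls. Inputs are re-typed from this page as constructed sample data;
# the Run/RunOnce rule is the analyst's own, not a documented product feature.
import re
from collections import defaultdict

SUMMARY = r"""D:\VIRUS\MYTEST.EX_ : W32/Backdoor
[ General information ]
* MD5 hash: 60a8d2e41147f48364e1eb3729ac53fb.
[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\kern32.exe.
* Creates file C:\WINDOWS\SYSTEM32\kern32.exe.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Sets value "kernel32"="C:\WINDOWS\SYSTEM32\kern32.exe -sys" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
[ Network services ]
* Connects to "200.223.3.130" on port 6667 (TCP).
* IRC: Uses nickname CurrentUser[FRK][19].
* IRC: Joins channel #Sl4cK_r0oT.
"""
API_LOG = r"""ADVAPI32!RegCreateKeyExA (0x80000002,"Software\Microsoft\Windows\
   CurrentVersion\RunOnce",0x00000000,NULL,0x00000000,0x000F003F,0x00000000,
   0x4FD01154,0x00000000)
ADVAPI32!RegSetValueExA (0x7200214B,"kernel32",0x00000000,0x00000001,
   "C:\WINDOWS\SYSTEM32\kern32.exe -sys",0x00000023)
ADVAPI32!RegCloseKey (0x7200214B)
KERNEL32!GetLastError ()
"""

HEADER = re.compile(r"^(?P<sample>.+?) : (?P<category>\S+)$")
BULLET = re.compile(r"^\* (?P<text>.+?)\.?$")       # the report ends each line with "."
API_CALL = re.compile(r"^(?P<module>\w+)!(?P<func>\w+) \((?P<args>.*)\)$")
AUTOSTART = re.compile(r"\\(Run|RunOnce|RunServices)$", re.I)
ROOTS = {"0x80000000": "HKCR", "0x80000001": "HKCU", "0x80000002": "HKLM", "0x80000003": "HKU"}

def parse_summary(text):
    """Summary report -> dict of indicator lists keyed by indicator type."""
    iocs = defaultdict(list)
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if m := HEADER.match(lines[0]):
        iocs["sample"], iocs["category"] = [m["sample"]], [m["category"]]
    for line in lines[1:]:
        if not (b := BULLET.match(line)):
            continue                                 # "[ section ]" headers carry no IOC
        t = b["text"]
        if m := re.match(r"MD5 hash: ([0-9a-f]{32})", t):
            iocs["md5"].append(m[1])
        elif m := re.match(r"(Creates|Deletes) file (.+)", t):
            iocs["file_" + m[1].lower()].append(m[2])
        elif m := re.match(r'Sets value "(.+?)"="(.*?)" in key "(.+)"', t):
            iocs["reg_value"].append((m[3], m[1], m[2]))  # (key, name, data)
        elif m := re.match(r'Connects to "(\S+)" on port (\d+) \((TCP|UDP)\)', t):
            iocs["connect"].append((m[1], int(m[2]), m[3]))
        elif m := re.match(r"IRC: (?:Uses|Joins) (nickname|username|channel) (\S+)", t):
            iocs["irc_" + m[1]].append(m[2])
    return iocs

def persistence(iocs):
    """Autostart values whose command launches a file the sample itself wrote."""
    created = {p.lower() for p in iocs["file_creates"]}
    hits = []
    for key, name, data in iocs["reg_value"]:
        exe = re.match(r'"?([^"]+?\.exe)', data, re.I)
        if AUTOSTART.search(key) and exe and exe[1].lower() in created:
            hits.append((key, name, exe[1]))
    return hits

def parse_api_log(text):
    """Re-join wrapped lines, then split each call into (module, function, [args])."""
    joined = []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace() and joined:
            joined[-1] += line.strip()               # an indented line continues the call above
        else:
            joined.append(line.strip())
    calls = []
    for line in joined:
        if m := API_CALL.match(line):
            args = [a.strip().strip('"') for a in re.findall(r'"[^"]*"|[^,]+', m["args"])]
            calls.append((m["module"], m["func"], args))
    return calls

def persistence_from_api(calls):
    """Replay the registry calls: values written while a Run/RunOnce key is open."""
    open_key, hits = None, []
    for _, func, args in calls:
        if func in ("RegCreateKeyExA", "RegOpenKeyExA") and len(args) > 1:
            key = ROOTS.get(args[0], args[0]) + "\\" + args[1]
            open_key = key if AUTOSTART.search(key) else None
        elif func == "RegSetValueExA" and open_key and len(args) > 4:
            hits.append((open_key, args[1], args[4]))   # (key, value name, data)
        elif func == "RegCloseKey":
            open_key = None
    return hits

if __name__ == "__main__":
    iocs = parse_summary(SUMMARY)
    print(iocs["category"], iocs["md5"], iocs["connect"], persistence(iocs))
    print(persistence_from_api(parse_api_log(API_LOG)))
```

The API-log replay is deliberately independent of the summary: it reconstructs the RunOnce entry from the root handle, subkey and RegSetValueExA arguments alone, so a disagreement between the two functions would point at either a parsing mistake or a summary line that the raw calls do not support. Real logs wrap long calls across indented lines, which is why the parser re-joins continuation lines before splitting arguments.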

System requirements

  • Pentium III or higher
  • 512 MB RAM or more
  • At least 50 MB free hard drive space
  • Operating system: Windows 2000/2003 or XP

More information - testing or purchasing the product

Click here and fill in the form to purchase or test the product, or to request more information.

Click Norman SandBox Analyzer - Return on investment (ROI) calculator if you are interested in calculating your savings compared to manual analysis.