Buster Sandbox Analyzer for Sandboxie
Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to system and then evaluate if they are malware suspicious.
The changes made to system can be of several types: file system changes, registry changes and port changes.
A file system change happens when a file is created, deleted or modified. Depending of what type of file has been created (executable, library, javascript, batch, etc) and where was created (what folder) we will be able to get valuable information.
Registry changes are those changes made to Windows registry. In this case we will be able to get valuable information from the modified value keys and the new created or deleted registry keys.
Port changes are produced when a connection is done outside, to other computers, or a port is opened locally and this port starts listening for incoming connections.
From all these changes we will obtain the necessary information to evaluate the "risk" of some of the actions taken by sandboxed applications.
Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur.
Even if Buster Sandbox Analyzer's main goal is to evaluate if sandboxed processes have a malware behaviour, the tool can be used also to simply obtain a list of changes made to system, so if you install a software you will know exactly what installs and where.
Additionally apart of system changes we can consider other actions as malware suspicious: keyboard logging, end the Windows session, load a driver, start a service, connect to Internet, etc.
All the above operations can be considered as not malicious but if they are performed when it's not expected, that's something we must take in consideration. Therefore it's not only important to consider what actions are performed. It's also important to consider if it's reasonable certain actions are performed.
Actually there are several webs and software doing the same task than Buster Sandbox Analyzer.
Web services:
http://www.joebox.org
(Joebox)
http://anubis.iseclab.org
(Anubis)
http://www.norman.com/security_center/security_tools/submit_file|
(Norman)
http://mwanalysis.org/
(Sunbelt's CWSandbox)
http://www.threatexpert.com
(Threat Expert)
http://camas.comodo.com/cgi-bin/submit
(Comodo Instant Malware Analysis)
http://autovin.pandasecurity.my/?page_id=332
(Autovin - Automated Tools for Virus Incidents)
https://aerie.cs.berkeley.edu/
(BitBlaze Malware Analysis Service)
http://eureka.cyber-ta.org/
(EUREKA Malware Analysis)
http://www.xandora.net/xangui/
(Xandora Binary Analyser)
http://malbox.xjtu.edu.cn/
(Malbox)
http://vicheck.ca/
(ViCheck)
Malware analyzing software:
http://www.cuckoobox.org
(Cuckoo)
http://www.norman.com/enterprise/all_products/malware_analyzer/
(Norman Sandbox Analyzer)
http://cert.at/downloads/software/minibis_en.html
(Minibis)
http://zerowine.sourceforge.net
(Zero Wine)
http://zerowine-tryout.sourceforge.net/
(Zero Wine Tryouts)
Web services are free of charge and can be used publicly.
Zero Wine is an open source project but it has been abandoned lately.
Zero Wine Tryouts seems to be a resumed version of Zero Wine.
Norman Sandbox Analyzer is a professional malware analyzer and it's oriented to professionals.
Buster Sandbox Analyzer is freeware. If you like this software, please, buy a license of Sandboxie.
Homepage
Forum
1.37 beta 1
The changes made to system can be of several types: file system changes, registry changes and port changes.
A file system change happens when a file is created, deleted or modified. Depending of what type of file has been created (executable, library, javascript, batch, etc) and where was created (what folder) we will be able to get valuable information.
Registry changes are those changes made to Windows registry. In this case we will be able to get valuable information from the modified value keys and the new created or deleted registry keys.
Port changes are produced when a connection is done outside, to other computers, or a port is opened locally and this port starts listening for incoming connections.
From all these changes we will obtain the necessary information to evaluate the "risk" of some of the actions taken by sandboxed applications.
Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur.
Even if Buster Sandbox Analyzer's main goal is to evaluate if sandboxed processes have a malware behaviour, the tool can be used also to simply obtain a list of changes made to system, so if you install a software you will know exactly what installs and where.
Additionally apart of system changes we can consider other actions as malware suspicious: keyboard logging, end the Windows session, load a driver, start a service, connect to Internet, etc.
All the above operations can be considered as not malicious but if they are performed when it's not expected, that's something we must take in consideration. Therefore it's not only important to consider what actions are performed. It's also important to consider if it's reasonable certain actions are performed.
Actually there are several webs and software doing the same task than Buster Sandbox Analyzer.
Web services:
http://www.joebox.org
(Joebox)
http://anubis.iseclab.org
(Anubis)
http://www.norman.com/security_center/security_tools/submit_file|
(Norman)
http://mwanalysis.org/
(Sunbelt's CWSandbox)
http://www.threatexpert.com
(Threat Expert)
http://camas.comodo.com/cgi-bin/submit
(Comodo Instant Malware Analysis)
http://autovin.pandasecurity.my/?page_id=332
(Autovin - Automated Tools for Virus Incidents)
https://aerie.cs.berkeley.edu/
(BitBlaze Malware Analysis Service)
http://eureka.cyber-ta.org/
(EUREKA Malware Analysis)
http://www.xandora.net/xangui/
(Xandora Binary Analyser)
http://malbox.xjtu.edu.cn/
(Malbox)
http://vicheck.ca/
(ViCheck)
Malware analyzing software:
http://www.cuckoobox.org
(Cuckoo)
http://www.norman.com/enterprise/all_products/malware_analyzer/
(Norman Sandbox Analyzer)
http://cert.at/downloads/software/minibis_en.html
(Minibis)
http://zerowine.sourceforge.net
(Zero Wine)
http://zerowine-tryout.sourceforge.net/
(Zero Wine Tryouts)
Web services are free of charge and can be used publicly.
Zero Wine is an open source project but it has been abandoned lately.
Zero Wine Tryouts seems to be a resumed version of Zero Wine.
Norman Sandbox Analyzer is a professional malware analyzer and it's oriented to professionals.
Buster Sandbox Analyzer is freeware. If you like this software, please, buy a license of Sandboxie.
Homepage
Forum
1.37 beta 1
2 comments:
Nice info.
Released Buster Sandbox Analyzer 1.37.
Changes:
* Improved hiding feature
* Updated BSA.DAT
* Removed evaluation risk feature
* Fixed several bugs
Part of the improved hiding feature is the possibility of naming LOG_API.DLL with the file name you prefer.
Evaluation risk was removed from malware analysis report because it was
too misleading. Probably I will reintroduce the feature in the near
future but having other format.
Post a Comment
We would appreciate if you as readers of our blog, show us some feedback by signing up to this site with Friend Connect.
This will encourage us to publish updates in the future.