Lately, I've been more and more interested in malware analysis... I've been gathering viruses I receive and watching how they operate inside VMs. Due to this interest I've added more blogs to my seemingly never-ending list of RSS Feeds... Today a very interesting one came across the wire. Sunbelt Software had a blog posting announcing the official launch of CWSandbox. I must say, the software looks pretty damn cool.
Essentially, the malware you submit is executed in what I'm guessing is a VM environment. The software works by injecting itself into the sample in much the same way malware injects itself into other processes, and it has several mechanisms to keep the malware from detecting it. CWSandbox then monitors file system, registry and network activity, along with any other applications the sample touches, and extracts data of interest (FTP or IRC login credentials, for example).
One of the more interesting features is that the analysis follows the sample's children. If I upload Malware A, and it extracts or downloads Malware B and Malware C, CWSandbox tracks the execution of both of those as well to see exactly what they do.
In order to test this software, I went with a variant of the Stration Virus. It's something that I've followed previously and taken a look at a bit in the past ( Links to information I've posted on the subject: 1 | 2 | 3).
It initially took a few attempts to upload the malware. Every time I went to submit it, my AV would step in and wipe the file, so I was constantly being returned to this report. I knew something was off because the file size was reported as 1 byte. I finally put the malware into a VM and had no problem submitting it. The time from submission to the analysis email was about 3 minutes... This was fairly impressive, although I wonder whether the quickness of the analysis means they miss anything that is time-delayed, or whether they wait until all the processes finish executing.
I had the option of receiving the analysis via email in either text or HTML. I opted for the HTML version, which is essentially what is presented on their website if you enter the ID on the ViewMalware page (example: Stration Sample - ID 3247). From that page you can download a CAB file and the analysis as XML. The CAB file contains the XML analysis plus a series of logs (process info) and mappings for each process that ran, including a collection of .dat files, which I assume are the files touched by the malware: they are stored in proc_X folders (where X is the process number), each with a created_files folder holding the .dat files.
For each process you receive a detailed list that includes (where applicable):
- Parent ID
- Process ID
- File Name (CWSandbox creates the file as .exe when you upload it)
- MD5
- Start Reason (The initial upload was AnalysisTarget, all others seemed to be CreateProcess)
- Termination Reason (I saw timeout and NormalTermination as two of the possible reasons)
- Start Time
- Stop Time
- Detection (Results from various AV software: Authentium Command AV, BitDefender AV, Microsoft Malware Protection and Norton AV)
- DLL-Handling
- FileSystem (Files Created, Files Opened and a chronological ordering of the actions)
- Process Management (Command line execution and which user executed them)
- Mutexes (Created Mutexes)
- Registry (Displays Reads, Enums and Creation/Open)
- Service Management (Services that were touched)
- System Info (In this case it was Get System Directory and Get Computer Name)
- User Management (Get User Name requests, User Impersonation)
- Network Activity (DNS Lookups (with resolution), UDP and TCP Requests)
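To make that report usable in bulk, here is an added Python example (my own illustration, not CWSandbox's or Sunbelt's code). It assumes you have already pulled the per-process fields above out of the XML into plain records (the report's actual XML schema is not reproduced; the PIDs, file names and reasons in PROCESSES are constructed) and that the extracted CAB follows the proc_X/created_files/*.dat layout described earlier, which I build in a throwaway directory with made-up contents. It rebuilds the parent/child process tree, flags processes that hit the sandbox timeout (the case where time-delayed behaviour would be missing from the report), hashes every dropped .dat file, and adds the pre-submission size check that would have caught the 1-byte AV-wiped upload:

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed process records shaped after the per-process fields the report
# lists (Parent ID, Process ID, File Name, Start Reason, Termination Reason).
# PIDs, names and reasons are made up for illustration; the real report's XML
# schema is not reproduced here, you would populate this list from it.
PROCESSES = [
    {"pid": 1, "parent": 0, "filename": "sample.exe",
     "start_reason": "AnalysisTarget", "termination_reason": "NormalTermination"},
    {"pid": 2, "parent": 1, "filename": "dropped_a.exe",
     "start_reason": "CreateProcess", "termination_reason": "timeout"},
    {"pid": 3, "parent": 2, "filename": "dropped_b.exe",
     "start_reason": "CreateProcess", "termination_reason": "NormalTermination"},
]


def build_tree(processes):
    """Map each parent PID to the list of PIDs it started."""
    children = defaultdict(list)
    for p in processes:
        children[p["parent"]].append(p["pid"])
    return children


def render_tree(processes, parent=0, depth=0):
    """Return indented lines showing who spawned whom and how each process ended."""
    by_pid = {p["pid"]: p for p in processes}
    children = build_tree(processes)
    lines = []
    for pid in children.get(parent, []):
        p = by_pid[pid]
        lines.append("  " * depth + f"{pid} {p['filename']} "
                     f"[{p['start_reason']} -> {p['termination_reason']}]")
        lines.extend(render_tree(processes, pid, depth + 1))
    return lines


def timed_out(processes):
    """PIDs the sandbox killed at its timeout: anything they would have done
    later (sleep-then-download, delayed payloads) is absent from the report."""
    return [p["pid"] for p in processes
            if p["termination_reason"].lower() == "timeout"]


def looks_truncated(path, minimum=64):
    """Pre-submission check: if local AV quarantines the sample mid-upload the
    sandbox sees a 1-byte file, so refuse anything implausibly small."""
    return os.path.getsize(path) < minimum


def hash_created_files(extract_dir):
    """Walk proc_<pid>/created_files/*.dat in an extracted CAB and return
    {(pid, name): (size, md5)} so dropped files can be matched against the
    per-process MD5s in the report and looked up elsewhere."""
    results = {}
    for entry in sorted(os.listdir(extract_dir)):
        if not entry.startswith("proc_"):
            continue
        pid = int(entry.split("_", 1)[1])
        created = os.path.join(extract_dir, entry, "created_files")
        if not os.path.isdir(created):
            continue
        for name in sorted(os.listdir(created)):
            with open(os.path.join(created, name), "rb") as f:
                data = f.read()
            results[(pid, name)] = (len(data), hashlib.md5(data).hexdigest())
    return results


def make_demo_layout():
    """Build a throwaway directory in the proc_X/created_files layout with
    constructed contents, standing in for an extracted report CAB."""
    root = tempfile.mkdtemp(prefix="cwsandbox_demo_")
    files = {
        (1, "dropped_a.exe.dat"): b"abc",  # constructed bytes, not real malware
        (2, "empty.dat"): b"",             # zero-length drop, worth flagging
    }
    for (pid, name), data in files.items():
        d = os.path.join(root, f"proc_{pid}", "created_files")
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    print("timed out (report may be incomplete):", timed_out(PROCESSES))
    for (pid, name), (size, md5) in hash_created_files(make_demo_layout()).items():
        print(f"proc_{pid} {name}: {size} bytes md5={md5}")
```

Run it as a script to see the tree and the hashes; in practice you would swap make_demo_layout() for the directory you expanded the CAB into, and treat any PID in timed_out() as a sample worth re-running with a longer timeout before trusting its network or file activity as complete.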
Also note that you will receive different messages depending on whether the file you upload has been seen before. For a known sample you get a direct link to the previous analysis; for a new one you are told the file has been queued and that you'll receive an email when the scan is complete...
While I had some frustration at first due to the previous results coming up, after I realized what was happening (reading instead of just quickly clicking the link), I was rather impressed.
I can see plenty of practical purposes for this product... and the fact that they do have it freely available makes it a nice addition for any research... I definitely give it two thumbs up.