These days, when many software vendors are ready to do anything to increase their incomes, including embedding adware and other unwanted programs in their products for advertising and marketing purposes, to analyse a program carefully before to run it, it’s a normal and desirable behaviour install it fully in the computer. I’m talking about less-known programs, sometimes spreaded as freeware, sometimes advertised as program that will do “miracles” in the computer and finishing dropping adware and spyware in the computer of a naïve user.
Using virtual environments as a VMware machine, or a sandbox which will emulate an Operating System are the preffered methods for analysis because they give the “peace of mind” to the researcher, the real computer opearting system can not be affected in any way by an eventual malware. Here I must mention that sometimes the malware creators are including checking code for sandboxes(e.g. Sandboxie), online emulators(e.g. http://anubis.iseclab.org/) or virtual machines(e.g. VMware) and in the case that one are detected, the program will kill its processes immediately in a try to hide their actions in an infected computer.
Maybe not for all, but for a few of you, logging the actions a program does is fascinating, “the hacking”(white-hat hacking anyway) is in human nature and the analysis are the main part of preventing computer infections.
Today we will talk about Sandboxie “add-ons”, little programs that reveal what sandboxed programs does in the sandbox helping to understand what they will do in a real operating system, and logs their actions.
Buster Sandbox Analyzer , is a tool for monitoring the behaviour of the processes from the sandbox, or simply to reveal the changes a program try to do in a system, files or registry. It can capture the network traffic generated by the analysed(sandboxed) application by using the WinPCap and using several checking procedures, the program can decide if a process has a malicious behaviour. Here is the official site of the program : http://bsa.isoftware.nl
Another program that continuously checks all sandboxes for new processes and shows the name of the sandbox and process in a balloon tip, is Sandbox Observer .
- File verification based on previously saved hash
- Exclusion list for sandboxes and processes
- Check sandboxes for missing ‘DropAdminRights’ setting
The latest version is v1.18 – BETA, with a new feature added, to scan sandboxed files with Emsisoft Commandline Scanner 5.0.
For a simple tracking of files and registry changes made in a system by a sandboxed application there is : SandboxDiff v. 2.1 , download the latest version here. It is reported to work correctly under Windows XP,Vista or 7, 32 and 64 bits. User feedback for it here.