Tuesday, 15 February 2011

Online Sandboxes: Better Security

Online sandboxes are very useful services that anyone should consider from time to time to get an idea of what an unknown file or website does. It is now possible, without installing anything, to check what a file does on an operating system and what changes it makes.
These services execute malware in a monitored environment so that you do not risk your own system while performing behaviour analysis. They record all changes to the file system, registry keys and network traffic during execution, and then provide the user with a report containing the various pieces of information gathered about the malicious file.

ThreatExpert is a public sandbox that executes the malicious file in a virtual environment and reports the changes made to the file system, registry keys and all network traffic. It takes a snapshot before execution and compares it to another one taken after the malware has run. Briefly, a ThreatExpert report contains the following:
  • Files, processes and registry keys created by executing the malware
  • IP addresses contacted by the malware
  • The probable country of origin of the malware
  • Screenshots, if pop-ups or new browser windows are opened
  • Information about the category of the malware
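The snapshot-and-compare approach described above for ThreatExpert, as an added example (not code from the original post or from ThreatExpert): a directory tree stands in for the monitored system, and a constructed callable stands in for the sample; the snapshot is a map of file path to SHA-1, and the diff classifies files as created, modified or deleted.

```python
# Added example: minimal snapshot-and-compare behaviour check.
# Assumptions: the watched "system" is a directory tree, and the sample
# is any callable (here a constructed stand-in that drops/edits/deletes files).
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative path) to its SHA-1 hash."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha1(path.read_bytes()).hexdigest()
            state[str(path.relative_to(root))] = digest
    return state


def diff_snapshots(before, after):
    """Classify differences between a before and an after snapshot."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def run_in_sandbox(root, sample):
    """Snapshot, run the sample against root, snapshot again, return the diff."""
    before = snapshot(root)
    sample(root)
    after = snapshot(root)
    return diff_snapshots(before, after)


def constructed_sample(root):
    """Constructed stand-in for a sample: drops a file, edits one, removes one."""
    (Path(root) / "dropped.exe").write_bytes(b"MZ constructed payload")
    (Path(root) / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")
    (Path(root) / "to_remove.log").unlink()


def demo():
    """Build a throwaway tree, run the constructed sample, return the report."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "hosts").write_text("127.0.0.1 localhost\n")
        (Path(root) / "to_remove.log").write_text("old\n")
        (Path(root) / "untouched.dll").write_bytes(b"\x00" * 16)
        return run_in_sandbox(root, constructed_sample)
```

A real sandbox extends the same idea to registry keys, process lists and captured network traffic, and hashes of the created files feed directly into a hash lookup such as MHR.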
ebox is another public sandbox that allows building large distributed systems and infrastructures to collect, analyse, evaluate and fight malware. You can choose to execute your malware on Windows XP, Windows Vista or Windows 7, and you can write scripts in AutoIt that will automatically perform your tasks; some examples are already available on the website.
What we can add to all the previous malware-analysis tools is WinMHR by Team Cymru (pronounced kum-ree). MHR is a free online service that looks up the suspicious file's MD5 or SHA1 hash against a registry of known malware and returns the result. You can install it on your computer or use the Firefox plugin, which checks any downloaded file before it is executed. MHR helps identify known problems so you can take action at an early stage.


CWSandbox is another public sandbox, but it works by DLL code injection: the injected DLL hooks Windows API functions to record the malware's behaviour during the analysis. This gives good results, but if a malware sample bypasses the hooks and calls kernel code directly, its activity will go unmonitored. Looking at most malware, however, there is no issue in using CWSandbox.
The free online interface of CWSandbox allows submitting Windows PE files; if you want more flexibility to submit files, URLs, BHOs or zipped files, you need the commercial version. The commercial version also lets you submit files via e-mail, nepenthes honeypots or a server folder.

1 comment:

  1. The site has turned out great.. \m/
    keep working guys... the owner can relax now :P :D
