Finally, there is CWSandbox, a result of the diploma thesis of Carsten Willems that is being further improved and is still under development. A free research version as well as a commercial one can be retrieved from Sunbelt Software. More information and a live sandbox can be found at www.cwsandbox.org and www.sunbeltsandbox.com.
In the following sections of this chapter we describe malware analysis using the CWSandbox tool. First we introduce the general sandbox architecture and its components. Then a sample analysis report for a very simple bot application is presented and explained. After that, we give a detailed description of how to use the sandbox in real malware analysis, along with many useful, real examples of the different malicious actions that are usually performed by a bot. That part of the chapter will give you the knowledge and ability to read an analysis report and identify the important malicious internals of the analyzed bot software. Finally, we present some results we have achieved on our live sandbox systems by successfully analyzing more than 10,000 malware samples.
Describing CWSandbox
CWSandbox is an application for the automatic behavior analysis of malware. This dynamic analysis is performed by executing the malicious application in a controlled environment and catching all its relevant calls to the Windows API. Because these API calls are used for accessing Windows system resources such as files, the registry, or the network, all the malware's actions can be examined. In a second step, a high-level summarized report is generated from this monitored data. Since one focus lies in the analysis of bots, a great deal of effort is spent on extracting and evaluating the network traffic data.
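To make the two-step architecture concrete, here is an added example (not CWSandbox's own code) that takes a constructed trace of monitored API calls in a made-up `api|arg1|arg2` line format and folds it into the kind of high-level report described above, with network activity singled out; it also shows the MD5-based sample naming used in this chapter. The trace format, the autostart key list, and the IRC port set are assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed trace in a made-up "api|arg1|arg2" line format; it is NOT
# CWSandbox's real log format, only a stand-in for the monitored API calls.
SAMPLE_TRACE = """\
CreateFileW|C:\\WINDOWS\\system32\\winhlp.exe|GENERIC_WRITE
RegSetValueExW|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|WinHelp
connect|203.0.113.10|6667
send|203.0.113.10|NICK usa-xp-123
CreateFileW|C:\\WINDOWS\\system32\\drivers\\etc\\hosts|GENERIC_READ
"""

# Assumed heuristics: registry autostart locations and common IRC ports.
AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
IRC_PORTS = {6667, 6668, 6669, 7000}


def sample_name(content: bytes) -> str:
    """Name a sample after its MD5 hash, as the chapter does for its bot."""
    return hashlib.md5(content).hexdigest() + ".exe"


def summarize(trace: str) -> dict:
    """Second step of the analysis: fold raw API calls into a summarized report."""
    report = defaultdict(list)
    for line in trace.splitlines():
        api, *args = line.split("|")
        if api == "CreateFileW":
            # Group file accesses by intent so the report reads as actions, not calls.
            bucket = "files_written" if "WRITE" in args[1] else "files_read"
            report[bucket].append(args[0])
        elif api == "RegSetValueExW":
            key, value = args
            bucket = "autostart_entries" if key.endswith(AUTOSTART_KEYS) else "registry_writes"
            report[bucket].append(f"{key}\\{value}")
        elif api == "connect":
            host, port = args[0], int(args[1])
            kind = "irc" if port in IRC_PORTS else "tcp"
            report["connections"].append((host, port, kind))
        elif api == "send":
            # Keep sent payloads so the analyst can see the bot's C&C dialogue.
            report["payloads"].append((args[0], args[1]))
    return dict(report)


def looks_like_irc_bot(report: dict) -> bool:
    """Flag the combination of an autostart entry plus an IRC connection."""
    irc = any(kind == "irc" for _, _, kind in report.get("connections", []))
    return irc and bool(report.get("autostart_entries"))
```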
To give an intuitive image of the sandbox in advance, let's look at a short example. It shows the analysis of a bot application that was collected by a honeypot. We will use this bot as a basic example in this chapter because it is a simple one but comprises most of the techniques and actions that are characteristic of most of the bots currently available. It is named Backdoor.IRCBot.S by BitDefender, BackDoor.Generic4.VT by AVG, and Backdoor.Win32.IRCBot.yc by Kaspersky. Because of the nature of its origin, the name chosen by us is based on its MD5 hash value; therefore, it is 82f78a89bde09a71ef99b3cedb991bcc.exe. To start analysis in CWSandbox, the following command is used: