Chapter 10
Using Sandbox Tools for Botnets

Solutions in this chapter:
■ Describing CWSandbox
■ Examining a Sample Analysis Report
■ Interpreting an Analysis Report
■ Bot-Related Findings of Our Live Sandbox

Summary
Solutions Fast Track
Frequently Asked Questions
427_Botnet_10.qxd 1/9/07 3:06 PM Page 345
Introduction

There are several ways to obtain information about botnets and in particular about the bot applications seen in the previous chapters, especially in Chapters 5 and 7. One approach to analyzing this kind of software and learning more about its internals and the underlying communication method and infrastructure is to execute it in a so-called sandbox.

Sandboxes are a common concept in computer security and are used to execute program code that comes from unverified or untrusted sources. A sandbox offers a monitored and controlled environment such that the unknown software cannot do any harm to the real hosting computer system. This can be achieved by blocking some critical operations but permitting other operations while monitoring them. Alternatively, you could implement a complete virtual environment where processor, memory, and the file system are simulated and the real system is not accessible to the tested application. In malware analysis, the main purpose of a sandbox normally is not to block accesses to the system resources but to monitor those accesses. Usually a virtual machine or some other mechanism is used by which the system can be brought back into a clean and uninfected initial state after an analysis run, so the protection of the underlying system is not so important. This form of analysis is called behavior analysis, in contrast to code analysis, where the program instructions are examined with the help of a disassembler or a debugger.
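The monitor-rather-than-block idea described above, as an added illustration that is not code from the book or from any of the sandbox products it discusses: a toy behavior-analysis harness in Python that hooks two "system" entry points (file open and socket connect), records every use of them in an event list that becomes the report, blocks the one operation treated as critical (outbound network), redirects file writes into a disposable directory, and throws that directory away afterwards so the host returns to its clean initial state. The sample it runs is a constructed, harmless stand-in for a bot (the file name, the TEST-NET address 192.0.2.10 and port 6667 are assumptions made for the example); real sandboxes hook the Windows API far below the Python level, so this only shows the shape of the technique.

```python
# Added example: toy behavior-analysis sandbox (not code from the book).
# Hooks builtins.open and socket.socket.connect, records every call,
# blocks outbound connections, redirects writes into a disposable
# directory, and removes that directory afterwards (clean initial state).
import builtins
import json
import os
import shutil
import socket
import tempfile
from contextlib import contextmanager


class BehaviorSandbox:
    """Monitors the file and network actions of a callable 'sample'."""

    def __init__(self, block_network=True):
        self.block_network = block_network
        self.events = []          # the analysis report is built from these
        self.root = None          # disposable file-system area for one run

    def _record(self, action, **detail):
        self.events.append({"action": action, **detail})

    @contextmanager
    def monitored(self):
        """Install the hooks, hand control to the caller, then clean up."""
        orig_open = builtins.open
        orig_connect = socket.socket.connect
        self.root = tempfile.mkdtemp(prefix="sandbox_")
        sandbox = self

        def hooked_open(file, mode="r", *args, **kwargs):
            # Monitor: log the path the sample asked for, not the redirected one.
            sandbox._record("file", path=str(file), mode=mode)
            if any(flag in mode for flag in "wax+"):
                # Writes land in the disposable area, never on the real host.
                file = os.path.join(sandbox.root, os.path.basename(str(file)))
            return orig_open(file, mode, *args, **kwargs)

        def hooked_connect(sock, address):
            # Monitor, then block: the critical operation is logged and refused.
            sandbox._record("network", host=address[0], port=address[1])
            if sandbox.block_network:
                raise OSError("sandbox: outbound connection blocked")
            return orig_connect(sock, address)

        builtins.open = hooked_open
        socket.socket.connect = hooked_connect
        try:
            yield self
        finally:
            builtins.open = orig_open
            socket.socket.connect = orig_connect
            shutil.rmtree(self.root, ignore_errors=True)   # back to a clean state

    def report(self):
        """The analysis report: every observed action, as JSON."""
        return json.dumps(self.events, indent=2)


def constructed_sample():
    """Constructed, harmless stand-in for a bot: drops a file, then 'phones home'."""
    with open("dropped.txt", "w") as handle:
        handle.write("constructed sample was here\n")
    sock = socket.socket()
    try:
        sock.connect(("192.0.2.10", 6667))   # assumed C&C address (TEST-NET), IRC port
    except OSError:
        pass                                 # the sandbox refused the connection
    finally:
        sock.close()


def analyze(sample):
    """Run a sample inside the sandbox and return the list of observed actions."""
    sandbox = BehaviorSandbox(block_network=True)
    with sandbox.monitored():
        sample()
    return sandbox.events


def host_is_clean(path="dropped.txt"):
    """True when the sample's dropped file never reached the real working directory."""
    return not os.path.exists(path)


if __name__ == "__main__":
    for event in analyze(constructed_sample):
        print(event)
    print("host clean:", host_is_clean())
```

Running the block prints two events, a file write to dropped.txt and a blocked connection attempt to port 6667, and confirms that nothing was left behind on the host. The point worth taking from it is the division of labour the chapter describes: the hooks exist to observe and report, and the clean-up step, not the blocking, is what protects the analysis machine.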
There are several software tools that perform such behavior analysis by executing a sample in some form of sandbox, which monitors the performed actions and then creates an analysis report of these actions. One candidate is the Norman SandBox, which was developed by Norman ASA, a Norwegian company that has specialized in data security. Norman simulates a whole computer system and a connected network. The implementation details and a description of the underlying technology can be found in the company's Sandbox Whitepaper.[1] A live version of the sandbox is online at http://sandbox.norman.no/live.html, where everyone can submit malware samples and get an analysis report by e-mail.
Another product is TTAnalyze, developed by Ulrich Bayer of Ikarus Software GmbH, in cooperation with the Technical University of Vienna. TTAnalyze uses the PC emulator QEMU to run a complete Windows operating system inside of it. In this emulated system, the technique of API