c:\cwsandbox.exe TARGET_FILENAME=82f78a89bde09a71ef99b3cedb991bcc.exe
The sandbox then starts the malware and monitors its actions by inspecting the API calls it performs. Figure 10.1 shows an example output of this execution. The upper main console window prints out information about the malware process and about all new processes that were started or injected. The lower event log window gives information about each monitored API function that was called by one of them. After a customizable time, all participating malware processes are terminated or stopped. Finally, a summarized, high-level XML analysis report is created from the collected data. The analysis report contains a separate section for each process that was involved and, within each of them, several subsections that contain actions of a particular type. For example, there is one subsection for accesses to the file system, one for accesses to the registry, and another for the performed network operations. Figure 10.2 shows an extract of such an XML report.
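The following is an added example, not code from the book or from CWSandbox, showing how a report laid out as just described (one section per process, typed subsections per process, one element per monitored action) can be summarized for triage. The element and attribute names (analysis, process with pid/filename/parentpid, the *_section containers and the action tags) are assumptions chosen to mirror that structure, and the sample report is constructed for the example rather than taken from Figure 10.2.

```python
"""Summarize a CWSandbox-style XML analysis report per process.

Added example; not CWSandbox code. The element and attribute names
(<analysis>, <process pid filename parentpid>, *_section containers,
one element per action) are ASSUMED to mirror the structure the text
describes, and the report itself is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report, not real CWSandbox output.
SAMPLE_REPORT = """<analysis>
  <process pid="1804" filename="C:\\82f78a89bde09a71ef99b3cedb991bcc.exe">
    <filesystem_section>
      <create_file srcfile="C:\\WINDOWS\\system32\\svchost32.exe"/>
      <delete_file srcfile="C:\\82f78a89bde09a71ef99b3cedb991bcc.exe"/>
    </filesystem_section>
    <registry_section>
      <set_value key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="svchost32"/>
      <query_value key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductId"/>
    </registry_section>
    <winsock_section>
      <connect host="irc.example.invalid" port="6667"/>
      <send size="64"/>
    </winsock_section>
  </process>
  <process pid="1912" filename="C:\\WINDOWS\\system32\\svchost32.exe" parentpid="1804">
    <winsock_section>
      <connect host="irc.example.invalid" port="6667"/>
    </winsock_section>
  </process>
</analysis>
"""

# Registry keys that give a file persistence across logons.
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def summarize_report(xml_text):
    """Return {pid: {...}} with one entry per <process> in the report.

    Mirrors the report layout the text describes: a section per process,
    typed subsections (file system, registry, network) inside it, and one
    element per monitored action inside each subsection.
    """
    # Reports come from your own sandbox; if they can originate elsewhere,
    # parse with defusedxml instead to rule out entity-expansion tricks.
    root = ET.fromstring(xml_text)
    summary = {}
    for proc in root.iter("process"):
        entry = {
            "filename": proc.get("filename"),
            "parentpid": int(proc.get("parentpid")) if proc.get("parentpid") else None,
            "actions": {},      # section tag -> Counter of action tags
            "autostart": [],    # (key, value) of writes to Run/RunOnce keys
            "connects": [],     # "host:port" of outbound connections
        }
        for section in proc:
            if not section.tag.endswith("_section"):
                continue
            entry["actions"][section.tag] = Counter(action.tag for action in section)
            for action in section:
                if action.tag == "set_value" and AUTOSTART_KEY.search(action.get("key", "")):
                    entry["autostart"].append((action.get("key"), action.get("value")))
                elif action.tag == "connect":
                    entry["connects"].append(f"{action.get('host')}:{action.get('port')}")
        summary[int(proc.get("pid"))] = entry
    return summary


def network_endpoints(summary):
    """Distinct host:port pairs contacted by any participating process."""
    return {ep for entry in summary.values() for ep in entry["connects"]}


def process_tree(summary):
    """(parent, child) pid pairs, so spawned or injected processes trace back."""
    return sorted((e["parentpid"], pid) for pid, e in summary.items() if e["parentpid"] is not None)


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    for pid, e in s.items():
        print(pid, e["filename"], dict(e["actions"]), e["autostart"], e["connects"])
    print("endpoints:", network_endpoints(s))
    print("process tree:", process_tree(s))
```

The per-section counters give the quick picture the report is meant to give (how much file, registry and network activity each process produced), while the autostart writes and contacted endpoints are the two items an analyst usually pulls out of such a report first.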
Figure 10.1 Running CWSandbox
www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10
Figure 10.2 Analysis Report
CWSandbox is not only used to create analysis reports for single malware samples but is also integrated into a bigger system, the Automated Analysis Suite (AAS). This suite consists of several software components and is used to collect and analyze malware automatically. You can see a schematic overview of the AAS in Figure 10.3. All its components are arranged around a central database, which holds the malware sample files and the resulting analysis reports. This database is filled by manual malware submission via a Web interface or by automatic collection via Nepenthes sensor hosts. Of course, the malware submission interface can also be used by other collecting mechanisms, but currently this is done only via Nepenthes. On the other side there are one or more CWSandbox hosts, where the actual analysis is performed. On such a host an instance of CWSandbox is running, periodically querying the database for new samples. If a new one is found, it is downloaded and an analysis is started on it. Afterward the resulting report is written back to the database and the system is brought back into a clean state. For this reason, on our live systems most of the CWSandbox hosts are realized as virtual machines that run under VMware, but this is only for convenience. All you need is a mechanism to reset the CWSandbox host back to a clean initial state after a performed analysis. Accordingly, this can also be done using applications like Deep Freeze, a hardware restore solution, or using a dual-boot or