course, the most often used port is 6667 (375 times), because this is the IRC default port. At the second position comes port 8585 (89 times), followed by 7000 (86 times). The ports 1863, 6556, 19555, and 11640 have also been seen more than 30 times each.
Figure 10.6 Dispersion of Found Channel-Password Combinations
Keep in mind that this analysis might not be representative of what you will find. It should only give you an impression of a real, live example of a running CWSandbox system.
Summary
In general, sandboxes are meant to protect the local system while executing unknown or malicious code. Protection is achieved either by blocking critical operations completely or by performing them in a virtual environment instead of on the real system. In malware research the focus is not on prohibiting malicious operations but on monitoring them. In the case of CWSandbox, nearly all actions are not blocked, since the analyzed malware should behave as normally as possible. Therefore, to protect the hosting system from a permanent infection, different mechanisms can be used to roll back the modifications that have been made during the execution. Examples of such mechanisms are the application of virtualization software such as VMWare or Virtual PC, the use of reverting tools such as DeepFreeze or Partimage, or the use of hardware restore solutions.
www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10
385
427_Botnet_10.qxd 1/9/07 3:06 PM Page 385
Some sandboxes can be integrated into a bigger process of automatic malware analysis, as is done with the Norman Sandbox or CWSandbox. Both use a database to store malware samples and the resulting analysis reports and need no human interaction for performing the analysis of many malware samples consecutively. For that purpose, CWSandbox is embedded into the Automated Analysis Suite that comes with the CWSandbox software package. The suite incorporates the honeypot tool Nepenthes to not only perform the analysis but to collect and analyze malware in an automated way. Using CWSandbox can reveal the following operations performed by the analyzed malware:
■ Reading, writing, or locating objects of the local file system, .ini files, or the registry
■ Finding active local antivirus or security software
■ Starting new or terminating active applications
■ Injecting malicious code into running processes
■ Reading or modifying the virtual memory of running processes
■ Installing, starting, or deactivating Windows Services
■ Enumerating, creating, or removing local users
■ Reading or writing data from or to the Windows Protected Storage
■ Enumerating, creating, removing, and modifying Windows network shares
■ Loading and unloading dynamic link libraries (DLLs)
■ Querying system information, shutting down or rebooting the system, accessing mutexes, or creating threads
Moreover, all TCP/IP connections and operations on them are monitored and included in the analysis report. For an established TCP connection, CWSandbox tries to detect the used application protocol and reports all the relevant protocol-dependent data in case of success. Currently, the following protocols (and slight modifications of them) are recognized: HTTP, FTP, SMTP, IRC, and IDENT. In general, the following information is contained in the of an analysis report that reflects the TCP/IP activity of the analyzed application:
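The application-protocol detection described above, as an added example that is not CWSandbox's own code: a heuristic classifier over the first client commands and server banner of one TCP stream that labels each of the five listed protocols and pulls out the protocol-dependent fields a report would carry (the sample streams, field names and matching rules are assumptions).

```python
import re

# Constructed sample streams (client->server bytes, server->client bytes) of the
# kind a sandbox records for one TCP connection; not real captures.
SAMPLES = {
    "irc": (b"NICK bot1\r\nUSER bot1 0 * :bot1\r\nJOIN #chan secretpw\r\n",
            b":irc.example.test 001 bot1 :Welcome\r\n"),
    "http": (b"GET /update.bin HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
             b"HTTP/1.1 200 OK\r\n"),
    "ftp": (b"USER anonymous\r\nPASS guest\r\n", b"220 ftp.example.test FTP ready\r\n"),
    "smtp": (b"EHLO mail.example.test\r\nMAIL FROM:<a@example.test>\r\n",
             b"220 mx.example.test ESMTP\r\n"),
    "ident": (b"6667, 1023\r\n", b"6667, 1023 : USERID : UNIX : bot1\r\n"),
    "other": (b"\x00\x01\x02binary", b"\x7f\x00"),
}

def _line(pattern, text):
    """First capture group of a line-anchored regex, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def detect_protocol(client: bytes, server: bytes) -> dict:
    """Classify one stream and extract report fields; rules are ordered so the
    shared '220' banner / 'USER' command of SMTP and FTP are told apart by the
    EHLO/HELO/MAIL FROM commands and 'SMTP' banner text checked first.
    Returns {"protocol": "unknown"} when nothing matches, rather than guessing."""
    c = client.decode("latin-1", "replace")
    s = server.decode("latin-1", "replace")
    req = re.match(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]", c)
    if req or s.startswith("HTTP/1."):
        return {"protocol": "HTTP", "method": req.group(1) if req else None,
                "path": req.group(2) if req else None, "host": _line(r"^Host:\s*(\S+)", c)}
    if re.search(r"^(EHLO|HELO|MAIL FROM:)", c, re.M) or "SMTP" in s[:80]:
        return {"protocol": "SMTP", "helo": _line(r"^(?:EHLO|HELO) (\S+)", c),
                "mail_from": _line(r"^MAIL FROM:\s*<?([^>\r\n]*)>?", c)}
    if re.search(r"^(NICK|JOIN|PRIVMSG) ", c, re.M):
        return {"protocol": "IRC", "nick": _line(r"^NICK (\S+)", c),
                "channel": _line(r"^JOIN (\S+)", c), "channel_key": _line(r"^JOIN \S+ (\S+)", c)}
    if re.search(r"^USER \S+\r?\n(?:PASS |QUIT)", c, re.M) or s.startswith("220"):
        return {"protocol": "FTP", "user": _line(r"^USER (\S+)", c),
                "password": _line(r"^PASS (\S*)", c)}
    if re.match(r"^\d+\s*,\s*\d+\s*$", c.split("\r\n", 1)[0]) and re.search(r"USERID|ERROR", s):
        return {"protocol": "IDENT", "reply": s.strip()}
    return {"protocol": "unknown"}

def classify_all(samples=SAMPLES):
    """Run detection over every constructed stream; returns name -> protocol label."""
    return {name: detect_protocol(c, s)["protocol"] for name, (c, s) in samples.items()}
```

The extracted IRC channel and key are the "channel-password combinations" counted in the dispersion analysis above.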