The Norman Sandbox Analyzer - A solution for Virtual Environment Forensics
Current Scenario: Originally created to discover new malware such as viruses and trojans, special versions of the Norman Sandbox have evolved into a general virtual environment. It can be used for a variety of forensic tasks in which the researcher examines the full behavior of potentially malicious files, or of legitimate applications.
Tomorrow's Technology Today: Examining potentially dangerous content on a real computer is dangerous in many ways. If the content is malicious and gets out of control, the system may be infected or, worse, fall under the full control of the attacker and, for example, act as a bot inside a botnet. It is far preferable to do the examination inside a virtual environment that is under the researcher's full control and from which no content can escape.
To make this possible, Norman developed the Norman Sandbox: a complete virtual world in which researchers can observe every action of a potentially malicious file written for Windows, by emulating the operating system itself. The suspicious file is placed on the Sandbox's virtual drive. The virtual machine is booted with full ROM BIOS capabilities and simulated hard drives, running an emulated Windows operating system with components such as the kernel, Winsock and MPR. Surrounded by a virtual Internet (with full services such as SMTP, DNS, DHCP, etc.) and a virtual intranet, the Norman Sandbox monitors the behavior of the executable. All behavior is recorded and analyzed. When the run finishes, the researcher gets a detailed human-readable description and an API log of the file's behavior.
Because the original purpose of the Norman Sandbox was to detect malware (viruses, trojans, spyware, etc.), the precautions needed to keep control were built in from the start. Since everything is emulated, including the OS, a malicious file has no path out of the virtual environment into the real world; such escapes can happen, and have happened, with other general-purpose virtual environments. The flip side of emulation is that an emulated Windows is never a perfect copy of a real one: a sample may behave differently than it would on a real host, or test for emulation artifacts and stay dormant, so a quiet run in the sandbox is evidence of benign behavior, not proof.
The Norman Sandbox started as a component of Norman's own security products; Norman has since developed it into a general forensics tool that goes beyond the narrow task of malware detection and lets forensic researchers see everything a piece of content can do. This is particularly useful for content that does not look malicious or self-replicating at first sight: information-stealing applications such as banking trojans, or applications that quietly contact rogue systems, can be revealed this way.
Operating the Norman SandBox Analyzer (NSA) is straightforward: install NSA in a folder of your choice on the computer you want to use for analysis, give it the path of the file or files to analyze, and press Enter. Depending on the parameters you choose, the output is available within a few seconds. The parameters let you request a full API log, the SandBox summary, and an extract of all files that the analyzed sample created or modified on the SandBox's "hard drive". NSA can also process a large number of files in one run, producing the requested information for each without user intervention. As the sample unfolds, the sandbox monitors and assesses its behavior.
Case Study
On Friday 10 March 2006, child pornography was used as the lure for a piece of malware named W32/Agent.ULL. The Norman Sandbox Information Center (NSIC, http://sandbox.norman.com) received a file with the filename childpornf*******movie.mpeg.exe. With Windows Explorer in its default configuration the final ".exe" extension is hidden (the "Hide extensions for known file types" feature), so the file appeared to be a movie named childpornf*******movie.mpeg, complete with a Windows Media File icon, which the executable carried as its own icon resource.
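The disguise works because Explorer hides only the last extension, so a first triage check on a list of incoming filenames is a pure name test. The following is an added example written for this page, not Norman's code: it models Explorer's default display behavior and flags names whose real extension is executable while the visible remainder ends in a media or document extension. The filenames are constructed stand-ins for the lure described above, and the two extension sets are a working subset you would extend for your own environment.

```python
"""Spot hidden-extension lures such as movie.mpeg.exe (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows hands to a program loader or script host on double-click.
# A working subset chosen for this example; extend it for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "msi", "lnk"}
# Content-type extensions an attacker borrows so the file looks like data.
DECOY_EXTS = {"mpeg", "mpg", "avi", "wmv", "mp4", "mov", "mp3", "jpg", "jpeg",
              "gif", "png", "pdf", "doc", "xls", "txt", "zip"}


@dataclass(frozen=True)
class LureCheck:
    filename: str             # name as stored on disk
    shown_as: str             # what Explorer displays with extensions hidden
    real_ext: str             # the extension that decides how Windows opens it
    decoy_ext: Optional[str]  # the extension the user is meant to see
    suspicious: bool


def explorer_display_name(filename: str) -> str:
    """Model Explorer's default 'Hide extensions for known file types'.

    Only the LAST extension is hidden, and only when it is a registered type;
    every extension in EXECUTABLE_EXTS | DECOY_EXTS counts as registered here.
    """
    stem, dot, ext = filename.rpartition(".")
    if dot and stem and ext.strip().lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem
    return filename


def check_lure(filename: str) -> LureCheck:
    """Flag a name whose real extension is executable while the visible part
    ends in a content-type extension (movie.mpeg.exe, or the padded variant
    'invoice.pdf<many spaces>.exe' that pushes the real extension out of view).
    """
    real_ext = filename.rpartition(".")[2].strip().lower() if "." in filename else ""
    shown = explorer_display_name(filename)
    # Whatever still looks like an extension after hiding is the decoy;
    # rstrip() defeats the space-padding trick.
    visible_tail = shown.rstrip().rpartition(".")[2].lower() if "." in shown else ""
    decoy = visible_tail if visible_tail in DECOY_EXTS else None
    suspicious = real_ext in EXECUTABLE_EXTS and decoy is not None
    return LureCheck(filename, shown, real_ext, decoy, suspicious)


def find_lures(filenames: List[str]) -> List[LureCheck]:
    """Return only the suspicious entries, preserving input order."""
    return [c for c in (check_lure(n) for n in filenames) if c.suspicious]


# Constructed sample names: a disguised executable, a padded variant,
# an honest executable and two ordinary data files.
SAMPLE_NAMES = [
    "vacation_movie.mpeg.exe",
    "invoice.pdf                              .exe",
    "setup.exe",
    "vacation_movie.mpeg",
    "report.pdf",
]

if __name__ == "__main__":
    for c in (check_lure(n) for n in SAMPLE_NAMES):
        flag = "SUSPICIOUS" if c.suspicious else "ok"
        print(f"{flag:10} {c.filename!r} shown as {c.shown_as!r} "
              f"(real: {c.real_ext or '-'}, decoy: {c.decoy_ext or '-'})")
```

The setting being modeled is Explorer's "Hide extensions for known file types", stored as the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (1 hides extensions and is the default). Turning it off removes the disguise for the user at the desktop, but the check is still worth running at the mail or web gateway, where names arrive unmodified.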
When executed, the Trojan really does play a child-pornography movie, and uses it as cover for its actual activity: downloading and installing a range of other malware, such as the fake anti-spyware programs SpySheriff and BraveSentry, as well as adware like Tibs, a downloader that pushes pornographic web sites. While the movie plays, curiosity overrides caution and the user pays no attention to the other activity on the machine.
On 18 March 2006, NSIC received a second Trojan that used the same technique for the same purpose. The movie it plays is identical, but it downloads and installs a different set of other malware.
The sample is 193536 bytes long and, as the report below shows, packed, so a full code analysis by reverse engineering would take a considerable amount of time and skilled effort. Letting NSA run it instead reveals the interesting behavior within moments:
[ General information ]
* Creating several executable files on hard-drive.
* File might be compressed.
* Decompressing Unk3!FSG?.
* File length: 193536 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\childporn.wmv.
* Creates file C:\WINDOWS\SYSTEM32\win32.exe.
* Creates file C:\WINDOWS\SYSTEM32\msits.exe.
* Creates file C:\WINDOWS\SYSTEM32\loadadv713.exe.
* Creates file C:\WINDOWS\uniq.
* Creates file C:\WINDOWS\kl1.exe.

[ Network services ]
* Opens URL: http://traffsale1.biz/dl/dl.php?adv=adv713.
* Opens URL: http://traffsale1.biz/progs/kl.txt.

[ Security issues ]
* Starting downloaded file - potential security problem.

[ Process/window information ]
* Attempts to open C:\WINDOWS\TEMP\childporn.wmv NULL.
* Attempts to open C:\WINDOWS\SYSTEM32\win32.exe NULL.
* Attempts to open C:\WINDOWS\SYSTEM32\msits.exe NULL.
* Attempts to open C:\WINDOWS\SYSTEM32\loadadv713.exe NULL.
* Enumerates running processes.
* Enumerates running processes several parses....

[ Signature Scanning ]
* C:\WINDOWS\TEMP\childporn.wmv (142802 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\win32.exe (7723 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\msits.exe (8605 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\loadadv713.exe (5185 bytes) : no signature detection.
* C:\WINDOWS\uniq (4096 bytes) : no signature detection.
* C:\WINDOWS\kl1.exe (4096 bytes) : no signature detection.
From a report like this, an administrator whose network has seen the file executed knows exactly which files were dropped and in which folders, which URLs the sample contacted, and that none of the dropped files was caught by signature scanning, so the same artifacts can be searched for on other systems and in proxy logs.
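Turning a report like the one above into something an administrator can search for elsewhere is a small parsing job. Below is an added example, not part of Norman's product or of the original article: it reads the summary format printed above (the "[ Section ]" headers and "* " bullets ending in a period are the only layout it assumes) and extracts the dropped file paths, the folders they landed in, the URLs and hosts contacted, the security flags, and which dropped files the signature scanner missed. The embedded sample is the report above, trimmed to the sections the extractor uses.

```python
# Added example (not Norman's tooling): pull indicators out of a SandBox summary.
# Assumes the layout printed above: '[ Section ]' headers, '* ' bullets ending in '.'.
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# The summary from the case above, copied from the page; the sections the
# extractor does not use (General information, Process/window) are left out.
SAMPLE_REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\childporn.wmv.
* Creates file C:\WINDOWS\SYSTEM32\win32.exe.
* Creates file C:\WINDOWS\SYSTEM32\msits.exe.
* Creates file C:\WINDOWS\SYSTEM32\loadadv713.exe.
* Creates file C:\WINDOWS\uniq.
* Creates file C:\WINDOWS\kl1.exe.
[ Network services ]
* Opens URL: http://traffsale1.biz/dl/dl.php?adv=adv713.
* Opens URL: http://traffsale1.biz/progs/kl.txt.
[ Security issues ]
* Starting downloaded file - potential security problem.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\childporn.wmv (142802 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\win32.exe (7723 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\msits.exe (8605 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\loadadv713.exe (5185 bytes) : no signature detection.
* C:\WINDOWS\uniq (4096 bytes) : no signature detection.
* C:\WINDOWS\kl1.exe (4096 bytes) : no signature detection.
"""

HEADER_RE = re.compile(r"\s*(\[\s*[^\]]+?\s*\])\s*")
BULLET_RE = re.compile(r"(?:^|\s)\*\s+")
CREATES_RE = re.compile(r"^Creates file (.+)$")
URL_RE = re.compile(r"^Opens URL:\s*(\S+)$")
SCAN_RE = re.compile(r"^(.+?) \((\d+) bytes\)\s*:\s*(.+)$")  # path, size, verdict

def parse_sections(report: str) -> Dict[str, List[str]]:
    """Map section name -> bullet texts, trailing period removed.
    Web copies often flatten a section onto one line ('[ X ] * a. * b.'),
    so headers and bullets are re-broken onto their own lines first."""
    text = BULLET_RE.sub("\n* ", HEADER_RE.sub(r"\n\1\n", report))
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            current = line.strip("[] ")
            sections.setdefault(current, [])
        elif line.startswith("* ") and current is not None:
            sections[current].append(line[2:].strip().rstrip("."))
    return sections

def _unique(items: Iterable[Optional[str]]) -> List[str]:
    """Drop empties and duplicates while keeping first-seen order."""
    out: List[str] = []
    for x in items:
        if x and x not in out:
            out.append(x)
    return out

@dataclass
class Indicators:
    created_files: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    security_issues: List[str] = field(default_factory=list)
    scanned: List[Tuple[str, int, str]] = field(default_factory=list)

    def hosts(self) -> List[str]:
        """Contacted hosts, for proxy and DNS log searches."""
        return _unique(urlparse(u).hostname for u in self.urls)

    def drop_directories(self) -> List[str]:
        """Folders that received files, to inspect on other machines."""
        return _unique(ntpath.dirname(p) for p in self.created_files)

    def undetected(self) -> List[str]:
        """Dropped files the signature scanner did not flag."""
        return [p for p, _, verdict in self.scanned if verdict.startswith("no signature")]

def extract_indicators(report: str) -> Indicators:
    s = parse_sections(report)
    ind = Indicators(security_issues=list(s.get("Security issues", [])))
    for m in filter(None, map(CREATES_RE.match, s.get("Changes to filesystem", []))):
        ind.created_files.append(m.group(1))
    for m in filter(None, map(URL_RE.match, s.get("Network services", []))):
        ind.urls.append(m.group(1))
    for m in filter(None, map(SCAN_RE.match, s.get("Signature Scanning", []))):
        ind.scanned.append((m.group(1), int(m.group(2)), m.group(3)))
    return ind

if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_REPORT)
    print("hosts to block and search for:", ", ".join(ind.hosts()))
    print("folders to inspect on other machines:", ", ".join(ind.drop_directories()))
    print("dropped files without a signature hit:", ", ".join(ind.undetected()))
```

Because parse_sections re-breaks headers and bullets before reading them, the same extractor accepts both the properly line-broken report and the flattened one-line-per-section form that copies of these reports often turn into when pasted into web pages or tickets.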
Conclusion: Analyzing malware can be a cumbersome and time-consuming task, involving several code-analysis applications as well as a network of test computers. Each of those applications performs one specific task, and most of the time the results of several of them have to be combined to establish the true actions and intent of the malware. With the Norman SandBox Analyzer, the complexity and infrastructure needed to analyze a file are dramatically reduced, and the time to a result drops to seconds.
Norman, P.O. Box 43, N-1324 Lysaker, Norway. Tel: +47-67-109700
Copyright © 2006 Silicon Valley Communications - All rights reserved.