Buster
BSA 1.70 has been re-released fixing the bug found by Scrapie.
Scrapie
Works perfectly now - thanks for the update! Cheers, Scrapie
Buster
Buster Sandbox Analyzer adds support for FakeNet
Source: http://practicalmalwareanalysis.com/2012/06/28/buster-sandbox-analyzer-adds-support-for-fakenet/

Good news, Buster Sandbox Analyzer (BSA) has just added support for FakeNet. For those of you not familiar, BSA is a tool that can be used to automatically analyze the behavior of processes and the changes made to the system, and then evaluate if they are malicious. This fully automates all of the basic dynamic analysis you typically perform. Full details and a download of BSA can be found here.

BSA works with Sandboxie. Sandboxie is a program that runs programs in an isolated environment to prevent them from making permanent changes to your system. Sandboxie was designed to allow secure web browsing, but its sandbox aspect makes it useful for malware analysis. For example, you can use it to capture filesystem and registry accesses of the program you are sandboxing. Buster Sandbox Analyzer (BSA) interfaces with Sandboxie to provide automated analysis and reporting.

Once you have Sandboxie and BSA set up on your malware analysis environment you can start playing around with malware, but sometimes the malware might not run enough without a valid network connection, or the malware might start with a beacon to google.com to check for connectivity. That is where FakeNet helps BSA, as it redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst. Generally, you shouldn't use your real internet connection (remember good OPSEC from Chapter 14?) while you analyze malware, but you still want to get network information anyway, so FakeNet is a simple solution.

To run BSA with FakeNet take the following steps:

1. Download and decompress FakeNet to a folder.
2. Edit FakeNet.cfg and change "OutputOptions DumpOutput:No Fileprefix:output" to "OutputOptions DumpOutput:Yes Fileprefix:output".
3. Run Sandboxie and BSA.
4. In BSA select the following:
   Options->Analysis Mode->Automatic
   Options->Automatic Analysis Options->FakeNet Mode
   Options->Common Analysis Options->Packet Sniffer->Save Capture to File
5. Select "Start Analysis".
6. Browse to the FakeNet installation folder when prompted.
7. Select the time in minutes you want BSA to allow the malware to run.
8. Browse to the folder containing your malware when prompted.

This causes BSA to use FakeNet while performing its analysis. You may notice that BSA generates a lot more output using FakeNet than without an Internet connection. With FakeNet, there is an added file "Connections.txt" in its results, and this contains the FakeNet output showing all of the connections that occurred during analysis. There will also be a PCAP generated which contains all of the packets from FakeNet.

I performed analysis using BSA on a piece of malware named "WebServer2.exe" and without FakeNet nothing really happened. I didn't even see registry changes or file changes. Once I enabled FakeNet and reran BSA, the malware ended up doing a lot more, since FakeNet gave a response to the beacon. The malware also ended up performing several GET and POST requests that weren't seen without FakeNet enabled in BSA.
Scrapie
Nice one - good on you!
Thanks for your hard work, Scrapie
Scrapie
Hi there.
Is it possible to exclude OpenService(CSC) & OpenService(CscService) only, without excluding the whole OpenService API itself? These services are used from Windows Vista onwards and are kind of a cache for file changes. They get triggered all the time and therefore end up in the malware analysis - but under Windows Vista and Windows 7 it is nothing bad. Sure, these services could be disabled, but that could have an effect on the network spreading routine of some samples... Cheers, Scrapie
Buster
Yes, it's very simple: Editor > Exclusion Lists > Edit API Exclude List. Then you add in one line "OpenService(CSC)" and in another line "OpenService(CscService)".

Example of my APIExclude.TXT:
OpenService(AudioSrv)
OpenService(LanmanServer)
OpenService(RASMAN)
Scrapie
That's cool
I thought I could only exclude whole API calls (OpenService), but this feature seems pretty powerful. Hey, I'm playing a fair bit around with the URL feature at the moment. Sometimes it acts a bit strange. For example if the URL is
Would it be possible to build in a routine that tries for a given url
Or for a given url
Cheers, Scrapie
Buster
I always try to make features have flexibility, so users can customize the tool as they want.
Could you give a real URL that I can use to make tests, please?
That depends on the server. Example: if you visit "http://www.bsa.isoftware.nl/" it will fail. If you visit "http://bsa.isoftware.nl/" it will work.
I can fix the problem related to URLs containing or not the "http://" prefix, but adding/removing "www." seems a bit weird. How come you don't know the valid URL is "bsa.isoftware.nl" and not "www.bsa.isoftware.nl"?
Scrapie
Check your email for examples
Scrapie
Hi there
Been playing with the new EMET lately and quite like it. I reckon it would be a good tool to integrate into BSA. The latest version of EMET comes with an additional new reporting capability. There are Information, Warning and Error messages. Error messages are used for logging cases where EMET stopped an application with one of its mitigations, which means an active attack has been blocked. These warnings are written in the Windows Event Log. For PDF files, BSA could config EMET before a sample gets started in the sandbox via a simple cmd:
The new version supports wildcards, so there is no need to specify the whole path. As soon as EMET sees a PDF file get started, it injects its DLL into the viewer and protects / watches it. After the analysis is finished, BSA has to check the Windows Event Log for a Warning entry made by EMET, extract the content and integrate it into its report. A crash (=Warning message) is a good sign for a 0-day exploit. Extracting information from the Windows Event Log is not that hard, only ~40 lines in VBA for example. What do you guys think? Cheers, Scrapie

PS: Links about EMET
http://www.rationallyparanoid.com/articles/microsoft-emet-3.html
http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx
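An added example (not BSA's or EMET's own code) of the event-log extraction step proposed above: a PowerShell script that pulls EMET Warning and Error entries from the Application log for the analysis window and writes them to a text file that a sandbox report could include. The provider name "EMET", the parameter names and the output file name are assumptions.

```powershell
# Added example, not part of BSA: collect EMET Warning/Error events written
# during a sandbox run and emit a one-line-per-event report fragment.
# Assumptions: EMET 3.x logs to the Application log under provider "EMET"
# (assumed name); in Get-WinEvent output Level 2 = Error, 3 = Warning.
param(
    [Parameter(Mandatory = $true)]
    [datetime]$AnalysisStart,                 # when the sample was launched
    [datetime]$AnalysisEnd = (Get-Date),      # when the analysis finished
    [string]$ReportPath = 'EMET_Events.txt'   # hypothetical output file
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'EMET'          # assumed provider name
    Level        = 2, 3            # Error and Warning only; skip Information
    StartTime    = $AnalysisStart
    EndTime      = $AnalysisEnd
}

# Get-WinEvent throws a non-terminating error when nothing matches,
# so silence it and treat "no events" as a normal result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No EMET warnings/errors between $AnalysisStart and $AnalysisEnd" |
        Set-Content -Path $ReportPath
    return
}

$lines = foreach ($e in $events) {
    # Error = a mitigation actually fired (blocked attack); Warning = everything else
    $kind = if ($e.Level -eq 2) { 'ERROR (mitigation fired)' } else { 'WARNING' }
    # Message is free text; keep only its first line so each event stays on one row
    $first = ($e.Message -split "`r?`n")[0]
    '{0:yyyy-MM-dd HH:mm:ss}  {1,-24}  EventId={2}  {3}' -f `
        $e.TimeCreated, $kind, $e.Id, $first
}

"EMET events during analysis ($($events.Count)):" | Set-Content -Path $ReportPath
$lines | Add-Content -Path $ReportPath
```

Run it with the timestamps BSA records for the start and end of the run; anything with Level 2 is the "EMET stopped an application" case the post describes.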
Buster
Could you show an example of Event Log information related to a malware infection?
Buster
Released Buster Sandbox Analyzer 1.71.
Changes:
+ Added new malware behaviours
+ Added BSA_USER.DAT feature
+ Improved "Dump Executable Processes" feature
+ Included new malware behaviours at "Risk Evaluation Ratings"
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated Exeinfo
+ Fixed several bugs
Buster
Notes about 1.71 release:
Added BSA_USER.DAT feature: BSA_USER.DAT has the same internal structure as BSA.DAT and it's used to keep your own definitions. When BSA.DAT gets updated you will not have to merge your definitions again, as you can keep them separated.

Improved "Dump Executable Processes" feature: only the files that do not exist in the real system will be dumped. This way we will avoid dumping iexplore.exe, explorer.exe, etc.
bgavin
I downloaded BSA v1.71 from the site after it was released today, July 5.
McAfee 8.7P4 finds the "bsa.sys" file infected with Generic BackDoor!1jd Trojan.
Buster Sandbox Analyzer