Following up with last week’s desktop sandboxing challenge Darren’s taking a look at another kind of sandbox — one for malware analysis. Shannon thinks your VNC and SSH servers are pretty spiffy, but how about controlling your computer over twitter? Free text messaging to your PC anyone?
Malware Analysis Sandbox
CWSandbox is an automated malware analysis sandbox. It works by running suspected malware samples in a simulated Windows OS. So as opposed to trying to break into the malware code to see what it does, we simply run it in a live environment. That way we can monitor all the network traffic that the malware generates. All of the processes that are created, the DLLs that are loaded, any changes to the Windows registry and even what itâ€™s doing to the file system.
This is achieved by using a technique called API hooking. That basically means that when the malware calls the Windows application programmersâ€™ interface to say something like “connect to this IP address” or “modify this file” itâ€™s actually going to CWSandboxâ€™s monitoring software, which logs the action and goes ahead and makes the change.
Itâ€™s kind of like an operating system man-in-the-middle. For malware.
So once a suspected malware sample is run through the tool you get a computer generated report of what the executable is actually doing. And this can be fed into anti-virus and intrusion detection systems to monitor for similar behavior.
PC Remote Control over Twitter
While there is no denying the power of running your own SSH, VNC server at home for remote access, wouldnâ€™t it be nice if you could simply text message your computer something simple like “Hey, whatâ€™s your external IP address” or “Send me a screenshot” or “Go download this file”
And if Robin Wood has taught us anything with KreiosC2 â€“ commanding your computer, or even a large botnet for that matter, over social networks is quite possible.
But now itâ€™s time for something a lot more user friendly. This week Snubs investigates TweetMyPC