Nytro

List of Free Sandboxes for Malware Analysis!

by MAYURESH on NOVEMBER 15, 2011

We did a similar post, way back in 2009, titled List of Online Malware Scanners. Cut to the end of 2011, and we now bring you a list of free sandboxes for malware analysis. Most of them are free, and several are open source. We have, however, also included a few commercial products and a few that you can install on your own system rather than submit samples to online.

First, as has always been the tradition at PenTestIT, let us define what malware analysis actually means: malware analysis is the study of malicious programs via code analysis (static, reading the binary), behaviour analysis (dynamic, running it and observing what it does), or a combination of both techniques. Where does a sandbox fit in? It automates the behaviour analysis part: the sample is executed in an isolated, instrumented environment and its file system, registry, process and network activity is recorded and turned into a report. We like to expand "sandbox" as System And Network Detection Box (our own backronym, not an official one). Now that we know a bit about malware analysis with sandboxes, let's see the list of free sandboxes for malware analysis.

GFI ThreatTrack: the free public submission portal for GFI SandBox (formerly CWSandbox), an industry-leading dynamic malware analysis tool. It can analyze virtually any Windows application or file, including infected Office documents, PDFs, malicious URLs and Flash ads. Once you submit a sample they email you an executive-level PDF and an XML report containing all the behaviour information gathered during analysis. – http://www.threattrack.com/

CWSandbox – CWSandbox is an approach to automatically analyzing malware that is based on behaviour analysis: malware samples are executed for a finite time in a simulated environment, where all system calls are closely monitored. From these observations, CWSandbox automatically generates a detailed report, which greatly simplifies the task of a malware analyst. – http://www.mwanalysis.org/

ThreatExpert – ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behaviour of computer viruses, worms, trojans, adware, spyware and other security-related risks in a fully automated mode. In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report, with a level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias. – http://www.threatexpert.com/

Xandora – xandora.net is a tool for analyzing the behaviour of Windows PE executables, with special focus on the analysis of malware. Running a sample through xandora.net results in a report file that contains enough information to give a human user a very good impression of the purpose and the actions of the analyzed binary. The generated report includes detailed data about modifications made to the Windows registry, the file system or other processes, and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching its execution. It is the ideal tool for getting a quick understanding of the purpose of an unknown binary. – http://www.xandora.net/xangui/

Anubis: Anubis is a tool for analyzing the behaviour of Windows PE executables, with special focus on the analysis of malware. Running a sample through Anubis results in a report file that contains enough information to give a human user a very good impression of the purpose and the actions of the analyzed binary. The generated report includes detailed data about modifications made to the Windows registry or the file system, about interactions with the Windows Service Manager or other processes, and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching, i.e. analyzing, its execution. The analysis focuses on the security-relevant aspects of a program's actions, which makes the analysis process easier and, because the domain is more fine-grained, allows for more precise results. It is the ideal tool for anyone interested in malware and viruses to get a quick understanding of the purpose of an unknown binary. – http://anubis.iseclab.org/

Comodo Camas – CAMAS stands for Comodo Automated Malware Analysis System. – http://camas.comodo.com/

Norman SandBox – http://www.norman.com/security_center/security_tools/

Malbox – Malbox is a service for malware analysis. Submit your Windows executable (*.exe) or a compressed archive (*.zip; name the file you want analyzed "main.exe") and you will receive an analysis report telling you what it does, or submit a suspicious URL and you will receive a report showing all the activities of the Internet Explorer process when visiting that URL. – http://malbox.xjtu.edu.cn/

Dell SecureWorks Truman: Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated yet provides a virtual Internet for the malware to interact with. It runs on native hardware, so it is not stymied by malware that can detect VMware and other VMs. The major stumbling block to not using VMs is the difficulty of repeatedly re-imaging machines for reuse; Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a physical memory dump. With this tool it is possible to circumvent most packers and perform strings analysis on the dumped, unpacked malware. – http://www.secureworks.com/research/tools/truman/

Cuckoo Sandbox: Cuckoo provides you with a fully automated system able to fetch files, analyze them inside an isolated virtualized Windows system and return the results. We covered the Cuckoo Sandbox here – http://www.pentestit.com/cuckoo-malware-analysis-sandbox/.

Buster Sandbox Analyzer: a tool designed to analyze the behaviour of processes and the changes they make to the system, and then evaluate whether those changes look like malware. The changes made to the system can be of several types: file system changes, registry changes and port changes. We covered Buster Sandbox Analyzer here – http://www.pentestit.com/buster-sandbox-analyzer-malware-analyzer/
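The "changes made to the system" that Buster Sandbox Analyzer reports, and the behaviour analysis that the introduction says a sandbox automates, come down to one idea: record the system state before the sample runs, record it again afterwards, and diff the two. The script below is an added example, not code from this article or from any of the tools listed; it implements the file-system half of that idea. It snapshots a directory tree (size and SHA-256 per file), runs a constructed stand-in for the sample (the hypothetical `simulated_dropper`, which drops a file with a PE-style MZ header, edits an existing file and deletes another), diffs the two snapshots and flags any dropped file that looks like a PE executable. Every path and file in it is made up for the demonstration; a real sandbox does the same for the registry and listening ports, and hooks the sample's system calls rather than trusting it to stay inside a temp directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large droppers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root) to (size, sha256).

    Symlinks are skipped so a sample cannot point the snapshot outside the tree.
    """
    state = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            state[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return state


def diff_snapshots(before, after):
    """Classify file-system changes the way a behavioural sandbox report does."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"created": created, "deleted": deleted, "modified": modified}


def looks_like_pe(path):
    """Cheap check for a Windows executable: the DOS header starts with 'MZ'."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def simulated_dropper(root):
    """Hypothetical stand-in for the sample under analysis (constructed, not real malware).

    It behaves like a typical dropper: writes an executable to a user-writable
    location, tampers with an existing config file and removes a temp file.
    """
    (root / "AppData" / "svchost.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    (root / "hosts").write_text("127.0.0.1 update.example\n")
    (root / "temp" / "old.tmp").unlink()


def analyze():
    """Run the before/after snapshot around the simulated sample and return the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed baseline "system" the sample will be run against.
        (root / "AppData").mkdir()
        (root / "temp").mkdir()
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "temp" / "old.tmp").write_bytes(b"x")
        (root / "readme.txt").write_text("untouched\n")

        before = snapshot(root)
        simulated_dropper(root)
        after = snapshot(root)

        report = diff_snapshots(before, after)
        # Dropped executables are the first thing an analyst wants to see.
        report["dropped_pe"] = [k for k in report["created"] if looks_like_pe(root / k)]
        return report


if __name__ == "__main__":
    for kind, paths in analyze().items():
        print(f"{kind:10s} {paths}")
```

Because the snapshot keys on content hashes rather than timestamps, a sample that touches a file without changing it is not reported, and one that rewrites a file with the same size but different bytes is. The same before/after diff applied to registry hives and to the set of listening sockets gives the other two change types Buster Sandbox Analyzer lists.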

BitBlaze: The BitBlaze project aims to design and develop a powerful binary analysis platform and to use that platform to analyze and develop novel commercial off-the-shelf protection and diagnostic mechanisms, and to analyze, understand and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation. – http://bitblaze.cs.berkeley.edu/

Minibis: http://www.cert.at/downloads/software/minibis_en.html

Zero Wine Malware Analysis Tool: Zero Wine is a malware behaviour analysis tool that runs the sample under the Wine compatibility layer rather than on a real Windows installation. Just upload your suspicious PE file (Windows executable) through the web interface and let it analyze the behaviour of the process. – http://sourceforge.net/projects/zerowine/

Zero Wine Tryouts: Zero Wine Tryouts is an open source malware analysis tool. Just upload your suspicious file (e.g. a Windows executable or a PDF file) through the web interface and let it analyze it. The Zero Wine Tryouts project is a fork of the original Zero Wine project. – http://zerowine-tryout.sourceforge.net/

Norman Malware Analyzer G2 (commercial): Malware Analyzer G2 is the next generation of malware analysis from the inventors of SandBox, voted "Most Innovative Idea in the Past 10 Years" by security researchers at the VB2010 conference. Analyzer G2 Hybrid SandBoxing combines the benefits of the entirely emulated SandBox environment with IntelliVM monitoring and KernelScout, which the vendor claims offers intelligence unmatched by any other product. – http://www.norman.com/products/sandbox_malware_analyzers/en

GFI SandBox (commercial): GFI SandBox (formerly CWSandbox) is an industry-leading dynamic malware analysis tool. It gives you the power to analyze virtually any Windows application or file, including infected Office documents, PDFs, malicious URLs, Flash ads and custom applications. Targeted attacks, hacked websites, malicious Office documents, infected email attachments and social engineering are all part of the Internet threat landscape today. GFI SandBox aims to give you a complete view of every aspect and element of a threat, from infection vector to payload execution, and identifies malicious behaviour using its Digital Behavior Traits technology. – http://www.gfi.com/malware-analysis-tool/

Joe Sandbox (commercial): Joe Sandbox (formerly JoeBox) is a fully automated analysis system for trojans, viruses and rootkits (malware). It takes malicious executables such as PE, PDF (Acrobat Reader) or DOC (Microsoft Word) files as input and returns highly detailed reports describing the behaviour of the executables as they run. The well-structured reports show how the malware installs itself, how it communicates with the Internet and how it hides its presence. With the help of advanced behaviour signatures, Joe Sandbox summarizes interesting actions, making the behaviour extremely easy to understand. Joe Sandbox is suitable for manual as well as large-scale malware analysis. – http://www.joesecurity.org/index.php

That is all we've got as of now. I know this list is largely unstructured, but I built it from a text file containing only the links to these products. Again, these are arranged according to my wish. Oh yes, if you know of any more, please let us know! That is why we have opened up the comments system now!

Source: http://www.pentestit.com/list-sandboxes-malware-analysis/
