Evading the Norman SandBox Analyzer

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Evading the Norman SandBox Analyzer
From: Arne Vidstrom <arne.vidstrom@xxxxxxxxxxxxx>
Date: Wed, 28 Feb 2007 12:36:53 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

Hi all,

Summary:

The Norman SandBox Analyzer (http://sandbox.norman.no/live.html) runsmalicious code samples in an emulated environment while logging theiractions. In practice it is more or less impossible to make an emulatedenvironment perfectly similar to the real thing. It is thereforepossible to write malicious code that does not behave maliciously whenrun in the Sandbox Analyzer. Here I will give one example of such atechnique.


Full text at:

http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html

I have notified Norman about the problem but have chosen not to wait forthem to patch it. The reason being that this is not a regularvulnerability, but rather an example of an inherent weakness in emulatedsandboxes in general. I assume they will patch this particular caseshortly though since it should be very easy to do.


Regards /Arne

http://ntsecurity.nu
http://vidstrom.net

Follow-Ups:
- Re: Evading the Norman SandBox Analyzer
  - From: John Smith

Prev by Date: Re: Xbox 360 Hypervisor Privilege Escalation Vulnerability
Next by Date: [USN-428-1] Firefox vulnerabilities
Previous by thread: Cisco Security Advisory: Cisco Catalyst 6000, 6500 and Cisco 7600 Series MPLS Packet Vulnerability
Next by thread: Re: Evading the Norman SandBox Analyzer
Index(es):
- Date
- Thread