Re: Evading the Norman SandBox Analyzer

To: Arne Vidstrom <arne.vidstrom@xxxxxxxxxxxxx>
Subject: Re: Evading the Norman SandBox Analyzer
From: John Smith <genericjohnsmith@xxxxxxxxx>
Date: Fri, 2 Mar 2007 20:49:11 +0000
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:in-reply-to:references:mime-version:content-type:message-id:cc:content-transfer-encoding:from:subject:date:to:x-mailer; b=eotK823POG68eIsLEjg4xo9j5LZ/sGPGLP1CpCRUKz1SXV/TjaV4Cvd044KumZ38oN5912g3dkGGjHCiboIuqd+rsz9d/40dmigEitrwyyk29jSZRLAPdHaDRrAI19o3mWqBfGPPyN3R372//jkGUtsDIPLwlN1IwjNapcmZ3zk=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:in-reply-to:references:mime-version:content-type:message-id:cc:content-transfer-encoding:from:subject:date:to:x-mailer; b=rQopVq0KutLwgQdNzSoxEub5l/MTvwMWCgG+JDYCIhbR1hgG59H7jQUFwS9sm4/UEJSo1+ZYkAJFnIWYEL4gyQbpasrTw2mJTGT47RfEsJ9GelEVJzoiVVTY33ANjcZX3vRv1epChX/RJVl2ND2cwLJ46RDBqEnJT6uhr54zvAs=
In-reply-to: <45E56955.1090000@xxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <45E56955.1090000@xxxxxxxxxxxxx>

This is the same as the results found > 2 years ago as published byJoanna Rutkowska as RedPill (http://invisiblethings.org/papers/redpill.html) (and before that in a Usenix paper) and thereforeeveryone who is interested in emulated/virtualized security alreadyknows that SIDT is a problem instruction.


John
On Feb 28, 2007, at 11:36 AM, Arne Vidstrom wrote:

Hi all,

Summary:
The Norman SandBox Analyzer (http://sandbox.norman.no/live.html)runs malicious code samples in an emulated environment whilelogging their actions. In practice it is more or less impossible tomake an emulated environment perfectly similar to the real thing.It is therefore possible to write malicious code that does notbehave maliciously when run in the Sandbox Analyzer. Here I willgive one example of such a technique.
Full text at:

http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html
I have notified Norman about the problem but have chosen not towait for them to patch it. The reason being that this is not aregular vulnerability, but rather an example of an inherentweakness in emulated sandboxes in general. I assume they will patchthis particular case shortly though since it should be very easy todo.
Regards /Arne

http://ntsecurity.nu
http://vidstrom.net

Follow-Ups:
- Re: Evading the Norman SandBox Analyzer
  - From: Arne Vidstrom

References:
- Evading the Norman SandBox Analyzer
  - From: Arne Vidstrom

Prev by Date: Re: Evading the Norman SandBox Analyzer
Next by Date: rPSA-2007-0040-3 firefox thunderbird
Previous by thread: Evading the Norman SandBox Analyzer
Next by thread: Re: Evading the Norman SandBox Analyzer
Index(es):
- Date
- Thread