June 12, 2011

Malware Sandbox Services and Software

Whether you are performing digital forensics or just have an interest in malware, a sandbox environment is an essential part of your analysis program. Sandboxing services can save time and provide a quick and easy glimpse into a suspicious file's behavior. I received an email this morning from Jose Nazario of Arbor Networks where he provided a link to a list made by Buster (author of Buster Sandbox Analyzer) of various sandboxing tools and services. I decided to take that list, check out and update each of the links, and provide a brief description of the various services. I also added a few other services that I'm aware of.

For this blog post, I'm not providing any opinions or reviews. I'm just listing the service, URL, and a basic description as quoted by the provider.

These are the malware analysis services and software that I am currently aware of from the Buster Sandbox link, or via other sources. If you know of any other good malware analysis services, please feel free to drop me an email and I will add it to the list.

Web Services
"We can accept any type of file including executables, documents, spreadsheets, presentations, compiled help files, database packages, PDF, images, emails, or archives. You can also submit a file from a remote web address."
"View PDF objects as hex/text, PDF dissector and inspector, scan for known exploits"
"Joe Sandbox is a fully automated analysis system for trojans, viruses and rootkits (malware). It requests malicious executables such as PE, PDF (Acrobat Reader) or DOC (Microsoft Word) files as input and returns highly detailed reports describing the behavior of executables being executed"

Note:  Joe Sandbox has an online service with three account types. It is described more fully here: http://www.joesecurity.org/service.php

"Anubis is a service for analyzing malware. Submit your Windows executable and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL"

"Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files."

"Submit a Suspicious File for a FREE Malware Analysis"

"Due to heavy load, the public site does not support: URL or BHO analysis, zipped files or analysis of infected documents."

"ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode."

- Windows executable (exe, dll)
- Adobe PDF (Beta Testing)
- Zip file (with password “panda”)
- RAR compressed file (without password)
- 7zip compressed file (without password)
- Autovin File Extractor compressed file

    "Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical  bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic. "

    "xandora.net is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of xandora.net results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary.
    The generated report includes detailed data about modifications made to the Windows registry or the file system or other processes and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching."

    "Submit your Windows executable(*.exe) and receive an analysis report telling you what it does,
    or submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL."

    A Generic JavaScript Unpacker. Enter a single URL (or paste JavaScript to decode). Upload a PDF, pcap, HTML, or JavaScript file.

Standalone Malware Sandboxing Software

    "An Open Source dynamic malware analysis system which allows you to get information on suspicious files in a completely automated fashion.
    Such results include:
        * Relevant Windows API calls tracing of all recursively spawned processes.
        * Network traffic dump generated during malware execution.
        * Files being downloaded and deleted during execution.
        * Screenshots taken during the whole malware analysis process."

    "Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper Mass Malware Analysis: A Do-It-Yourself Kit."

    "Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program. "

    "Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to system and then evaluate if they are malware suspicious.
    The changes made to system can be of several types: file system changes, registry changes and port changes."

    https://vicheck.ca/

    "This is a free tool for the analysis of malicious PDF documents. Has specialized tools for dealing with obfuscated JavaScript, low level PDF headers and objects, and shellcode."

    jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:
    PDF files - samples/sample-pdf.file
    Packet Captures - samples/sample-http-exploit.pcap
    HTML files
    JavaScript files
    SWF files
    This project contains the source code which runs at the website http://jsunpack.jeek.org/.


    Anonymous said...

    Does anyone know some open source alternatives for sandboxes similar to Anubis, ThreatExpert, etcetera, besides ZeroWine, Cuckoo?

    Nicholas J. Percoco said...

    We do not have a self-service portal that is open to the public, but the SpiderLabs team at Trustwave performs a great deal of targeted malware analysis for organizations around the world. Anyone in need of this service can give us a shout.

    Free Software said...

    Well it is my good luck in real, as I was searching something else on internet and I am here to your blog by chance and I must say it is a good site buddy.

    POS Software said...

    The blog article very surprised to me! Your writing is good. In this I learned a lot! Thanks for a well explained topic to share.

    Anonymous said...

    You know who I am.
    We both need to blog more :)


    miller_itsec said...

    Hi guys, here is another alternative for your list:


    The service is free and focuses on in-depth malware analysis, especially extracting interesting disassembly listings and behavior signatures that can be used to understand malware and find entrypoints for deeper manual analysis. Currently it only supports 32-bit executable Windows files, but we are planning on adding document analysis (PDF/DOC/DOCX/XLS/XLSX) soonishly.
    Here are some interesting samples for a start maybe:


    We also have an API for automatic submission that can be requested from
    us via the contact form.

    Best regards,