Buster Sandbox Analyzer Guide
Posted 26 May 2011 - 08:35 PM
Presentation of the tool reloaded.
I open this thread to comment about Buster Sandbox Analyzer.
Official web site is located at: http://bsa.isoftware.nl/
The tool can be directly downloaded from: http://bsa.isoftware.nl/bsa.rar
This thread is intended to be a complete guide to installing, configuring and using (simple and complex usage) the tool.
In order to keep the guide in a clean state and easy to follow, I ask users not to post in this thread.
You can post comments, suggestions, doubts, whatever in this thread: http://reboot.pro/14...ge__pid__129570
This guide will take me some time to write (I´d say at least two or three months), because the amount of features available in BSA (the short name for Buster Sandbox Analyzer) makes explaining it a long task. I will do my best to post as often as possible, but my free time is limited, so please be understanding if it takes time to complete.
So, let´s start answering some questions.
What´s Buster Sandbox Analyzer?
Basically Buster Sandbox Analyzer is a malware behaviour analyzer. BSA analyzes the actions performed when you run a program, open a document, or whatever, and looks for suspicious actions.
What´s a suspicious action?
A suspicious action is something that malware usually does, like writing to certain registry keys, dropping files into certain folders, connecting to the internet, modifying certain files, etc.
Those actions can also be performed by harmless programs, so it´s the user who must decide if the actions are suspicious or not. This decision must be based on the following question: should this program be doing these actions?
As with many things in life, experience counts for a lot. The more files you analyze, the more experience and accuracy you will gain.
You must keep in mind the following facts about behavioural malware analysis:
* The very same suspicious actions can be done by a harmless and a harmful program.
* Actions, like writing a file to the Windows folder, are neither good nor bad in themselves, so there are no good and bad actions, only suspicious actions.
Running files in our system for analysis: is it safe?
Buster Sandbox Analyzer uses Sandboxie to run files. Sandboxie is a pretty safe tool for running suspicious files. However, no security application is 100% bulletproof, which is why I recommend creating backups of the system where you analyze files.
What´s the best environment to analyze files?
BSA can be used on any Windows version where Sandboxie works.
If you are interested in configuring a system specifically for malware analysis, then I recommend you use BSA under Windows XP with SP3. It must be 32-bit because Sandboxie does not support Windows XP 64-bit.
What is required to run Buster Sandbox Analyzer?
BSA uses Sandboxie to run files, so Sandboxie must be installed in your system.
It does not matter if you do not have the registered version of Sandboxie, BSA will run fine anyway.
You can download Sandboxie from: http://www.sandboxie...wnloadSandboxie
BSA also uses WinPCap. This program is a Windows packet capture utility and it is used by BSA to capture network traffic for analysis purposes.
WinPCap is available at: http://www.winpcap.o...nPcap_4_1_2.exe
BSA can run if WinPCap is not installed, but BSA will miss important information for the analysis, so I recommend you install it. Read the README.TXT from the BSA package if you do not install WinPcap.
And that´s all. All you need to run BSA is Sandboxie and WinPCap, the latter being optional.
Posted 26 May 2011 - 08:59 PM
Sandboxie´s installation is pretty straightforward: you just select your preferred language and accept the default installation folder. After a few "Next" clicks the installation finishes. Simple, isn´t it?
After installation some compatibility settings configuration may appear. Accept them by clicking the "OK" button.
In Sandboxie Control click in "Sandbox > DefaultBox > Sandbox Settings".
Enable "Apply changes when switching to another page".
In "Recovery > Quick Recovery" remove all folders.
In "Recovery > Immediate Recovery" disable "Enable Immediate Recovery".
In "File Migration" set the size at "102400" (100 MB) and enable "Don´t issue a message when a file is too large to migrate".
That´s all. Sandboxie is ready to be used.
I suggest that before using BSA you play a bit with Sandboxie so you get familiar with how it is used. Try to sandbox applications like calc, notepad, your browser, Windows Explorer, ...
Learn how to go to sandbox folder and delete contents.
Installing and configuring WinPCap
WinPCap is even easier to install and configure than Sandboxie. Just click next and install. You can disable "Automatically start the WinPCap driver at boot time" if you want. It does not matter if you have WinPCap´s driver enabled or disabled at boot time, BSA will work fine in both cases.
Posted 30 May 2011 - 04:38 PM
BSA is a portable tool. That means there is no installer. You simply unpack the BSA package into the folder you prefer.
Let´s use C:\BSA as example for the installation.
You create a folder named "BSA" on the C drive and extract the BSA.RAR contents there, taking care to recreate the folder structure. You will end up with a structure like this:
Now you must edit Sandboxie´s configuration. For this open Sandboxie Control, click on "Configure" and then "Edit configuration":
Sandboxie can have several sandboxes configured. Each sandbox has its own configuration. In this case we will be using the default sandbox´s configuration, named "DefaultBox". We must add two lines to the configuration of this sandbox. The lines are:
After adding the lines, the configuration should look like something like this:
If you decide to run BSA in several sandboxes, you must add those two lines to each of them.
Later in the guide I will explain the purpose of these lines.
Every time you modify a sandbox configuration you must click "Sandboxie Control > Configure > Reload Configuration":
And that´s all! Buster Sandbox Analyzer is installed already.
1.- If you install BSA in another folder, then you must modify the line "InjectDLL=C:\BSA\LOG_API.DLL" and change the path to BSA´s path.
2.- The user has a choice of where to locate BSA's working directory and the user should be aware of the restrictions Vista and 7 impose on \Program Files. If BSA is to be run from \Program Files, then it must be given admin privileges or set the required access rights. In other situations BSA may require admin privileges too.
3.- If you want to inject multiple DLLs in Sandboxie, it is recommended that LOG_API.DLL be the last one in the list.
Posted 30 May 2011 - 05:56 PM
As I mentioned already, the 100% bulletproof security application does not exist.
Sandboxie has a pretty secure and robust sandbox technology but in the past it has been bypassed so it may be bypassed again.
I suggest you make backups of system and important information as often as possible.
CloneZilla is a free and complete backup solution.
Another important point to consider is that Sandboxie was designed to prevent sandboxed programs from writing outside the sandbox, but, by default, they can read files. Also, by default, Sandboxie does not restrict internet connections from sandboxed applications.
What does it mean?
It means that, with a default Sandboxie installation, a sandboxed application can read any file from your system and send the information to another computer over the internet.
You can prevent this situation in different manners.
1. You can disallow internet connection completely, to all sandboxed programs.
Sandboxie Control > Sandbox > DefaultBox > Sandbox Settings > Restrictions > Internet Access > Block All Programs
The problem is that you will lose analysis capabilities.
2. You can restrict internet connection to certain applications only.
Same menu, but adding programs with "Add Program".
As with the previous method, you will lose analysis capabilities if you don´t allow sandboxed applications to connect to the internet.
3. You can deny access to certain folders to sandboxed applications.
Read here: http://www.sandboxie...?ClosedFilePath
This solution is fine, as you will not lose analysis capabilities.
If you are going to do intensive malware analysis, then probably the most convenient method is to configure a machine exclusively to run Buster Sandbox Analyzer, where no important information is stored.
The last point you should consider is that certain malware may detect that Sandboxie or Buster Sandbox Analyzer are running and behave differently, not showing malicious actions.
You must realize that Buster Sandbox Analyzer is a tool that can help you to identify unknown malwares, but it´s not 100% effective.
You must also realize that as soon as you run a file outside Sandboxie, you will be unprotected if you are not using other security software, and even then, you may be at risk.
Posted 05 July 2011 - 01:12 PM
I explained that we must add two lines to Sandboxie´s configuration:
Well, LOG_API.DLL is a library that will be injected into every program loaded by Sandboxie. This library will help Buster Sandbox Analyzer identify suspicious behaviours; it will also be used to hide Sandboxie from sandboxed applications.
Inside BSA package there are 4 versions of the library:
The first two are designed to be used on 32-bit systems. The DLLs containing "64" must be used on 64-bit systems.
The DLLs containing "VERBOSE" will show file operations (copy, move, delete, ...) and registry operations (open key, create key, ...). Other DLLs will not show such operations.
Even if you do not use the verbose version of LOG_API, file and registry operations will be reflected on reports and analysis, so do not worry about that if you use the non-verbose version of LOG_API.
The non-verbose version of the DLL exists because, by not showing file/registry operations, BSA runs faster.
Posted 05 July 2011 - 02:52 PM
When you launch Buster Sandbox Analyzer for the first time, if you did not install WinPCap an error message will be displayed and BSA will not run.
You have two options:
1) Install WinPCap as described in a previous post.
This is the recommended option.
2) You can follow the instructions described in the file README.TXT included in BSA package.
A message saying "Sandboxie could not be found." may also appear. If this message appears it may be due to one of the following reasons:
1) Sandboxie is not installed.
Solution: Install Sandboxie. Remember that Sandboxie´s installation is mandatory.
2) Buster Sandbox Analyzer needs admin rights to run.
Solution: Run BSA.EXE with admin rights.
If any other problem arises you should contact me to try to find out what the problem is.
Posted 05 July 2011 - 03:11 PM
In this post I will comment briefly on what each menu contains and on other options. In other posts I will comment more in depth on the use of each option and feature.
When you launch Buster Sandbox Analyzer you see a GUI like this:
All the configuration options are under the "Options" menu.
Under "Editor" you will find options to configure different features.
Under "Viewer" you will have access to the different reports generated by BSA.
Under "Utilities" you will find different features related to the malware analysis.
Under "Updates" you will find a feature that checks if a newer version of BSA is available.
Under "Help" you will find BSA´s help, ways to contact me and BSA credits.
At the bottom of the GUI there is a status bar that displays messages about what BSA is doing at each moment. When you launch BSA you will see it displays "Ready!". That means it´s ready to be used.
There is one edit field ("Sandbox folder to check"), one combobox ("Last used sandbox folders") and three buttons ("Start Analysis", "Finish Analysis", "Malware Analyzer").
Posted 05 July 2011 - 04:04 PM
First you must understand that Buster Sandbox Analyzer has two analysis modes: manual and automatic.
In the manual mode, you start/stop Sandboxie when you want. You decide what programs must run sandboxed and when to terminate sandboxed processes.
In the automatic mode, you configure the amount of time that Buster Sandbox Analyzer will let sandboxed programs run. After that time, BSA will terminate the processes.
Knowing this you will understand why there are effectively two Buster Sandbox Analyzer configurations: one for the manual mode and another for the automatic mode.
Now I will explain each option one by one...
Options > Restart
This option will be enabled as soon as an analysis starts, and it is used to stop the analysis.
This option is available both in manual and automatic mode.
Options > Analysis Mode
Buster Sandbox Analyzer can be configured to run in "Automatic" or "Manual" mode.
Later I will explain the differences between running an analysis in automatic or manual mode.
Options > Automatic Analysis Options
Under this menu you will find the options related to the configuration of BSA in automatic mode.
Options > Automatic Analysis Options > Automate Setups
Much malware is included inside an installation package. The installation requires the user to click on buttons and checkboxes like "Next", "I accept", "Install", "Finish", ...
In order to properly analyze malware included inside an installation package, the installation must be completed correctly.
When enabled, this option will automate a large number of installation setups.
Options > Automatic Analysis Options > Do Not Process Unknown File Types
Buster Sandbox Analyzer will recognize most file types: EXE, DLL, VBS, BAT, DOC, PDF, ...
Usually, Windows has associated these extensions to applications, so when you run a file, the associated application will launch the file.
If you want BSA to launch, say, a PDF with Adobe Acrobat Reader, you must create that association.
When enabled, this option makes Buster Sandbox Analyzer skip unknown file types.
Options > Automatic Analysis Options > Keep Sandbox File
When enabled, this option makes Buster Sandbox Analyzer keep a copy of the sandbox folder.
This is useful to keep a copy of every modified or created (dropped or downloaded from internet) file of the analyzed application.
Options > Automatic Analysis Options > Manage Processed File
When enabled, this option will copy or move (depending on the configuration) the processed file to the report folder.
Options > Automatic Analysis Options > Process Selected Folder Recursively
When enabled, this option makes Buster Sandbox Analyzer process every file in the given folder and its subfolders.
Options > Automatic Analysis Options > Resume Process When Available
As I commented previously, an analysis can be stopped by clicking on "Options > Restart". In the automatic analysis mode, a batch of files can be processed. When the automatic analysis is stopped, Buster Sandbox Analyzer keeps a list of the files that were not processed.
When enabled, this option checks if there are pending files to be processed, and if that is the case, continues processing the pending files.
Options > Automatic Analysis Options > Run Custom Command On Finish
When enabled, this option makes Buster Sandbox Analyzer execute a BATCH file that allows the user to run "post-analysis" processes.
In the BATCH file you can run the programs you want.
The name of the BATCH file must be "PROCESS.BAT" and must be located on the same folder BSA.EXE is located.
Options > Automatic Analysis Options > Take Screenshots
When enabled, this option makes Buster Sandbox Analyzer take screenshots of the sandboxed applications.
One screenshot per sandboxed application will be taken.
Options > Common Analysis Options
Under this menu you will find the options that are common to both automatic and manual analysis modes.
Options > Common Analysis Options > Adjust Time Limit In
Manual analysis mode can run with or without a time limit. In the automatic analysis mode the time limit is mandatory. For both automatic and manual modes, the time limit can be adjusted in minutes or seconds.
Options > Common Analysis Options > Exclusion Lists
I will comment on the meaning of the exclusion lists later. Right now you just need to know that exclusion lists (API, File and Registry) can be enabled or disabled in this menu.
Options > Common Analysis Options > Packet Sniffer
With the help of WinPCap, Buster Sandbox Analyzer is able to capture network traffic. Under this menu you will find the options to configure the packet sniffer module.
Options > Common Analysis Options > Packet Sniffer > Do Not Capture Packets
When enabled, this option makes Buster Sandbox Analyzer not capture network traffic.
Options > Common Analysis Options > Packet Sniffer > Do Not Filter Local Packets
When enabled, this option makes Buster Sandbox Analyzer keep packets whose origin and destination are on the same PC instead of discarding them.
Options > Common Analysis Options > Packet Sniffer > Do Not Show UDP Packets
It is possible to know what application generated TCP packets, but this is not possible with UDP packets.
Buster Sandbox Analyzer filters network packets and only processes those TCP packets that were generated by sandboxed applications. As it is not possible to know which application generated a UDP packet, it is possible that a UDP packet coming from an unsandboxed application is processed.
You can mitigate this problem if you do not run unsandboxed applications while analyzing malware.
If you cannot avoid running unsandboxed applications, then you must realize that UDP packets coming from unsandboxed applications may be included in the analysis. Another option is to not process UDP packets at all, and that is what this option is for.
When enabled, UDP packets will not be processed.
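To make the attribution rules above concrete, here is an added Python model of the sniffer's filtering, written for this guide rather than taken from BSA. It assumes each captured packet carries the PID that owns the socket for TCP and no owner for UDP, and applies the three options described in this section to a constructed capture:

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    proto: str                # "TCP" or "UDP"
    src: str
    dst: str
    owner_pid: Optional[int]  # PID owning the socket; None for UDP (cannot be attributed)


# Constructed sample capture using documentation IP ranges; not real traffic.
LOCAL_IPS: Set[str] = {"10.0.0.5", "127.0.0.1"}
SANDBOXED_PIDS: Set[int] = {1234, 1235}   # analysed sample and a child it spawned
SAMPLE_CAPTURE: List[Packet] = [
    Packet("TCP", "10.0.0.5", "203.0.113.10", 1234),  # sample connects out
    Packet("TCP", "10.0.0.5", "203.0.113.10", 4321),  # unsandboxed browser, same host
    Packet("TCP", "127.0.0.1", "127.0.0.1", 1234),    # sample talks to itself on loopback
    Packet("UDP", "10.0.0.5", "192.0.2.53", None),    # DNS query, owner unknown
    Packet("TCP", "10.0.0.5", "198.51.100.7", 1235),  # dropped child connects out
]


def filter_packets(packets: List[Packet], sandboxed_pids: Set[int], local_ips: Set[str], *,
                   do_not_capture: bool = False, do_not_filter_local: bool = False,
                   do_not_show_udp: bool = False) -> List[Tuple[Packet, bool]]:
    """Return (packet, attributed) pairs that the analysis would process.

    attributed is True when the packet is known to come from a sandboxed PID;
    UDP packets are kept unattributed because their originating process is unknown.
    """
    if do_not_capture:                      # "Do Not Capture Packets"
        return []
    kept: List[Tuple[Packet, bool]] = []
    for pkt in packets:
        is_local = pkt.src in local_ips and pkt.dst in local_ips
        if is_local and not do_not_filter_local:   # default: discard PC-internal traffic
            continue
        if pkt.proto == "TCP":
            if pkt.owner_pid in sandboxed_pids:     # only TCP from sandboxed programs
                kept.append((pkt, True))
        elif pkt.proto == "UDP":
            if not do_not_show_udp:                 # "Do Not Show UDP Packets"
                kept.append((pkt, False))           # may come from an unsandboxed program
    return kept


def count_kept(**options) -> int:
    """Number of packets processed from the constructed capture under the given options."""
    return len(filter_packets(SAMPLE_CAPTURE, SANDBOXED_PIDS, LOCAL_IPS, **options))


def count_unattributed(**options) -> int:
    """Number of processed packets whose origin could not be tied to a sandboxed PID."""
    return sum(1 for _, attributed in
               filter_packets(SAMPLE_CAPTURE, SANDBOXED_PIDS, LOCAL_IPS, **options)
               if not attributed)


if __name__ == "__main__":
    print("default:", count_kept(), "unattributed:", count_unattributed())
    print("no UDP:", count_kept(do_not_show_udp=True))
    print("keep local:", count_kept(do_not_filter_local=True))
```

With the defaults, the browser's TCP packet is dropped because its PID is not sandboxed, while the DNS packet survives as unattributed traffic, which is exactly the ambiguity the "Do Not Show UDP Packets" option removes.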
Options > Common Analysis Options > Packet Sniffer > Save Capture To File
It is possible to save captured network traffic to disk. Buster Sandbox Analyzer captures traffic in a PCAP-compatible file format. This file can be used for forensic analysis.
When enabled, this option makes Buster Sandbox Analyzer save the captured network traffic to a file.
Options > Common Analysis Options > Packet Sniffer > Select Adapter
This option is used to select the network adapter from where network traffic will be captured.
Options > Common Analysis Options > Packet Sniffer > Show Full Path
Buster Sandbox Analyzer includes in the generated reports the file name of the application which generated a network connection.
When enabled, this option makes Buster Sandbox Analyzer include the full path of the application which generated the network connection.
Options > Common Analysis Options > Reports
Under this menu you will find the options to configure reports: what information must be included and what not.
The information can be related to the main file or to dropped files.
Main file is the file (application, document, whatever) that was launched first.
Dropped files are all the files that were created (dropped, downloaded from internet, modified, ...) on the sandbox folder.
The reports can be configured individually. You can include certain information for the main file and not include the same information for dropped files, you can include the information for dropped files but not for the main file, or you can include it for neither of them.
Options > Common Analysis Options > Reports > Digital Signature
If you want to know more about digital signatures I suggest you search for "Sigcheck" by Mark Russinovich. Buster Sandbox Analyzer uses his tool to check the digital signature.
When enabled, this option makes Buster Sandbox Analyzer include the digital signature verification information.
Options > Common Analysis Options > Reports > Do Not Resolve URLs
When enabled, this option makes Buster Sandbox Analyzer not resolve IPs.
Options > Common Analysis Options > Reports > File Entropy
If you want to know more about the relation between file entropy and malwares you should read this paper:
Buster Sandbox Analyzer uses Shannon´s entropy algorithm.
When enabled, this option makes Buster Sandbox Analyzer include file entropy information.
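As an added illustration (not code from BSA), the following Python computes the Shannon entropy that BSA reports, in bits per byte, over two constructed samples, and also slices a file into windows to locate packed regions. The verdict thresholds are a common rule of thumb assumed here, not BSA's own:

```python
import math
import random
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte.

    0.0 means every byte is identical; 8.0 means all 256 values are equally frequent,
    which is what compressed, packed or encrypted content looks like.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024) -> List[float]:
    """Entropy per fixed-size window, useful to spot a high-entropy blob inside a file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def entropy_verdict(bits_per_byte: float) -> str:
    # Assumed rule-of-thumb thresholds; BSA's own cut-offs are not documented on this page.
    if bits_per_byte >= 7.2:
        return "high (typical of packed or encrypted content)"
    if bits_per_byte >= 5.0:
        return "medium (typical of compiled code)"
    return "low (typical of plain text or padding)"


# Constructed samples: repeated plain text, and pseudo-random bytes standing in for
# a packed payload. Seeded so the values are reproducible.
PLAIN_SAMPLE = b"This is a harmless readme. Nothing to see here. " * 64
_rng = random.Random(2011)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))


def entropy_report(name: str, data: bytes) -> Dict[str, object]:
    """The entropy-related fields a report row would carry for one file."""
    e = shannon_entropy(data)
    return {"file": name, "length": len(data), "entropy": round(e, 3),
            "verdict": entropy_verdict(e)}


if __name__ == "__main__":
    for name, data in (("readme.txt", PLAIN_SAMPLE), ("dropper.bin", PACKED_SAMPLE)):
        print(entropy_report(name, data))
    # A file made of the text followed by the packed blob shows the jump window by window.
    print([round(x, 2) for x in windowed_entropy(PLAIN_SAMPLE + PACKED_SAMPLE)])
```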
Options > Common Analysis Options > Reports > File Length
When enabled, this option will make Buster Sandbox Analyzer to include file length information.
Options > Common Analysis Options > Reports > File Signature
A file signature identifies the compiler and/or the packer used to encrypt/compress a file.
Buster Sandbox Analyzer includes two tools to extract file signatures: PEiD and Exeinfo. You can use both if you want, just one of them or none.
PEiD gives you the chance to include your own file signatures.
When enabled, this option makes Buster Sandbox Analyzer include file signature (PEiD and/or Exeinfo) information.
Options > Common Analysis Options > Reports > File Type
As I commented previously, Buster Sandbox Analyzer identifies most file formats: EXE, DLL, VBS, PDF, DOC, XLS, ...
When enabled, this option makes Buster Sandbox Analyzer include file type information.
Options > Common Analysis Options > Reports > Hash
If you want to know more about hashes I suggest you review the Wikipedia article:
When enabled, this option makes Buster Sandbox Analyzer include the MD5, SHA-1 and SHA-256 hashes.
Options > Common Analysis Options > Reports > ssdeep
If you want to know more about ssdeep I suggest you visit the official site:
When enabled, this option makes Buster Sandbox Analyzer include ssdeep information.
Options > Common Analysis Options > Reports > Virus Total
Virus Total is a free service where you send a file and it is scanned with over 40 antivirus engines. Additionally it offers a service where you send a hash and you obtain information about the file. Buster Sandbox Analyzer uses this service to check if the file is identified by the antivirus used by Virus Total.
When enabled, this option makes Buster Sandbox Analyzer retrieve file information from Virus Total.
Options > Manual Analysis Options
This menu contains the options related to the configuration of the manual mode analysis.
Options > Manual Analysis Options > Ignore If Sandbox Folder Is Not Empty
In automatic analysis mode, if the sandbox folder contains files, they will be deleted.
In manual mode, Buster Sandbox Analyzer checks if the sandbox folder to process contains files. If there are files, it asks what you want to do with them: keep or delete.
When enabled, this option makes Buster Sandbox Analyzer not ask what to do with the files in the sandbox folder. The files will simply be kept.
Options > Manual Analysis Options > Set A Time Limit For Analysis
The manual analysis mode can be configured to run a specified amount of time.
When enabled, this option makes Buster Sandbox Analyzer set a time limit.
Options > Program Options
In this menu you can configure options not directly related to malware analysis.
Options > Program Options > Check For Updates On Start
When enabled, this option makes Buster Sandbox Analyzer check whether a new version is available.
Options > Program Options > Remember Windows Position
By default, when launched, Buster Sandbox Analyzer will appear at the center of the screen. If you dislike this behaviour, you can configure BSA to remember the position on screen it had when you closed the tool.
When enabled, this option makes Buster Sandbox Analyzer place the GUI window at the position it was in when the program was closed.
Options > Program Options > Save Settings on Exit
When enabled, this option makes Buster Sandbox Analyzer save its settings on close.
Options > Program Options > Windows Shell Integration
When enabled, this option makes Buster Sandbox Analyzer add a menu entry to Windows Explorer.
The first option you should configure/enable is "Options > Program Options > Save Settings on Exit". That way you will not lose your configuration when you close BSA.
Posted 05 July 2011 - 04:45 PM
Q: Is there "the best configuration"?
A: Each user has his/her own needs, so "the best configuration" does not exist.
You may want to take screenshots or not. You may want to keep dropped files or not. You may want to keep the captured traffic or not. You may want to include file length on report or not. And so on...
In summary: you must decide what you want to include in the analysis.
Q: What are the differences between the automatic and the manual mode?
In the automatic mode you are limited by time. The analysis will last until the given analysis time is reached.
In the automatic mode only one screenshot per sandboxed application will be taken. In manual mode you can take as many screenshots as you want.
In the automatic mode only a certain number of applications will run: the file you sandbox, the application required to launch the file (if any), and maybe some of the dropped files. In manual mode you can run whatever you want, for example additional analysis tools in order to improve the analysis.
In summary: in manual mode you have total control over what is being run.
Posted 05 July 2011 - 05:26 PM
The automatic analysis mode has two sub-modes:
* Automatic mode from GUI
* Automatic mode from command-line
When you run the analysis from the GUI, Buster Sandbox Analyzer stays in GUI mode when it finishes.
When you run the analysis from the command line, Buster Sandbox Analyzer returns to the console when the analysis finishes. This analysis mode may be useful because it means BSA can run on demand and/or be included in batch processes.
The command line has the following options:
"-m" or "-s" to define the analysis time, being "m" minutes and "s" seconds. The min amount for minutes is 1 and the max 60. For seconds the min is 1 and the max 3600. Example:
-m 5 (5 minutes)
-s 45 (45 seconds)
"-f" to define the folder to process. Example:
c:\bsa\bsa.exe -s 45 -f c:\test
BSA will analyze the files at c:\test folder giving 45 seconds of analysis to each file.
There is a configuration file named BSA.DAT. It is located on same folder BSA.EXE is located.
BSA.DAT is used to configure certain malware analysis capabilities. The file is divided into sections. You can edit (add/modify/delete) the contents of this file directly from BSA through "Editor > Edit BSA.DAT" or from any text editor.
BSA.DAT is divided into the following sections:
In this section the user defines which file types (EXE, PDF, DLL, ...) copied into the Windows folder (root and/or subfolders) must raise an alert.
In this section the user defines which file types must be watched when they are created or modified.
It is very typical of malware to copy/create/modify files in the Windows folder. That is why it is important to watch the changes in this folder.
In this section the user defines which file types must be watched when copied to AutoStart locations. An AutoStart location is, for example, the Startup folder.
It is typical of malwares to get their components included in autostart locations so they run when Windows loads.
In this section the user defines what autostart files must be watched when added to disk or modified.
Autostart files are, for example: win.ini, system.ini, autoexec.bat, ...
This is another method used by malware to get running when Windows loads, so we must watch for changes in these files.
In this section the user defines what registry autostart locations to watch.
It is very typical of malware to add itself to a registry autostart location so it gets loaded when Windows starts.
In this section the user defines his/her own registry entries to watch.
The format of the entry must be: registry_name<->explanation
This section allows the user to define those registry entries considered as used for malicious purposes.
In this section the user defines those folders that must raise an alert when there is a file operation on them.
This function allows the user to define those folders with suspicious activity like "Program files" or "Documents and settings".
[AutoStart_Registry_Created_or_Modified] and [Custom_Registry_Entries] allow the use of wildcards. You can use them to match several registry keys at the same time instead of adding one entry for each one.
To know more about this and other questions related to BSA.DAT, please, read here: http://bsa.isoftware.nl/frame5.htm
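An added Python example (not BSA's own parser) of how a [Custom_Registry_Entries] section in the registry_name<->explanation format can be read and then matched, with wildcards, against registry keys touched by a sandboxed program. The entries and the events are constructed for the illustration; the matching uses shell-style wildcards, which is an assumption about BSA's wildcard syntax:

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed BSA.DAT fragment in the registry_name<->explanation format described above.
# These three entries are an illustration, not the contents of BSA's shipped BSA.DAT.
SAMPLE_BSA_DAT = r"""
[Custom_Registry_Entries]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*<->Autostart entry added to the machine Run key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*<->Autostart entry added to the user Run key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*\ImagePath<->Service binary path created or changed
"""

# Constructed registry paths, as a sandboxed program might write them during an analysis.
SAMPLE_EVENTS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchelper\ImagePath",
    r"HKEY_CURRENT_USER\Software\Contoso\Settings\LastRun",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
]

Entry = Tuple[str, str]   # (registry pattern, explanation shown in the alert)


def parse_bsa_dat(text: str) -> Dict[str, List[Entry]]:
    """Split a BSA.DAT-style text into sections of (pattern, explanation) entries."""
    sections: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:          # data before any section header is ignored
            continue
        pattern, sep, explanation = line.partition("<->")
        sections[current].append((pattern.strip(), explanation.strip() if sep else ""))
    return sections


def match_registry_events(entries: List[Entry], events: List[str]) -> List[Tuple[str, str]]:
    """Return (registry path, explanation) for every event matching a watched pattern.

    Registry paths are case-insensitive, so both sides are lower-cased before matching;
    fnmatchcase keeps '*' and '?' as wildcards while treating backslashes literally.
    """
    alerts: List[Tuple[str, str]] = []
    for event in events:
        for pattern, explanation in entries:
            if fnmatch.fnmatchcase(event.lower(), pattern.lower()):
                alerts.append((event, explanation))
                break                # one alert per event, first matching entry wins
    return alerts


def run_sample() -> List[Tuple[str, str]]:
    """Apply the constructed entries to the constructed events."""
    entries = parse_bsa_dat(SAMPLE_BSA_DAT)["Custom_Registry_Entries"]
    return match_registry_events(entries, SAMPLE_EVENTS)


if __name__ == "__main__":
    for path, why in run_sample():
        print(f"ALERT: {why}: {path}")
```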
Posted 19 July 2011 - 02:56 PM
You should have reached this message knowing how to configure BSA and knowing how to work with Sandboxie. If you do not know something of that then you should not continue reading.
Before using BSA for the first time we are going to learn what the sandbox folder is.
The sandbox folder is the folder where Sandboxie saves the files and registry changes. This is a folder you have defined in Sandboxie´s configuration.
A sandbox folder path will contain the name of the sandbox. When you sandbox something in the "DefaultBox", the changes will be stored at C:\xxx\xxx\DefaultBox.
In BSA you must define the path of the sandbox folder you are using. If you are not sure what is the path you can follow these steps:
* Sandbox NOTEPAD, CALC or any other application.
* Right click Sandboxie Control icon on system tray and select the sandbox you are using and then "Explore Contents".
* A Windows Explorer window will be opened. Copy the path from the bar.
This is the sandbox folder path you must paste at BSA´s "Sandbox folder to check" editbox.
This path was the final thing you had to configure at BSA to start working with it.
We are ready to use BSA!