Online malware sandboxes - a real world blind taste test

I don't think I'd had chance to get my seat warm on Monday when I was approached by our service support function who were getting inundated with details about a 'virus' doing the rounds at via email which, when opened, forwarded itself to everyone in the user's address book. I don't normally get involved with desktop issues but I'm always happy to help and eager to understand risks both technically and from a wider business perspective. It seemed our endpoint anti-virus 'solution' had a 0% first-time detection success rate and by this time it had already managed to sneak past our 3rd party email security gateway. I set about acquiring a copy of the offending payload and decided that it would make a good candidate for a 'blind taste test' to run past a few online sandboxes.

If you're not familiar with the concept, sandboxes are controlled environments within which you can run un-trusted programs and capture details about how they behave. They can be invaluable for security analysts, allowing them to detonate malware and extract details about how the payload behaves, what it changes on the system and what network traffic the payload generates.

I did a quick internet search for 'malware sandbox online' and picked the first three that allowed me to upload a file without having to register or provide any details.

Note: This isn't a detailed comparison or analysis of the technology - this is a real world 'apples-for-apples' comparison of how three online sandboxes handle an identified malicious file.


Malwr.com

I instantly recognised malwr.com from security articles I'd read in the past. It's a hosted instance of the Cuckoo Sandbox and out of the three online sandboxes I tried, it yielded the best results and I'll happily admit that its now my default, go-to-sandbox.

malwr.com - Behavioral analysis
The break down is full and detailed but intelligently organised as to allow analysts to extract key pieces of information quickly. I was particularly interested in what network traffic the payload generated as this was something I could do something about by denying traffic to identified IP addresses or domains. At the very least, if you can report on network behavior you might stand some chance of identifying all the other clients that might be impacted by reviewing firewall and DNS logs. 

Network analysis - domains

DNS traffic for identified domain


In addition to the break down malwr.com provides, it also hooks into services like virustotal which provide some idea of what your exposure is from a client anti-virus point of view.

Results: malwr.com

anubis.iseclab.org

anubis.iseclab.org

The anubis sandbox came very close to the malwr.com output but the results missed some of the domains. All I can think is that the payload wasn't perhaps allowed to run for long enough which is a shame really because the reporting options and level of detail provided within was excellent.

anubis.iseclab.org - reporting

I'll certainly be looking to use the anubis sandbox again and giving it the chance to demonstrate its own merits and strengths.

Results: anubis.iseclab.org

camas.comodo.com

I'll be honest, I only know Comodo as a CA so was a little surprised to find that they offered a malware sandbox. I held no expectations either way and proceeded to upload the same payload that I'd uploaded to the other two sandboxes and then hit then waited to see how it compared...

camas.comodo.com

Comodo results - .zip
The site appeared to look like it was working but soon after uploading the file it returned an error. I haven't had chance to go back and look at the cause but suspect that it couldn't handle the zip format. There is no warning about file types supported on the upload page and I didn't really fancy unpacking executables so I just left it there. I'll probably look at it again in the future and I'm sure it too will demonstrate its own merits and strengths.

Results: camas.comodo.com

Popular posts from this blog

PCI-DSS: Your CDE may be getting bigger

Image
In December, the PCI Security Standards Council released guidance around scoping and network segmentation for card data environment (CDE) assets. In their own words: “Many organizations struggle to understand where PCI DSS controls are required and which systems need to be protected. This document provides guidance to help organizations identify the systems that, at a minimum, need to be included in scope for PCI DSS. Additionally, the document provides guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls.” The guidance goes on to visualise a scoping process, considering each category of system in turn: I believe it’s worth highlighting the ‘broadness’ of the “Connected to OR Security Impacting Systems” . These are cases where the: System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity). System component can connect
Read more

Splunk Security Cheat Sheet

Image
Apart from being a source of all too frequent and embarrassing typos, Splunk is a big data platform which allows you to interrogate data and present results is a variety of contexts and visualisations. I've been using it for a little over 12 months, self teaching or Googleing as I go, predominantly to sift through the terabytes of logs from various applications and appliances that get generated in my 9-5 every day.  You can use Splunk to build dashboards which are typically better than the ones that come with the product ( full size )  I've started to pull together all the searches, notes and bits of code into a sort of security cheat sheet which I thought would be a good thing to share as well as providing some real world examples of how you might use Splunk in a security context.  Cheat Sheet I'm actively working back through my notes and adding to this all the time so it might be a good thing to reference via the URL or re-visit from time to time. I'll t
Read more

Tools & Techniques - Cloud Firewalls (DigitalOcean)

Image
My home lab is (probably) typical of most security professionals: a beefy workstation running VMWare workstation, a beefy-ish workstation running ESXi and a bunch of laptops, switches and other devices.  I utilise a couple of VPS providers for hosting and exposing VMs to the cloud. My VPS provider of choice has been DigitalOcean for the last couple of years (going by my billing history) and to date, they've been excellent. They recently introduced and advertised a new service feature called 'Cloud Firewalls' and I had chance to have a play with them today. Essentially, they've incorporated a network level firewall service to their VPS offering which can be used as an alternative or in addition to host-based firewalls like iptables, firewalld, etc.  Initial Impressions - Pros, Cons and Limitations Pros No Cost (free!!) - Cloud Firewalls are available at no additional cost. Availability - Cloud Firewalls are available in ever region DigitalOcean operate.
Read more