
Evading the Norman SandBox Analyzer

Hi all,

Summary:

The Norman SandBox Analyzer (http://sandbox.norman.no/live.html) runs 
malicious code samples in an emulated environment while logging their 
actions. In practice it is more or less impossible to make an emulated 
environment perfectly similar to the real thing. It is therefore 
possible to write malicious code that does not behave maliciously when 
run in the Sandbox Analyzer. Here I will give one example of such a 
technique.

Full text at:

http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html 

I have notified Norman about the problem but have chosen not to wait for 
them to patch it, the reason being that this is not a regular 
vulnerability, but rather an example of an inherent weakness in emulated 
sandboxes in general. I assume they will patch this particular case 
shortly though, since it should be very easy to do.

Regards /Arne

http://ntsecurity.nu 
http://vidstrom.net 
