1. Introduction


Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to system and then evaluate if they are malware suspicious.


The changes made to system can be of several types: file system changes, registry changes and port changes.


A file system change happens when a file is created, deleted or modified. Depending of what type of file has been created (executable, library, javascript, batch, etc) and where was created (what folder) we will be able to get valuable information.


Registry changes are those changes made to Windows registry. In this case we will be able to get valuable information from the modified value keys and the new created or deleted registry keys.


Port changes are produced when a connection is done outside, to other computers, or a port is opened locally and this port starts listening for incoming connections.


From all these changes we will obtain the necessary information to evaluate the "risk" of some of the actions taken by sandboxed applications.


Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur.


Even if Buster Sandbox Analyzer´s main goal is to evaluate if sandboxed processes have a malware behaviour, the tool can be used also to simply obtain a list of changes made to system, so if you install a software you will know exactly what installs and where.


Additionally apart of system changes we can consider other actions as malware suspicious: keyboard logging, end the Windows session, load a driver, start a service, connect to Internet, etc.


All the above operations can be considered as not malicious but if they are performed when it´s not expected, that´s something we must take in consideration. Therefore it´s not only important to consider what actions are performed. It´s also important to consider if it´s reasonable certain actions are performed.


Buster Sandbox Analyzer is freeware. If you like this software, please, buy a license of Sandboxie.


Actually there are web services, software and hardware doing the same task than Buster Sandbox Analyzer.


Web services:


http://www.joesecurity.org/

(Joebox)

http://anubis.iseclab.org

(Anubis)


http://www.norman.com/security_center/security_tools/submit_file

(Norman)

http://www.gfi.com/malware-analysis-tool/

(GFI Sandbox)


http://www.threatexpert.com

(Threat Expert)


http://camas.comodo.com/cgi-bin/submit

(Comodo Instant Malware Analysis)


http://www.xandora.net/cloudantivirus/

(Autovin - Automated Tools for Virus Incidents)


https://aerie.cs.berkeley.edu/

(BitBlaze Malware Analysis Service - Offline)


http://eureka.cyber-ta.org/

(EUREKA Malware Analysis)


http://www.xandora.net/xangui/

(Suspicious File Analyzer)


http://malbox.xjtu.edu.cn/

(Malbox)


http://vicheck.ca/

(ViCheck)


http://netscty.com/Services/Sandbox

(Network Security Investigations)


http://www.malwr.com/

(Cuckoo)


https://www.codexsolution.com/soluciones/products/codex-malware- analyzer/submit-sample

(Jambo)



Malware analyzing software:


http://www.cuckoobox.org/

(Cuckoo)


http://www.norman.com/enterprise/all_products/malware_analyzer/

norman_sandbox_analyzer

(Norman Sandbox Analyzer)


http://cert.at/downloads/software/minibis_en.html

(Minibis)


http://zerowine.sourceforge.net

(Zero Wine)


http://zerowine-tryout.sourceforge.net/

(Zero Wine Tryouts)


http://www.malwareanalyser.com/home/

(Malware Analyser)



Malware analyzing hardware:


http://www.validedge.com/

(validEDGE)



Web services are free of charge and can be used publicly.


Zero Wine is an open source project but it has been abandoned.


Zero Wine Tryouts is a resumed version of Zero Wine.


Minibis has not been updated since 2011-06.01 .


Norman Sandbox Analyzer is a professional malware analyzer and it´s oriented to professionals due the price of the product. The same happens with validEDGE and GFI Sandbox. Joe Sandbox is also paid software.