
CWSandbox: automating malware analysis

September 20th, 2006 Posted by D Webber

A public demo of CWSandbox is now available. It is a tool that lets researchers analyse the behaviour of suspected viruses, trojans and the like by executing the code inside a virtual environment and recording the Windows API calls it makes.

According to the developer’s paper, API calls are trapped by injecting a custom DLL into the process under analysis. The same hooking technique is used by malware such as keyloggers to modify the behaviour of once-trusted applications, and by host intrusion prevention systems and other benign software. Anti-virus companies have used tools like this internally for years… it’s great to see a publicly available tool that less well-funded researchers can use.
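To show what a researcher does with the recorded API calls once the sandbox has captured them, here is an added example (not CWSandbox’s own code, and not its real report format) that parses a constructed `pid|api|key=value;...` trace and derives a behavioural summary with a few illustrative rules:

```python
import re
from collections import defaultdict

# Constructed sample trace in a hypothetical "pid|api|k=v;k=v" format.
# This is NOT CWSandbox's real report format; it only illustrates the kind
# of information an API-call trace contains.
SAMPLE_TRACE = """\
1234|CreateFileW|path=C:\\Windows\\System32\\svchost32.dll;access=GENERIC_WRITE
1234|RegSetValueExW|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run;name=svc;data=C:\\Windows\\System32\\svchost32.dll
1234|connect|host=203.0.113.7;port=6667
1234|CreateFileW|path=C:\\Users\\user\\notes.txt;access=GENERIC_READ
1234|CreateRemoteThread|target_pid=880
"""

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.IGNORECASE)


def parse_trace(text):
    """Parse 'pid|api|k=v;k=v' lines into (pid, api, {k: v}) tuples."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, argstr = line.split("|", 2)
        args = dict(kv.split("=", 1) for kv in argstr.split(";") if "=" in kv)
        calls.append((int(pid), api, args))
    return calls


def summarise(calls):
    """Derive behaviour findings from the trace; the rules are illustrative only."""
    findings = defaultdict(list)
    for pid, api, a in calls:
        if api == "CreateFileW" and "WRITE" in a.get("access", "") and SYSTEM_DIR.search(a.get("path", "")):
            findings["writes_system_dir"].append(a["path"])
        if api.startswith("RegSetValueEx") and AUTORUN_KEY.search(a.get("key", "")):
            findings["autorun_persistence"].append(a.get("data", ""))
        if api == "connect":
            findings["network"].append(f"{a.get('host')}:{a.get('port')}")
        if api == "CreateRemoteThread":
            findings["code_injection"].append(a.get("target_pid", "?"))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in summarise(parse_trace(SAMPLE_TRACE)).items():
        print(f"{kind}: {items}")
```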

Of course, malware authors could also use it to test new stealth techniques… for example by detecting the injection and working around it. Some malware already alters its behaviour when it detects that it is running inside a virtual environment such as honeyd or VMware. It’s safe to assume that the folks running this demo site are watching and keeping copies of everything uploaded. Should a malware developer start using it for testing, researchers will be able to follow along and learn about any new malicious techniques.
