bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Evading the Norman SandBox Analyzer

from [Arne Vidstrom] [Permanent Link][Original]
To: bugtraq@securityfocus.com
Subject: Evading the Norman SandBox Analyzer
From: Arne Vidstrom <arne.vidstrom@ntsecurity.nu>
Date: Wed, 28 Feb 2007 12:36:53 +0100
Delivered-to: sp-com-lists@consult.net
Delivered-to: bugtraq-list@securepoint.com
Delivered-to: mailing list bugtraq@securityfocus.com
Delivered-to: moderator for bugtraq@securityfocus.com
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@securityfocus.com; run by ezmlm
User-agent: Thunderbird 1.5.0.9 (Windows/20061207) 
Hi all,

Summary:
The Norman SandBox Analyzer (http://sandbox.norman.no/live.html) runs malicious code samples in an emulated environment while logging their actions. In practice it is more or less impossible to make an emulated environment perfectly similar to the real thing. It is therefore possible to write malicious code that does not behave maliciously when run in the Sandbox Analyzer. Here I will give one example of such a technique. 

Full text at:

http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html
I have notified Norman about the problem but have chosen not to wait for them to patch it. The reason being that this is not a regular vulnerability, but rather an example of an inherent weakness in emulated sandboxes in general. I assume they will patch this particular case shortly though since it should be very easy to do. 

Regards /Arne

http://ntsecurity.nu
http://vidstrom.net
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Evading the Norman SandBox Analyzer, Arne Vidstrom <=
Previous by Date:  Re: Xbox 360 Hypervisor Privilege Escalation Vulnerability, gera
Next by Date:  [USN-428-1] Firefox vulnerabilities, Martin Pitt
Previous by Thread:  Cisco Security Advisory: Cisco Catalyst 6000, 6500 and Cisco 7600 Series MPLS Packet Vulnerability, Cisco Systems Product Security Incident Response Team
Next by Thread:  [USN-428-1] Firefox vulnerabilities, Martin Pitt
Indexes:  [Date] [Thread] [Top] [All Lists]