CWSandbox (Botnets book, ch. 10, Carsten Willems)

Sandbox: may be virtual or real hardware, may be Windows or Linux. The Norman site is one example: http://www.norman.com/Virus/Sandbox/en-us (upload malware, get a report based on execution; the system is simulated). Other examples exist, including CWSandbox, Truman, etc.

LARGE question: can malware determine that it is in a box? Is a real Windows box better than a fake virtual box, or a real virtual box?

Generic approach: execute the sample, note its system calls, note its network activity (talks to IP address X with IRC/HTTP/FTP, whatever).

CWSandbox behavior analysis: "hook" the Windows API, meaning observe network activity, registry, files. Hooking means that, in effect, important Windows system functions are "wrapped" in code that records their behavior. Network activity is the principal focus.

backdoor.ircbot.s, etc. is the name of the sample malware; the sample is identified by its MD5 hash. An XML output report is generated. CWSandbox basically "analyzes" but does not clean up: other tools must be used to wipe the box and start over (note: *wipe*, reimage, etc.).

Results / observations:
1. Windows malware may arrive at point X, but will join c:\windows (*.exe, *.dll, etc.) to blend in with the crowd. E.g., it might start at c:\ but then move to a spot where it is easier to blend in.
2. Mutexes in use may give info about malware families, as they don't necessarily change.
3. This bot first tries to DNS-resolve sexccc.serveftp.com and sexccc.ath.cx (the latter works), then initiates an IRC connection via the IRC NICK command: |XP|DEU|P|00|gcoDZauX, channel name "##foo##".
4. The malware opens a backdoor on TCP port 1910.
5. May show the bot scanning for possibly exploitable ports (port 445, etc.).
6. May "protect itself": delete file shares, kill off AV.
7. May download binary updates with HTTP/FTP.

You cannot have a false positive, because CWSandbox only presents behavior and does not check for an "evil bit". You can have a false negative, because it may not show anything suspicious and yet the program may do something uncaught (on alternate Thursdays delete all spreadsheets). You may be able to use the tool for forensic analysis.

Summary: cwsandbox.org; commercial site: Sunbelt Software. Curious trend: CWSandbox may be purchased commercially and may be in use for checking for "targeted attacks".
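As an added example (not from the book and not CWSandbox's own code or report format): a small triage pass over a constructed behavior report in a hypothetical XML layout, pulling out the kinds of observations listed above. The XML element names, the mutex name, the copied-file name and the registry key are assumptions; the hostnames, NICK string and ports are the ones in the notes.

```python
import xml.etree.ElementTree as ET

# Constructed sample report in a hypothetical sandbox-style XML layout
# (NOT CWSandbox's real schema); values echo the observations above.
SAMPLE_REPORT = """<analysis sample="backdoor.ircbot.s" md5="MD5_PLACEHOLDER">
  <process name="sample.exe">
    <copy src="c:\\sample.exe" dst="c:\\windows\\svchost32.exe"/>
    <mutex name="ircbot_mtx_v2"/>
    <dns host="sexccc.serveftp.com" resolved="false"/>
    <dns host="sexccc.ath.cx" resolved="true"/>
    <connect proto="irc" host="sexccc.ath.cx" port="6667">NICK |XP|DEU|P|00|gcoDZauX</connect>
    <listen proto="tcp" port="1910"/>
    <scan port="445" targets="12"/>
    <registry action="delete" key="HKLM\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\Shares"/>
  </process>
</analysis>"""

def triage(xml_text):
    """Return (tag, detail) findings derived only from recorded behavior.
    Nothing here consults an "evil bit", so there are no false positives;
    behavior not exercised during the run (a time-triggered payload) is
    simply absent from the report, so false negatives remain."""
    root = ET.fromstring(xml_text)
    findings = []
    for proc in root.iter("process"):
        for c in proc.iter("copy"):            # obs. 1: relocating into c:\windows
            if c.get("dst", "").lower().startswith("c:\\windows\\"):
                findings.append(("blend_in_copy", c.get("dst")))
        for m in proc.iter("mutex"):           # obs. 2: family-identifying mutex
            findings.append(("mutex", m.get("name")))
        for d in proc.iter("dns"):             # obs. 3: only successful lookups matter
            if d.get("resolved") == "true":
                findings.append(("c2_dns", d.get("host")))
        for conn in proc.iter("connect"):      # obs. 3: IRC NICK registration
            if conn.get("proto") == "irc":
                nick = (conn.text or "").strip()
                findings.append(("irc_c2", f"{conn.get('host')}:{conn.get('port')} {nick}"))
        for l in proc.iter("listen"):          # obs. 4: backdoor port
            findings.append(("backdoor_port", int(l.get("port"))))
        for s in proc.iter("scan"):            # obs. 5: scanning for exploitable ports
            findings.append(("port_scan", int(s.get("port"))))
        for r in proc.iter("registry"):        # obs. 6: self-protection (share removal)
            if r.get("action") == "delete" and "shares" in r.get("key", "").lower():
                findings.append(("shares_deleted", r.get("key")))
    return findings

if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_REPORT):
        print(f"{tag:15} {detail}")
```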