{"id":3237,"date":"2015-09-24T13:32:51","date_gmt":"2015-09-24T13:32:51","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3237"},"modified":"2015-09-24T13:32:51","modified_gmt":"2015-09-24T13:32:51","slug":"enter-sandbox-part-9-message-is-in-a-bottle-and-sometimes-in-a-box","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/09\/24\/enter-sandbox-part-9-message-is-in-a-bottle-and-sometimes-in-a-box\/","title":{"rendered":"Enter Sandbox \u2013 part 9: Message is in a bottle, and sometimes in a box"},"content":{"rendered":"

Running programs and expecting them to behave is nothing, but a\u00a0wishful thinking. When you start processing thousands of files you quickly\u00a0discover that the reality of automated dynamic software analysis is quite harsh. Component and software dependencies, missing command line arguments, crashes, annoying nag screens, installers using non-standard GUI toolkits, software written for older OS, or frameworks,\u00a0expired evaluation versions of software protection schemes, trials, evaluation copies of shareware, pranks, corrupted files, uninstallers, and many more make the samples misbehave.<\/p>\n

Once executed, many samples simply exit – not necessarily in a very graceful way.\u00a0Analysis fail.<\/p>\n

There is no easy way to force these applications to actually run – typically, manual analysis are required to create a new behavioral rule (often with a patch) that will force this, and similar apps in the future to execute further, beyond the exit condition. Sometimes it’s not even possible. Notably, patches can be applied not only to the samples, but also to the analysis system (f.ex. install missing dependencies like a specific version of\u00a0.NET, old-school OCX, old Borland files, etc.). It may be also necessary to bypass software protection schemes i.e. crack samples\u00a0– legality of it is somehow shady.<\/p>\n

To apply these patches and workarounds, one needs to analyze existing conditions that cause these samples to fail. Surprisingly, lots of them can be found by reading\u00a0the\u00a0message box captions and texts. As usual, this is not a trivial task since we deal with many languages, many different cases, and uncertainties, but it is possible. But patterns can be observed.<\/p>\n

For starters, let’s look at expired software protection schemes. There are lots of malware samples where author used an evaluation version of the protection scheme\u00a0with the aim of hiding the actual payload. When the sample is executed the protection scheme checks the conditions and if the evaluation period expired, it just prevents the app from running. One could argue that if evaluation \/ trial \/unregistered version is detected, it alone is a good condition to classify\u00a0sample as potentially unwanted, at least. Still, it does require signatures (either static or dynamic) to detect this sort of samples.<\/p>\n

Here are some examples:<\/p>\n

\"expired1\"<\/a><\/p>\n

\"expired2\"<\/a><\/p>\n

\"expired3\"<\/a><\/p>\n

\"expired4\"<\/a><\/p>\n

\"expired5\"<\/a><\/p>\n

\"expired6\"<\/a><\/p>\n

\"expired7\"<\/a><\/p>\n

\"expired8\"<\/a><\/p>\n

\"expired9\"<\/a><\/p>\n

\"expiredA\"<\/a><\/p>\n

\"expiredB\"<\/a><\/p>\n

The missing component scenario is also very common. While Visual Basic and Borland C are no longer that popular, \u00a0there are lots of old samples out there\u00a0belonging to a\u00a0software written in these old programming platforms. Sandbox should be expecting these in a queue…<\/p>\n

Again, a few examples:<\/p>\n

\"missing1\"<\/a><\/p>\n

\"missing2\"<\/a><\/p>\n

\"missing3\"<\/a><\/p>\n

\"missing4\"<\/a><\/p>\n

\"missing5\"<\/a><\/p>\n

\"missing6\"<\/a><\/p>\n

\"missing7\"<\/a><\/p>\n

Large repositories of samples can’t escape\u00a0programs written for localized\u00a0versions of Windows.\u00a0Running such applications on English OS\u00a0leads to ‘garbage’ message boxes showing up with lots of gibberish that have no particular meaning and it’s hard to deduct what they mean, until\u00a0analyzed.<\/p>\n

Here is an example of such message box:<\/p>\n

\"korean\"<\/a><\/p>\n

It turns out that it’s not a crash – just a message telling the user:<\/p>\n