In association with heise online

01 March 2007, 13:25

Bug allows malware to easily recognise the Sandbox Analyzer


Norman's Sandbox emulates the execution of software and logs what it would have done on a real system. A bug allows malware to recognise the emulation and then behave harmlessly inside the Sandbox Analyzer, so that its malicious code is never observed.

The bug, now disclosed by Arne Vidstrom, is in the emulation of the instruction that reads out the interrupt descriptor table (IDT), the table that associates interrupts with their handler routines. The assembly instruction in question is SIDT (store interrupt descriptor table). According to Intel's documentation (PDF, see p. 192, section 5.10), the first 16-bit word that SIDT stores is the table's limit, which is always 8N-1, where N is the number of 8-byte table entries; a full table of 256 entries therefore reports the (hexadecimal) value 0x7FF. Norman's Sandbox analyzer instead returns 0x800, a value that no real CPU would produce because 0x800 is not of the form 8N-1.

Malware therefore only needs to execute SIDT and check whether the stored limit word is 0x800; if it is, the malware can run harmless program code and hide its true (malicious) nature from the Sandbox analyzer. According to Vidstrom, he has informed Norman of the problem, but did not want to delay publication until a patched version is available.
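The check described above, as an added example that is neither Norman's nor Vidstrom's code. It separates the parsing of what SIDT stores from the instruction itself, so the logic can be exercised on constructed byte buffers (SIDT_REAL_HOST and SIDT_NORMAN_LIKE below are constructed, not captured), and it goes slightly beyond the article's literal comparison with 0x800: idt_limit_is_plausible() flags any limit that is not of the 8N-1 form with at most 256 entries, which catches the Norman value as one instance. The function names and the optional live probe are this example's own assumptions.

```c
/*
 * Added example (not code from the original article, Norman or Vidstrom):
 * detecting an emulated IDT from the limit word that SIDT stores.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SIDT writes a 16-bit limit followed by the base address (4 bytes in
 * 32-bit mode, 8 bytes in 64-bit mode). Each IDT gate descriptor is 8
 * bytes, so the limit is 8N-1 for N entries: 0x7FF for a full table. */
#define IDT_GATE_SIZE   8
#define IDT_MAX_ENTRIES 256
#define SIDT_BUF_LEN    10   /* large enough for the 64-bit operand */

/* Constructed inputs, 10 bytes each (base bytes are arbitrary filler):
 * what a real 256-entry IDT stores, and what the article says Norman's
 * analyzer stored. */
const uint8_t SIDT_REAL_HOST[SIDT_BUF_LEN]   = {0xFF, 0x07, 0, 0, 0, 0, 0, 0, 0, 0};
const uint8_t SIDT_NORMAN_LIKE[SIDT_BUF_LEN] = {0x00, 0x08, 0, 0, 0, 0, 0, 0, 0, 0};

/* Little-endian limit word from a buffer written by SIDT. */
uint16_t idt_limit_from_sidt(const uint8_t *stored) {
    return (uint16_t)(stored[0] | ((uint16_t)stored[1] << 8));
}

/* Number of descriptors implied by a limit of the form 8N-1. */
unsigned idt_entries_from_limit(uint16_t limit) {
    return ((unsigned)limit + 1u) / IDT_GATE_SIZE;
}

/* 1 if the limit could come from real hardware (8N-1, 1 <= N <= 256),
 * 0 for values no CPU stores. 0x800 fails: 0x801 is not a multiple of 8. */
int idt_limit_is_plausible(uint16_t limit) {
    unsigned n = idt_entries_from_limit(limit);
    return (((unsigned)limit + 1u) % IDT_GATE_SIZE == 0)
        && n >= 1 && n <= IDT_MAX_ENTRIES;
}

/* The literal test from the article: is the stored limit 0x800? */
int looks_like_norman_sandbox(const uint8_t *stored) {
    return idt_limit_from_sidt(stored) == 0x800;
}

#if defined(__i386__) || defined(__x86_64__)
/* Live probe: execute SIDT on this CPU. Compiled only on x86. With UMIP
 * enabled, Linux traps user-mode SIDT and returns dummy values, so the
 * result need not describe the real hardware table. */
static void run_sidt(uint8_t out[SIDT_BUF_LEN]) {
    memset(out, 0, SIDT_BUF_LEN);
    __asm__ __volatile__("sidt %0" : "=m"(*(uint8_t (*)[SIDT_BUF_LEN])out));
}
#endif

static void report(const char *label, const uint8_t *stored) {
    uint16_t limit = idt_limit_from_sidt(stored);
    printf("%-12s limit=0x%04X entries=%u plausible=%d norman_check=%d\n",
           label, limit, idt_entries_from_limit(limit),
           idt_limit_is_plausible(limit), looks_like_norman_sandbox(stored));
}

int main(void) {
    report("real host", SIDT_REAL_HOST);
    report("norman-like", SIDT_NORMAN_LIKE);
#if defined(__i386__) || defined(__x86_64__)
    uint8_t live[SIDT_BUF_LEN];
    run_sidt(live);
    report("live sidt", live);
#endif
    return 0;
}
```

The plausibility check is the more useful form of the test: it does not depend on the one value Norman's emulator happened to return, but on the invariant that the article cites from Intel's manual. The live probe is kept only for illustration; on current Linux kernels with UMIP the instruction is emulated in user mode, and the limit it hands back is not the hardware value.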
