Bug allows malware to easily recognise the Sandbox Analyzer
Norman's Sandbox emulates the execution of software and logs what it would have done on a real system. A bug allows malware to recognize the emulation and then not behave maliciously in the Sandbox Analyzer.
A bug now disclosed by Arne Vidstrom can be found in the emulated function used to output the interrupt descriptor table (IDT), a table that associates hardware interrupts with suitable handling routines. The respective Assembler command is SIDT (store interrupt descriptor table). According to Intel's documentation (PDF, see p. 192, section 5.10), the first data word of this command is a descriptor to specify the table size on a 8N-1 basis, with N describing the number of entries for occupied interrupts. But instead of returning the value 7FF, Norman's Sandbox analyzer returns the (hexadecimal) value 800.
Malware only needs to check if the return value of the first data word of SIDT is 0x800; in this case, it may just execute harmless program code to hide its true (malicious) nature to the Sandbox analyzer. According to Vidstrom, he has informed Norman of this vulnerability, but did not want to wait with publishing this security hole until a patched version is available.
- Evading the Norman SandBox Analyzer, Security advisory from Arne Vidstrom
(ehe)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
