Evading the Norman SandBox Analyzer Feb 28 2007 11:36AM
Arne Vidstrom (arne vidstrom ntsecurity nu) (1 replies)
Re: Evading the Norman SandBox Analyzer Mar 02 2007 08:49PM
John Smith (genericjohnsmith gmail com) (1 replies)
This is the same as the results found > 2 years ago as published by
Joanna Rutkowska as RedPill (http://invisiblethings.org/papers/
redpill.html) (and before that in a Usenix paper) and therefore
everyone who is interested in emulated/virtualized security already
knows that SIDT is a problem instruction.

On Feb 28, 2007, at 11:36 AM, Arne Vidstrom wrote:

> Hi all,
> Summary:
> The Norman SandBox Analyzer (http://sandbox.norman.no/live.html)
> runs malicious code samples in an emulated environment while
> logging their actions. In practice it is more or less impossible to
> make an emulated environment perfectly similar to the real thing.
> It is therefore possible to write malicious code that does not
> behave maliciously when run in the Sandbox Analyzer. Here I will
> give one example of such a technique.
> Full text at:
> http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html
> I have notified Norman about the problem but have chosen not to
> wait for them to patch it. The reason being that this is not a
> regular vulnerability, but rather an example of an inherent
> weakness in emulated sandboxes in general. I assume they will patch
> this particular case shortly though since it should be very easy to
> do.
> Regards /Arne
> http://ntsecurity.nu
> http://vidstrom.net

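The reply above points to SIDT as the instruction that gives an emulator or VM away. From the analysis side, a sandbox can at least flag samples that carry such a probe before running them. The following is an added example written for this page, not code from the thread, from Norman or from the RedPill paper; the sample bytes are constructed, and the sweep is a triage heuristic rather than a disassembler.

```python
# Static triage check: flag x86 code that stores the IDT or GDT base
# (sidt/sgdt), the RedPill-style emulation probe discussed in the thread.
# Opcode 0F 01 /r: the ModRM reg field selects the instruction.
GROUP_0F01 = {0: "sgdt", 1: "sidt", 2: "lgdt", 3: "lidt"}
FLAGGED = {"sgdt", "sidt"}  # the table-store forms used as probes

def decode_0f01(code: bytes, i: int):
    """If code[i:] begins a 0F 01 group instruction with a memory operand,
    return (mnemonic, encoded length); otherwise return None."""
    if code[i:i + 2] != b"\x0f\x01" or i + 2 >= len(code):
        return None
    modrm = code[i + 2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return None  # register form encodes unrelated instructions (monitor etc.)
    mnemonic = GROUP_0F01.get(reg)
    if mnemonic is None:
        return None
    length = 3
    if rm == 4:                      # SIB byte follows
        if i + 3 >= len(code):
            return None
        length += 1
        if mod == 0 and (code[i + 3] & 7) == 5:
            length += 4              # SIB with no base register: disp32
    elif mod == 0 and rm == 5:
        length += 4                  # [disp32] form
    if mod == 1:
        length += 1                  # disp8
    elif mod == 2:
        length += 4                  # disp32
    return mnemonic, length

def find_table_probes(code: bytes):
    """Linear byte sweep; returns [(offset, mnemonic)] for sgdt/sidt hits.
    Data bytes can collide with the pattern, so treat hits as a signal to
    look closer, not as a verdict."""
    hits, i = [], 0
    while i < len(code):
        d = decode_0f01(code, i)
        if d and d[0] in FLAGGED:
            hits.append((i, d[0]))
            i += d[1]
        else:
            i += 1
    return hits

# Constructed sample: prologue, sidt [esp+4], a register-form 0F 01 that must
# not match, sgdt [ebx], ret.
SAMPLE = (b"\x55\x8b\xec"
          b"\x0f\x01\x4c\x24\x04"
          b"\x0f\x01\xc8"
          b"\x0f\x01\x03"
          b"\xc3")
```

Running `find_table_probes(SAMPLE)` reports the sidt at offset 3 and the sgdt at offset 11 and ignores the register-form encoding between them.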
Re: Evading the Norman SandBox Analyzer Mar 03 2007 07:39AM
Arne Vidstrom (arne vidstrom ntsecurity nu)
Copyright 2010, SecurityFocus