This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."
One incredibly useful feature is the ability to allow mediated access to the Internet using powerful filtering tools. Access to the Internet can be controlled in several ways: remote connections can be "faked" by Analyzer Pro, access to the real Internet can be allowed, or the analyst can alter packets sent to or received from the Internet on the fly.
Recent malware often has a networking component that can only be fully investigated using this feature. For example, the behavior of a bot program can be fully understood only if it is allowed to contact its command-and-control server.
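To make the "faked" and "altered on the fly" modes concrete, here is a small added illustration of how a sandbox's mediated-Internet layer can work. It is hypothetical example code written for this article, not Norman's implementation: a Mediator that parses a raw HTTP request from the sample, logs what the sample tried to reach, and either answers with a canned reply (never touching the real Internet) or rewrites a real upstream reply before handing it back. The request and upstream reply bytes are constructed samples; no sockets are opened.

```python
# Added illustration of a sandbox's "mediated Internet" modes; hypothetical
# code, not Norman's. Works on raw HTTP bytes offline, no sockets involved.
from dataclasses import dataclass, field
from typing import Optional

MODE_FAKE = "fake"        # never reach the Internet: answer with a canned reply
MODE_REWRITE = "rewrite"  # pass the request through, then alter the real reply

CANNED_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                b"Content-Length: 2\r\nConnection: close\r\n\r\nOK")

# Constructed sample traffic: a beacon from the sample, and the reply a real
# server might have sent (values are made up for the demonstration).
SAMPLE_BEACON = (b"GET /check?id=1234 HTTP/1.1\r\nHost: c2.example\r\n"
                 b"User-Agent: Mozilla/4.0\r\n\r\n")
SAMPLE_UPSTREAM = (b"HTTP/1.1 200 OK\r\nContent-Length: 32\r\n\r\n"
                   b"update=http://c2.example/pay.bin")


@dataclass
class Observation:
    """What the analyst wants logged about each outbound request."""
    method: str
    host: str
    path: str
    user_agent: str


@dataclass
class Mediator:
    mode: str = MODE_FAKE
    # byte substitutions applied to upstream replies in rewrite mode, e.g.
    # point follow-on downloads at a host the sandbox controls
    rewrite_rules: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def parse_request(self, raw: bytes) -> Observation:
        head, _, _ = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, path, _ = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return Observation(method, headers.get("host", "?"), path,
                           headers.get("user-agent", "?"))

    def respond(self, raw: bytes, upstream_reply: Optional[bytes] = None) -> bytes:
        obs = self.parse_request(raw)
        self.log.append(obs)            # behavioral record, whatever the mode
        if self.mode == MODE_FAKE:
            return CANNED_REPLY         # the sample never sees the real server
        if upstream_reply is None:
            raise ValueError("rewrite mode needs the real reply to alter")
        head, sep, body = upstream_reply.partition(b"\r\n\r\n")
        for old, new in self.rewrite_rules.items():
            body = body.replace(old, new)
        # keep the framing honest: recompute Content-Length after editing
        head_lines = [h for h in head.split(b"\r\n")
                      if not h.lower().startswith(b"content-length:")]
        head_lines.append(b"Content-Length: %d" % len(body))
        return b"\r\n".join(head_lines) + sep + body


def demo_fake():
    """Fake mode: log the beacon and answer it ourselves."""
    m = Mediator(MODE_FAKE)
    reply = m.respond(SAMPLE_BEACON)
    return m.log[0], reply


def demo_rewrite():
    """Rewrite mode: let the real reply through but redirect it to the sandbox."""
    m = Mediator(MODE_REWRITE, rewrite_rules={b"c2.example": b"sandbox.local"})
    return m.respond(SAMPLE_BEACON, SAMPLE_UPSTREAM)


if __name__ == "__main__":
    obs, _ = demo_fake()
    print(f"sample contacted {obs.host}{obs.path} as {obs.user_agent!r}")
    print(demo_rewrite().decode("latin-1"))
```

The log is what makes the feature valuable for behavioral analysis: even in fake mode the analyst sees every host and path the sample tried to reach. In rewrite mode the Content-Length header is recomputed after substitution, a detail a real proxy must get right or the sample will read a truncated or over-long body.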
Analyzer Pro is a powerful tool for combining code-level analysis with extensive behavioral monitoring and logging, but it has a steep learning curve. The main analysis tool is a specialized debugger that allows the analyst full control over the execution of the program at a granular level.
This is not a tool for neophytes. Even with years of experience using debuggers and code analysis tools, we found Analyzer Pro to be very confusing at times. We had to analyze several dozen pieces of code before we felt reasonably comfortable with the tool's quirks.
If your organization
Perhaps the greatest problem is documentation. Analyzer Pro was obviously originally developed by Norman as an internal analysis tool, and that heritage is evident in its documentation. It is poorly written, confusing and assumes a level of expertise that makes Analyzer Pro unsuitable for anyone but a seasoned malware analyst.
Although it lacks polish in its user interface and its documentation, SandBox Analyzer Pro's powerful and flexible feature set makes it a desirable tool for seasoned malware analysts. Beginners will find it frustrating and confusing, but mature code analysts will find it a welcome addition to their toolkit.
Testing methodology: Analyzer Pro was tested on a Windows XP Professional machine with a 1.8 GHz processor and 1MB of RAM. Testing was done by analyzing a variety of sample code (from the reviewer's malware "zoo") using the tools provided. Tests were performed using known benign code and previously analyzed malware samples.
This was first published in September 2007