Showing posts from May, 2012

Bredolab author jailed, rehash of Bredolab analysis

Just read that the Bredolab botnet author was sentenced to 4 years in prison in Armenia.
In July 2010, when Bredolab was in it's heyday I used Netwitness Investigator to do analysis of a Bredolab-infected host. In honor of Georgy Avanesov's arrest, following is a reprint of the resulting toolsmith article. Bredolab samples and PCAPs available upon request via email or @holisiticinfosec. Netwitness is now in version, so some of the guidance and how-to herein may have changed.

Prerequisites Windows operating system (XP/2003 or later)

Introduction As I write this month’s column I’m on a plane returning from the 22nd Annual FIRST Conference in Miami. As always, in addition to a collection of the world’s finest computer incident response teams, there were a select number of vendors. I will be honest when I admit that I typically avoid conference vendor booths unless the swag is really good, but some of my favorites were in attendance including Mandiant and Secunia. When I not…

toolsmith: Buster Sandbox Anayzer

Sandboxie 3.64 or later

On April 10th, 2012 a new version of Sandboxie was released, and on April 16th so too was a new version of the Buster Sandbox Analyzer  which uses Sandboxie at its core. Voila! Instant toolsmith fodder.
It’s been a few months since we’ve covered a malware analysis-specific tool so the timing was excellent.
Buster Sandbox Analyzer is intended for use in analysis of process behavior and system changes (file system, registry, ports) during runtime for evaluation as suspicious. You’ll find it listed among the Sandbox Tools for Malware Analysis on one of my favorite Internet resources, Grand Stream Dreams.
As always, I pinged the developer and Pedro Lopez (pseudonym) provided me with a number of insightful details.
He releases new versions of Buster Sandbox Analyzer on a fairly regular basis, version 1.59 is current as I write this. There’s an update mechanism built right into BSA; just click Updates then Check for Updates.  Pedro ha…