A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #426  by Meriadoc
 Wed Mar 24, 2010 8:39 pm
free for non-commercial use - HBGary
 #559  by wealllbe20
 Tue Apr 06, 2010 1:32 pm
There are many crypters out there that block online and local sandboxes.

hxxp://www.level-23.com/foro/showthread.php?t=13153


Many, many more crypters out there.

These crypters do work.

If you try to run anything crypted by these crypters inside a virtual machine, or you are using Sandboxie, they will simply not execute.

It makes it hard to do a full analysis of these specific types of malware.
 #560  by NOP
 Tue Apr 06, 2010 2:30 pm
They are kiddie crypters that generally crypt kiddie trojans, nothing interesting there for a malware researcher.
 #561  by wealllbe20
 Tue Apr 06, 2010 2:58 pm
They may be used by kiddies, but these crypters/packers have features that include bypassing Windows UAC, blocking sandboxing and anti-disassembler tricks.

It makes some of these malware-testing websites and labs useless, and people who examine malware at a higher level should know about such things.
 #562  by EP_X0FF
 Tue Apr 06, 2010 3:22 pm
Most so-called anti-* tricks are based on analyzing hardware components of the system (driver/process names of VMware/VPC/VBox) or searching for specific DLLs (as in the case of Sandboxie).
 #563  by NOP
 Tue Apr 06, 2010 3:29 pm
When I find a sample that PEiD recognizes as Microsoft Visual Basic 5.0 / 6.0 or Borland Delphi 6.0 - 7.0, after a quick look to check whether it is actually a kiddie crypter, I just bin it. They're all based off the same loading code and usually other open-source code.

If the average user tests one of these files in a sandbox and it comes up with absolutely nothing, they should be suspicious.

EP_X0FF wrote: Most so-called anti-* tricks are based on analyzing hardware components of the system (driver/process names of VMware/VPC/VBox) or searching for specific DLLs (as in the case of Sandboxie).

Some just check things like the username, like CurrentUser, to detect Norman SandBox. :lol:
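As an added example (not from any post in this thread): a PowerShell script to run from inside an analysis VM or sandbox that reports the same classes of fingerprint EP_X0FF and NOP describe above: hypervisor guest-tool process and driver names, the Sandboxie DLL injected into the current process, the SMBIOS manufacturer/model, and the "CurrentUser" account name. The indicator lists are my own illustrative selection of well-known guest-tool file names, not taken from any particular crypter, and the matching is deliberately as naive as the crypters' own checks.

```powershell
# Added example: see which of the anti-VM / anti-sandbox fingerprints discussed
# in this thread your own analysis box exposes. Indicator names below are an
# illustrative (assumed) selection of guest-tool binaries, not a crypter's list.

$findings = @()

# 1. Guest-tool processes (VMware Tools, VirtualBox Guest Additions, Virtual PC
#    Integration Components). Hashtable keys are case-insensitive by default.
$vmProcesses = @{
    'vmtoolsd'    = 'VMware Tools'
    'vmwaretray'  = 'VMware Tools'
    'vmwareuser'  = 'VMware Tools'
    'VBoxService' = 'VirtualBox Guest Additions'
    'VBoxTray'    = 'VirtualBox Guest Additions'
    'vmusrvc'     = 'Virtual PC Integration Components'
    'vmsrvc'      = 'Virtual PC Integration Components'
}
foreach ($p in Get-Process) {
    if ($vmProcesses.ContainsKey($p.ProcessName)) {
        $findings += "process $($p.ProcessName).exe -> $($vmProcesses[$p.ProcessName])"
    }
}

# 2. Guest driver files on disk under System32\drivers.
$vmDrivers = @{
    'vmmouse.sys'   = 'VMware'
    'vmhgfs.sys'    = 'VMware'
    'VBoxMouse.sys' = 'VirtualBox'
    'VBoxGuest.sys' = 'VirtualBox'
    'VBoxSF.sys'    = 'VirtualBox'
    'vpc-s3.sys'    = 'Virtual PC'
}
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($d in $vmDrivers.Keys) {
    if (Test-Path (Join-Path $driverDir $d)) {
        $findings += "driver $d -> $($vmDrivers[$d])"
    }
}

# 3. Sandboxie injects SbieDll.dll into every sandboxed process, including this one.
$self = [System.Diagnostics.Process]::GetCurrentProcess()
if ($self.Modules | Where-Object { $_.ModuleName -ieq 'SbieDll.dll' }) {
    $findings += 'module SbieDll.dll loaded in this process -> Sandboxie'
}

# 4. SMBIOS manufacturer/model as reported by the firmware of the virtual hardware.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.Manufacturer -match 'VMware|innotek' -or $cs.Model -match 'VirtualBox|Virtual Machine|VMware') {
    $findings += "SMBIOS '$($cs.Manufacturer) / $($cs.Model)' -> virtual hardware"
}

# 5. The account-name check NOP mentions: Norman SandBox runs samples as "CurrentUser".
if ($env:USERNAME -eq 'CurrentUser') {
    $findings += "username '$($env:USERNAME)' -> Norman SandBox"
}

if ($findings.Count -eq 0) {
    'None of these fingerprints found; a crypter using only these checks would run here.'
} else {
    'Fingerprints a crypter could use to refuse to run:'
    $findings | ForEach-Object { "  $_" }
}
```

Run it in the same session you would run the sample in (Sandboxie check 3 only fires when PowerShell itself is sandboxed). Each line it prints is one thing the crypter may be keying on; renaming the guest-tool processes, using a non-default account name and, where your workflow allows, not installing guest additions on the detonation VM removes the cheap checks, while the SMBIOS strings need hypervisor-side configuration to change.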
 #564  by EP_X0FF
 Tue Apr 06, 2010 4:58 pm
Hello,

All discussions about sandboxes moved to separate thread.
If you have more links to online link checkers or online sandboxes, feel free to post them here; the sticky topic Sandboxes / Online Link checkers will be updated.

Thank you.