Security Laboratory

Security Laboratory

Sec Lab: Security Products

In 1995 if you wanted a security product, you downloaded the source and compiled it on your Sun 3, today we buy supported commercial products: this series on the security lab is to introduce you to some of the products out there and, when possible, the movers and shakers that are part of the team that creates these products.

Other Related Articles in Sec Lab: Security Products

Interview About The Norman Malware Analyzer

By Stephen Northcutt

We worked the show floor pretty hard at RSA 2007 San Francisco and this is one of the most interesting products that we saw at the show. To help you get to know it better, we have asked two of the brilliant minds, Righard J. Zwienenberg and Kurt Natvig, behind the product to join us for an interview. The name of the product tells you what it does, but we will try to bring it to life in this article.

Righard, how did each of you get involved with Norman?

I started dealing with computer viruses in 1988 after encountering the first virus problems on a system at the Technical University of Delft.

Wow, sorry to interrupt, 1988 was an exciting year, the Morris Worm and also Brent Fix neutralized a worm in the wild paving the way for Anti-Virus products[1,2], where did you go from there?

Righard Zwienenberg has studied virus behavior and presented solutions and detection schemes ever since. Initially he started as an independent consultant, then in 1991 he co-founded CSE Ltd where he was the Research and Development Manager. In October 1995, Zwienenberg left CSE and one month later he started at the Research and Development department of ESaSS BV - developers of ThunderBYTE - to reinforce the team and have some new challenges in life. In 1998, Norman Data Defense Systems acquired ESaSS and Zwienenberg joined the Norman Development team where he is working on the engine of Norman Virus Control and represents Norman in several cooperation-bodies. At the end of 2005 Zwienenberg took the role of Chief Research Officer at Norman. Zwienenberg has been a member of CARO since 1992 and co-founded AVED. He is a frequent speaker at conferences - among these Virus Bulletin, EICAR, AVAR, RSA, etc - and seminars. His interests are not limited to viruses but have broadened to include general security issues and encryption technologies over the past years.

Fantastic, let's hear about Kurt!

Kurt Natvig started programming in 1987 on his Commodore Amiga 500. Kurt started working for Norman ASA as a junior programmer in 1994. In 1995 he started writing on Norman's Scanner Engine where he began developing Norman's first emulator. In 1996 he was promoted to Senior Software Developer. In 1999 Kurt was elected as a CARO member, and is also a member of AVED. He first introduced the Norman SandBox during presentations at the Virus Bulletin Conference in 2001, 2002, and 2003. Then the SandBox was launched as part of Norman Virus Control in June of 2003, followed by the launch of the Norman SandBox Information Center in 2004.

Kurt, what led to your interest in sandbox technology?

It started in around 1999, when the DOS virus ACG showed that regular emulation for decryption wasn't good enough. It all started with writing a DOS kernel and then it extended to a "BIOS" for reboot etc. I could then "force" DOS viruses to "infect" other files on the simulated "hard-disk" using pure simulation & emulation. Over time this system has grown and grown; and if I've known then what I do now on how comprehensive everything needs to be, I've probably wouldn't have started. It's taken many years & many tons of blood pressure medicine to research & write support for all those libraries and APIs which resolves around the Win32 subsystem.

Oh my! We haven't thought about ACG in a long, long time; brings back memories of reading the famous Hunting for Metamorphic paper.[3] OK, Righard, the malware analyzer is very interesting, do you find organizations are excited about this?

Yes indeed. Most companies have heard about the Norman SandBox technology, but their interest becomes peaks after they see it. Not only does it give them powerful analysis capabilities, it also speeds up there process. They do not have to wait for an answer from a third party or analyst, but instead have an almost instant answer. On top of that they do not have to send potential critical and confidential files to the outside.

This is a great point. we had read about it, but it was seeing the device at the show that was the aha moment. They were kind enough to let Stephen take the mouse and mess with a piece of malware. It is kind of a Soft Iceish feel, you can see function calls, interrupts, attempts to access Internet resources any attempt to interface with Win32. I bet people could use this for forensics.

Screen shot of Norman Data Analyzer

From a forensics point of view, they love the details and configurability of the Norman SandBox Analyzer Pro, where they can literally see, store, restore, set and modify all the details on a very low level. Combined with the new Live Internet Communicator (LIC) and the possibility to store all network traffic in Ethereal, it gives them serious forensic capabilities on network traffic and flow.

Righard, do you have a customer that is willing to make a statement about how they use the analyzer?

This is an ongoing challenge. The majority of customers purchasing Norman's analysis technology prefer to remain anonymous. They do not wish to provide cyber-criminals with information about the security software that is being used. In fact we offer a 50% discount for joining our PR efforts and most prefer to pay full price. One customer that does promote the usage of the Norman SandBox Analyzer Pro is the Norwegian Defense Research Institute (FFI: Forsvarets Forsknings Institutt).

Virtual technology seems to be finding its time, it is in a lot of security products, do you feel there are risks that should be considered? Is it possible for malware to defeat virtualization, is that the red pill/blue pill[4] lesson?

There is always a potential to detect virtualization, or worse, to break out of it. It already has been shown that it is possible to break out of VMWare. With the Norman SandBox this is not possible as nothing is really executed but simulated.

There are always possibilities to bypass virtualizations. It would be a utopia to say it different. People already have tried to bypass the Norman SandBox before, from trivial checks to rather complex ones. The trivial one was on one of Norman's first publicly available SandBox usages where the name of the machine in the SandBox was static. Don't worry, this is randomized right now. As soon as we learn that a new trick is developed to detect the presence of the SandBox, something which over time is inevitable, the SandBox team will 'assimilate' this trick and use it to our benefit.

In addition the people who try to bypass the SandBox are using the SandBox Information Center's engine to test their new trick. This engine is less flexible than the SandBox engine in the commercial tools. Also this means we have access to their new tricks before the public in some cases.

What do you think the next major evolution in malware will be?

For me personally, I think the upcoming WiMax technology where people will connect to 70 megabits/second networks up to 30 miles in range of a WiMax station. For people at home this quite often is a serious problem already properly configuring their wireless routers. They are opening up their local network that way for the outside world. Now you still need to be relatively close to the house to have a non-protected connection, but with WiMax you could be as far as 20 miles away in optimum circumstances. And WiMax users are difficult to trace (how many households in a 20 mile radius in a city.)

OK Kurt, let me get back to you for a minute. What are you thinking about adding to your sandbox and analyzer technology?

As products, the Norman SandBox Analyzer and Norman SandBox Analyzer Pro are fairly new. We will add new and powerful functions to aid the analysis of binary malware. Every new version will have some new features that will really make day-to-day work for a malware researcher easier. For example the Live Internet Control (LIC) feature we launched in version 1.03a of the Norman SandBox Analyzer Pro edition.

In the future we see the need to SandBox more operating systems, and also to extend the current support for some of the software protectors we see out there being used by malware authors. Support for Rootkits (or kernel drivers) is about to be completed and will be featured in our April release.

You have done a great job building a great product, tell us something about yourself Righard, what do you do when you are not working? Do you have a vacation planned, where will you go?

Righard: When not working, I'm drumming (something I picked up last year again after not being behind a kit for 20 years), performing or practicing magic, balloon modeling or playing with my 19 month old son (not too difficult given the previous hobbies). I like to watch movies. I'm also collecting authentic Blues Brothers material Commodore computers. Most of these are not working anymore when I them so I try to restore/repair them.


Kurt: When I'm not working, I have 9 animals (3 Bernese Moun dogs and 6 cats) in the house and a wife to attend to. I don't have many other hobbies; I played some guitar many years ago and I'm nice cars. I li /p> 1.