Anubis Sandbox Becoming Useless
Doing mostly botnet research with the samples we obtain through the mwcollect Alliance, the most interesting thing in the Anubis sandbox reports for me has been the network traces. Following the lame "run the binary in a VM, hooking all interesting APIs" approach, the Anubis sandbox really has to connect to the C&C server in order to learn channel names, keys, etc.
The big problem here is that the analysis machines behind the public online submission interface all run on static IPs, do not use proxies and, even worse, have a valid reverse DNS entry pointing to Anubis. In the end, this has led most "advanced" herders to block the Anubis sandbox, as can be seen from this example report (search for "ERROR :Closing").
Time to finally finish my own sandboxing stuff... not relying on the remote connection but on static behavioural analysis with some emulation (packers, self-modifying code, ...).
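The reverse DNS problem described above is something a sandbox operator can check for before a herder does. The following script is an added example, not code from the original post or from the Anubis project: it audits a list of egress addresses and flags PTR names that name the analysis infrastructure. The token list and the sample address table are constructed for illustration (documentation ranges, so nothing points at a real host); with no table given it falls back to a live lookup via the standard library.

```python
"""Audit a sandbox's egress addresses for reverse-DNS names that give the
analysis infrastructure away. Added example, not part of the original post."""
import socket

# Words that, appearing in a PTR record, tell a remote C&C who is connecting.
# Constructed list; extend it with your own host-naming conventions.
REVEALING_TOKENS = ("anubis", "sandbox", "analysis", "malware", "honey")

# Constructed sample data standing in for live PTR lookups (RFC 5737
# documentation ranges, so nothing here refers to a real machine).
SAMPLE_PTRS = {
    "192.0.2.10": "analysis-vm3.anubis.example.net",   # names the sandbox
    "192.0.2.11": None,                                # no PTR at all
    "198.51.100.7": "dsl-100-7.customers.example-isp.net",  # looks like a home user
}


def reverse_lookup(ip, table=None):
    """Return the PTR name for ip, or None if there is none.

    With a table (as in the sample above) the answer comes from the table;
    without one, a live lookup is done with socket.gethostbyaddr."""
    if table is not None:
        return table.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def is_revealing(ptr_name, tokens=REVEALING_TOKENS):
    """True if the PTR name contains any token that identifies analysis gear."""
    if ptr_name is None:
        return False
    lowered = ptr_name.lower()
    return any(token in lowered for token in tokens)


def audit_egress(ips, table=None, tokens=REVEALING_TOKENS):
    """Return {ip: verdict} with verdict 'revealing', 'no-ptr' or 'ok'.

    'ok' only means the PTR does not name the sandbox; a static, unproxied
    address can still be blocklisted once it has been seen a few times."""
    verdicts = {}
    for ip in ips:
        name = reverse_lookup(ip, table)
        if name is None:
            verdicts[ip] = "no-ptr"
        elif is_revealing(name, tokens):
            verdicts[ip] = "revealing"
        else:
            verdicts[ip] = "ok"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in audit_egress(list(SAMPLE_PTRS), SAMPLE_PTRS).items():
        print(f"{ip:14} {verdict:10} {reverse_lookup(ip, SAMPLE_PTRS)}")
```

Run against the constructed table it reports 192.0.2.10 as revealing, 192.0.2.11 as having no PTR and 198.51.100.7 as clean. A clean verdict addresses only the reverse DNS point; it says nothing about the static-IP problem the post raises, which needs rotating or proxied egress rather than a DNS change.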