Numerous malware-related breaches occur every day and, as a result, a vast number of malware samples are distributed around the world on a daily basis. The techniques attackers use to spread malware and keep it undetected are becoming more evolved, and harder to detect and analyze. Malware spreads through different attack vectors like email attachments, drive-by download attacks and watering hole attacks. Because there are so many malicious samples, automated malware analysis services are becoming necessary in winning the cyberwar. This tip discusses different cloud-based automated malware analysis services that analyze binary samples and determine whether they are malicious or not.
Currently there are so many malware samples in circulation every day that security researchers could not analyze them all manually in real time. Therefore, organizations need a better automated approach to obtain the necessary information about malware samples. Although malware samples constantly target different sectors of business, only a handful of them actually use new techniques. The majority of malware samples are simple derivations of known malware, where the code has been changed only slightly to make it undetectable.
In order to automate the malware analysis process, organizations can use one of the cloud automated malware analysis platforms, like Anubis or Malwr, among others. Automated malware analysis tools can't successfully analyze all existing malware samples, because some of the samples are too complex to analyze through an automated approach. The most advanced malware samples will use different techniques to determine whether they are being analyzed and if so, they will terminate immediately. These types of malware samples usually use certain techniques to detect whether they are being executed in an automated malware analysis environment, including:
- Detecting a sandbox: A sandbox is used to separate the program from the rest of the system, so the program can't interact with the system. Therefore, a sandbox is an ideal way to analyze a malicious code sample in its own isolated environment. Depending on the malware, it can detect that it's being executed in such an environment and therefore terminate immediately. An example of a sandbox environment is Sandboxie, which can sometimes be used for malware analysis.
- Detecting a debugger: A debugger is usually used to manually analyze a binary executable, allowing visibility into the code one step at a time. Breakpoints can also be set and the program execution will stop when it reaches that breakpoint. A malware sample can use different techniques to detect whether it's being debugged, and then it can terminate unexpectedly. A debugger is not normally used in cloud-based malware analysis services, but appropriate techniques are nevertheless often incorporated into the malware to prevent manual inspection.
- Detecting a virtual environment: Most of the cloud-based automated malware analysis services use some kind of virtual environment for malware analysis. VMware, VirtualBox and Qemu are used most commonly, but other virtualization programs can also be used. Virtualization is used so often to automate malware analysis because it provides capabilities that security professionals would otherwise have to implement themselves. When a PE executable malware sample runs on a Windows operating system, it can infect the whole system, and if it contains a privilege escalation exploit, it can potentially gain administrative access to the system. Therefore, once malware has run on a system, that system is infected and cannot be trusted anymore, and running any more samples on it would only make matters worse. Snapshots make virtual machines (VMs) especially convenient here: a malware lab can be set up by creating a few VMs running different operating systems together with analysis tools, and after running a malware sample in one of the VMs, you revert to the previous snapshot and start with a clean system ready to analyze the next sample.
See Infosec Institute's accompanying article on the Comparison of Cloud Automated Malware Analysis Tools.
Cloud malware analysis services
There are plenty of automated malware analysis services on the Internet, most of which are free and can be used by anyone. Those services are presented below. The services automate a big part of the malware analysis process, and are useful in obtaining more details about the malware sample -- a process that could take hours or even days using a manual approach. Some of these services include: Anubis, Comodo, Malwr, Threat Expert, Threat Track and Vicheck.
Analyzing the binary sample
When analyzing a new binary executable, it's important to determine two things: Is the binary sample malicious and if so, what does it do?
The first step is to verify whether or not the binary sample is malicious. VirusTotal is a cloud-based service that can do that. The user has to upload the binary sample so it can be analyzed by the automated analysis environment. The results determine whether or not the submitted binary is malicious -- the report consists of the verdicts of a number of antivirus engines, each indicating whether or not it considers the file malicious. At the end, the findings are tallied and the service displays the statistics. VirusTotal also presents other interesting information that might be useful, like the MD5/SHA1 of the submitted file and of all of its sections, the names and sizes of the sections, the imported modules and used functions and so on.
Once it's verified the binary is malicious, upload the sample for analysis to the cloud-based automated malware analysis services. The services use a VM in the background and try to analyze malware based on various available techniques. The final result of the analysis will be considerably more detailed than with VirusTotal. Depending on the analysis service, screenshots of running malware can be attached to the report, dropped files will be logged, accessed and modified registry keys will be reported, network activity will be monitored, and much more.
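The section-level details a VirusTotal report lists (file hashes, section names and sizes, per-section hashes) come straight from the PE header, and it is useful to be able to reproduce them locally before uploading anything. The following added example, which is not code from the article or from VirusTotal, builds a constructed minimal PE32 image and parses its section table with only the Python standard library; the layout constants are the documented PE header offsets, and the sample bytes are made up for the demonstration.

```python
import hashlib
import struct

COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics

def build_sample_pe() -> bytes:
    """Constructed, minimal PE32 image with a .text and a .data section (not a real sample)."""
    size_opt = 224                                  # PE32 optional header size
    raw0 = 512                                      # first section starts at the first file-alignment boundary
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header directly after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\x00")   # PE32 magic, remaining fields zeroed
    text = b"\x55\x8b\xec\x33\xc0\x5d\xc3".ljust(512, b"\x00")  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    data = b"constructed sample data".ljust(512, b"\x00")
    secs = struct.pack(SECTION_FMT, b".text", 7, 0x1000, 512, raw0, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".data", 23, 0x2000, 512, raw0 + 512, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + secs
    return headers.ljust(raw0, b"\x00") + text + data

def parse_pe(buf: bytes) -> dict:
    """Return file hashes plus name, sizes, offset and hashes of each section, as a VirusTotal-style report does."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, size_opt, _ = struct.unpack_from(COFF_FMT, buf, pe_off + 4)
    sec_table = pe_off + 24 + size_opt              # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, buf, sec_table + i * 40)
        raw = buf[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_offset": rptr, "characteristics": flags,
            # A raw range running past end of file is worth flagging: packed or damaged samples often lie here.
            "truncated": rptr + rsize > len(buf),
            "md5": hashlib.md5(raw).hexdigest(), "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {"machine": machine, "md5": hashlib.md5(buf).hexdigest(),
            "sha1": hashlib.sha1(buf).hexdigest(), "sha256": hashlib.sha256(buf).hexdigest(),
            "sections": sections}

if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    print("sha256", report["sha256"])
    for s in report["sections"]:
        print(f'{s["name"]:8} vsize={s["virtual_size"]:#x} raw={s["raw_size"]:#x} @{s["raw_offset"]:#x} md5={s["md5"]}')
```

Comparing these locally computed hashes with the ones in the online report also confirms that the file you uploaded is the file that was analyzed.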
Using automated malware analysis tools with malware inspection tools
Cloud-based automated malware analysis services are a great utility that can help analyze binary executable samples. They are indispensable in malware analysis because they quickly show whether the binary file is malicious and what it's doing. But since the services use a scripted automated way of detecting all that information, they can also be detected and subverted by the malware.
Cloud-based automated malware analysis tools and services should not be a substitute for manual malware inspection; it's best to use them together with manual analysis. It's not possible to inspect every malware sample manually because it would take too much time and cost too much money. Cloud-based automated malware services should be used to rule out the majority of malware that has already been analyzed and processed. The remaining samples should be analyzed manually, and the findings of that manual work should be fed back into the automated approach. That way, the automated approach will be able to analyze similar malware samples in the future without needing a malware analyst's supervision.
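The workflow described above, as an added example that is not code from the article or from any of the named services: a triage routine over a sandbox report of the kind listed earlier (dropped files, registry writes, network activity, runtime) that rules out already classified samples by hash, passes samples with observable behaviour to automated processing, and escalates quiet early exits (the signature of a sample that noticed the analysis environment) to a manual analyst, whose verdict is then recorded for future runs. The report structure, the thresholds and the sample values are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field

MIN_RUNTIME_S = 5.0     # assumed threshold: exiting faster than this with nothing to show is suspicious
MIN_AV_RATIO = 0.2      # assumed threshold: share of engines flagging the file before we trust their verdict

@dataclass
class SandboxReport:
    """Constructed stand-in for the fields a cloud sandbox report typically carries."""
    sha256: str
    runtime_s: float
    dropped_files: list = field(default_factory=list)
    registry_writes: list = field(default_factory=list)
    network: list = field(default_factory=list)
    av_detections: int = 0   # engines flagging the file in a VirusTotal-style scan
    av_total: int = 0

def triage(report: SandboxReport, known: dict):
    """Route a report: 'known' (already classified), 'automated' (behaviour observed) or 'manual'."""
    if report.sha256 in known:
        return "known", f"previously classified as {known[report.sha256]}"
    activity = len(report.dropped_files) + len(report.registry_writes) + len(report.network)
    flagged = bool(report.av_total) and report.av_detections / report.av_total >= MIN_AV_RATIO
    if activity == 0 and report.runtime_s < MIN_RUNTIME_S:
        # Quiet early exit: consistent with the sandbox, debugger or VM detection described above.
        return "manual", "exited early with no observable activity; possible analysis evasion"
    if activity == 0 and flagged:
        return "manual", "AV engines flag the file but the sandbox saw nothing; behaviour may be hidden"
    return "automated", f"{activity} behavioural events recorded"

def record_verdict(sha256: str, verdict: str, known: dict) -> None:
    """Feed an analyst's (or the automated pipeline's) verdict back so future runs can rule the sample out."""
    known[sha256] = verdict

# Constructed reports (hashes, paths and the documentation-range IP are made up).
QUIET = SandboxReport("0" * 64, runtime_s=1.2, av_detections=30, av_total=57)
NOISY = SandboxReport("1" * 64, runtime_s=60.0,
                      dropped_files=["C:\\Users\\Public\\svc.exe"],
                      registry_writes=["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"],
                      network=["203.0.113.10:443"])

if __name__ == "__main__":
    verdicts = {}
    for r in (QUIET, NOISY):
        print(r.sha256[:8], *triage(r, verdicts))
    record_verdict(NOISY.sha256, "trojan-dropper", verdicts)
    print(NOISY.sha256[:8], *triage(NOISY, verdicts))
```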
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance, as well as security-related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages, and regularly writes security-related articles for his own website.