When a company becomes infected with malware, its first step is to remove the infection. In order to do so, a malware analyst must analyze the malicious sample to determine what the malware does and how it hides itself. But there are many ways attackers can hide the presence of malware, which makes it difficult for the malware analyst to check everything. A cloud malware analysis service can speed up the malware analysis process through automation.
There are many cloud malware analysis tools and services available that can be used freely by anyone with an Internet connection. Over the years though, many large players have fallen off and are no longer available, including Aerie, CWSandbox, Malbox, VisualThreat, XecScan and Norman Sandbox.
Some of the current services have not been updated for some time, but are still functioning and useful in malware analysis.
Supported file formats and document types
See Infosec Institute's accompanying article on the Comparison of Cloud Automated Malware Analysis Tools
Attackers often hide malicious payloads inside widely used file formats and document types, not just PDFs. A malicious payload can be inserted into any data that is fed to a program where it is parsed and used. Because of that, cloud malware analysis services cannot analyze every kind of input data, but are instead limited to the file formats and document types that malware actually uses to spread its malicious payload. It wouldn't be beneficial to include support for input data that is rarely used by malware, but it is a great advantage to support items widely used by malware samples, such as Windows executables.
Each cloud automated malware analysis service is focused on providing analysis platforms for a wide range of file formats and document types. The table below presents all file formats and document types supported by every cloud malware analysis service. Each row presents a file format or document type that malware uses as a container for a malicious payload, while each column presents a cloud malware analysis service.
Depending on the type of file being analyzed, the table can be used as a reference to find a service that supports the analysis of the corresponding file. For instance, if a security professional at an organization would like to analyze a Windows executable, he can consult the table and know to use services A, C, J, M, TE, TT or V for analysis. When multiple services are available, he can try all of them and decide which one works best for his organization. Often multiple services can be used at the same time, since some are able to determine information about the malware sample that others are not capable of, and vice versa.
Choosing the right cloud malware analysis tool
There is a vast variety of cloud malware analysis tools and services in widespread use today. Every service supports only a fraction of all file formats and document types into which malicious code can be injected. Therefore, depending on the file to be analyzed, the service that best supports its corresponding file format or document type can be used. There are many cases where an attacker could inject a malicious payload into a file format or document type not supported by any of the services above. The only problem in doing so is that the attacker won't be able to reach a wide audience, since such a file format or document type is probably not used by many people worldwide. For this reason, attackers mainly focus on file formats and document types used by millions of people, which allows them to gain access to as many computers as possible with the least amount of effort.
Even if a file format or document type is supported by a malware analysis service, that doesn't mean the service will be able to analyze it correctly. Some malware samples use anti-detection techniques that determine whether the malicious payload is being executed in an automated malware analysis environment, in which case the sample terminates immediately and the sandbox report shows no malicious behavior. Cloud malware analysis tools should be used only as a means to speed up the analysis process, while the analysis itself should be done under the supervision of an experienced malware analyst.
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance, as well as security-related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages, and regularly writes security-related articles for his own website.