

Which cloud malware analysis tools suit you best?

Deciding on cloud malware analysis tools can be a confusing process for organizations. Here's how to know which one is right for your business.

When a company discovers a malware infection, its first step is to remove the infection. To do so, a malware analyst must analyze the malicious sample to determine what the malware does and how it hides itself. But attackers have many ways to conceal the presence of malware, which makes it difficult for an analyst to check everything by hand. A cloud malware analysis service can speed up the malware analysis process through automation.

There are many cloud malware analysis tools and services that anyone with an Internet connection can use free of charge. Over the years, though, several once-prominent services have shut down and are no longer available, including Aerie, CWSandbox, Malbox, VisualThreat, XecScan and Norman Sandbox.

Some of the current services have not been updated for some time, but are still functioning and useful in malware analysis.

Supported file formats and document types

Every cloud malware analysis service supports only a fraction of all file formats and document types in which malicious code can be injected.

Over the years, malware has been spread in many different ways, always with the goal of reaching as wide an audience, and infecting as many computers, as possible. Malicious payloads turn up in a range of file formats and document types, so the service must dissect each of them as part of the threat detection process. A malicious payload in a PDF document, for example, can be found only if the service understands the PDF format well enough to split the document into its component objects and analyze each part separately. A PDF can carry JavaScript, so whenever the PDF dissector finds a JavaScript element, it must hand the script to a JavaScript analyzer to determine whether it is malicious. JavaScript inside a PDF is frequently harmless, so the service must not flag a document as malicious merely because a script is present; if it does, the result is a false positive.
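As an added illustration of the dissection step described above (example code written for this article, not part of any of the services discussed), the following Python script locates JavaScript actions in a PDF without passing a verdict. The sample document is constructed inline and is not a real malicious file; it exercises two hiding tricks a dissector has to cope with, a hex-escaped key name (/J#53 for /JS) and a script body stored in a FlateDecode stream. The function names and the returned field names are this example's own choices.

```python
import re
import zlib

# Constructed sample (not a real malicious document): a minimal PDF whose
# catalog /OpenAction points at a JavaScript action. The script body sits in a
# FlateDecode stream and the /JS key is written with a hex escape (/J#53),
# two common tricks that defeat a naive grep for "/JS".
_SCRIPT = b"app.alert('hello');"
_DEFLATED = zlib.compress(_SCRIPT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /J#53 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length " + str(len(_DEFLATED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign document: same skeleton, no script at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")      # /JS 4 0 R  (indirect)
JS_LIT_RE = re.compile(rb"/JS\s*\((.*?)\)", re.S)       # /JS (code)  (inline string)


def decode_name(raw):
    """Resolve PDF name escapes so /J#53 compares equal to /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def read_stream(body):
    """Slice the stream payload by /Length when the length is a direct integer;
    fall back to the endstream keyword when it is an indirect reference or absent."""
    start = re.search(rb"stream\r?\n", body)
    if not start:
        return None
    data = body[start.end():]
    m = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", body)
    if m:
        return data[: int(m.group(1))]
    end = data.rfind(b"endstream")
    return data[:end].rstrip(b"\r\n") if end >= 0 else data


def parse_objects(pdf):
    """Split the file into indirect objects: decoded dictionary text plus the
    stream payload (inflated when the filter is FlateDecode)."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        dict_part = decode_name(body.split(b"stream", 1)[0])
        stream = read_stream(body)
        if stream is not None and b"/FlateDecode" in dict_part:
            try:
                stream = zlib.decompress(stream)
            except zlib.error:
                pass  # keep raw bytes; a stream that will not inflate deserves a look anyway
        objs[int(m.group(1))] = {"dict": dict_part, "stream": stream}
    return objs


def extract_javascript(objs):
    """Return [(object number, script bytes or None)] for each JavaScript action.
    No verdict is attached: the scripts are handed on for JavaScript analysis."""
    found = []
    for num, obj in objs.items():
        d = obj["dict"]
        if b"/JavaScript" not in d and not re.search(rb"/JS\b", d):
            continue
        ref = JS_REF_RE.search(d)
        if ref:
            target = objs.get(int(ref.group(1)))
            script = target["stream"] if target else None
            if target and script is None:  # target may be a plain string object
                lit = re.search(rb"\((.*)\)", target["dict"], re.S)
                script = lit.group(1) if lit else None
        else:
            lit = JS_LIT_RE.search(d)
            script = lit.group(1) if lit else None
        found.append((num, script))
    return found


def triage(pdf):
    """Summary for the next analysis stage. auto_run is True when the catalog
    carries /OpenAction or /AA, so a script would fire without user interaction."""
    objs = parse_objects(pdf)
    catalog = next((o["dict"] for o in objs.values() if b"/Catalog" in o["dict"]), b"")
    scripts = extract_javascript(objs)
    return {
        "scripts": scripts,
        "script_count": len(scripts),
        "auto_run": b"/OpenAction" in catalog or b"/AA" in catalog,
        "needs_js_analysis": bool(scripts),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
    print(triage(BENIGN_PDF))
```

The output deliberately stops at "needs_js_analysis": the presence of a script, even one that auto-runs on open, is the trigger for the JavaScript analyzer, not a malicious verdict in itself. A real dissector also has to follow object streams, cross-reference streams and the other stream filters, which this example omits.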

Companion article

See Infosec Institute's accompanying article on the Comparison of Cloud Automated Malware Analysis Tools

Attackers hide malicious payloads inside many widely used file formats and document types, not just PDFs. A malicious payload can be inserted into any data that a program parses and acts on. No cloud malware analysis service can analyze every kind of input, so each concentrates on the file formats and document types malware actually uses to spread. Supporting an input type that malware rarely uses is of little benefit, whereas supporting the types malware samples use heavily, such as Windows executables, is a great advantage.

Each cloud automated malware analysis service provides analysis platforms for its own range of file formats and document types. The table below lists the file formats and document types supported by each cloud malware analysis service: each row is a file format or document type that malware uses to carry a malicious payload, and each column is a cloud malware analysis service.

Depending on the type of file being analyzed, the table can be used as a reference for finding a service that supports the corresponding format. For instance, a security professional who wants to analyze a Windows executable can consult the chart and see that services A, C, J, M, TE, TT or V will accept it. When several services support the file, it is worth submitting it to all of them and judging which works best for the organization: the services often complement one another, since one may extract information about a sample that another cannot, and vice versa.

Choosing the right cloud malware analysis tool

There is a wide variety of cloud malware analysis tools and services in use today, and every one of them supports only a fraction of the file formats and document types in which malicious code can be embedded. Depending on the file to be analyzed, choose the service with the best support for its format or document type. An attacker could, of course, embed a payload in a format that none of the services above supports, but a rarely used format reaches few victims. Attackers therefore concentrate on file formats and document types used by millions of people, which gets them onto as many computers as possible with the least effort.

Even when a file format or document type is supported, the service may still fail to analyze a sample correctly. Some malware uses sandbox-evasion (anti-analysis) techniques that detect when the payload is running inside an automated analysis environment, in which case the payload terminates immediately or behaves harmlessly, and the service reports nothing of interest. Cloud malware analysis tools should therefore be treated as a way to speed up analysis, not replace it: the analysis should be supervised by an experienced malware analyst who can recognize when a clean verdict is really an evaded one.
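One practical check an analyst can run before trusting a sandbox's clean verdict is to look for the strings a sample would need in order to detect the analysis environment. The script below is an added example written for this article, not code from any of the services discussed; the indicator lists are well-known Windows API names and virtual machine or analysis-tool artifacts, the category names and thresholds are this example's own choices, and the two byte blobs are constructed stand-ins for the strings region of a sample. A hit is a heuristic only, since legitimate software also imports functions such as IsDebuggerPresent.

```python
# Strings whose presence in a sample commonly serves an anti-analysis check.
# Well-known Windows API names and VM/sandbox artifacts; the category names are
# this example's own grouping, not a standard taxonomy.
ANTI_ANALYSIS_INDICATORS = {
    "debugger-check": [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                       b"NtQueryInformationProcess"],
    "vm-artifact": [b"VBoxGuest", b"VBoxService", b"vmtoolsd", b"VMware", b"QEMU",
                    b"HARDWARE\\ACPI\\DSDT\\VBOX__"],
    "timing-check": [b"GetTickCount", b"QueryPerformanceCounter"],
    "analysis-tool": [b"wireshark.exe", b"procmon.exe", b"x64dbg.exe", b"ollydbg.exe",
                      b"SbieDll.dll"],
    "environment-probe": [b"GetSystemInfo", b"GlobalMemoryStatusEx", b"GetCursorPos"],
}

# Constructed byte blobs standing in for the strings region of a sample (not
# real malware). The VirtualBox driver path is stored as a UTF-16LE wide string,
# the way Windows binaries usually keep paths, so an ASCII-only grep misses it.
SUSPICIOUS_SAMPLE = (
    b"\x00\x00KERNEL32.dll\x00IsDebuggerPresent\x00GetTickCount\x00Sleep\x00"
    + "C:\\Windows\\System32\\drivers\\VBoxGuest.sys".encode("utf-16-le")
    + b"\x00\x00procmon.exe\x00"
)
PLAIN_SAMPLE = b"\x00KERNEL32.dll\x00IsDebuggerPresent\x00CreateFileW\x00WriteFile\x00"


def _variants(indicator):
    """Match both the ASCII form and the UTF-16LE form used by Windows wide strings."""
    return (indicator, indicator.decode("ascii").encode("utf-16-le"))


def scan_for_evasion(data):
    """Map each indicator category to the indicators found in the raw bytes.
    Matching is case-insensitive so 'vmware' and 'VMware' both count."""
    lowered = data.lower()
    hits = {}
    for category, indicators in ANTI_ANALYSIS_INDICATORS.items():
        found = sorted({ind.decode("ascii") for ind in indicators
                        if any(v.lower() in lowered for v in _variants(ind))})
        if found:
            hits[category] = found
    return hits


def likely_sandbox_aware(hits, min_categories=2):
    """Treat a sample as probably sandbox-aware when it shows indicators from at
    least min_categories distinct techniques; a lone debugger import is noise."""
    return len(hits) >= min_categories


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("plain", PLAIN_SAMPLE)):
        hits = scan_for_evasion(blob)
        print(name, hits, "sandbox-aware?" , likely_sandbox_aware(hits))
```

When a sample that scores as sandbox-aware comes back from a cloud service with no observed behavior, the sensible reading is "evaded", not "benign", and the sample goes to manual analysis with the evasion checks patched out or the environment artifacts hidden. Packed or encrypted samples will hide these strings too, which is another reason the scan is a supporting check rather than a verdict.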

About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance, as well as security-related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages, and regularly writes security-related articles for his own website.
