Last month we published an article, "Hybrid Analysis - NextGen Technology for Advanced Malware Payload Detection", that outlined our StaticStream core engine and also appeared in the July edition of Hakin9 magazine. It covered several aspects of automated malware analysis systems, specifically that "NextGen" automated systems will need to combine dynamic and static analysis techniques, because VM detection on the malware side is growing stronger and a preset environment does not always meet the conditions required to trigger the interesting payload. In other words, it is important to detect and analyze non-executed code sequences at runtime. We understand this requirement, and since we had already been building in-house tools to extract run-time data from malware, we decided to take things one step further and automate the process, creating a fully automated malware analysis system that we call VxStream Sandbox. The name borrows, to a degree, from the "streaming architecture" of StaticStream, which is a core and integral part of the overall system. In this blog post we outline some of the features of the new system and give a brief overview.
Description
- In-depth analysis of 32-bit executables on all compatible Windows operating systems
- High-speed algorithms that allow in-depth analysis within minutes
- Flexible hooking system to monitor run-time behavior
- Intelligent process monitoring that follows malware injecting into system/user processes
- Counters common VM-detection techniques used by malware (e.g. the sandbox is not detected by Paranoid Fish/pafish)
- Hybrid analysis integrated (combination of static and dynamic analysis)
- Dormant code detection based on executed function calls
- Injected memory logging for in-depth analysis (shellcode detection)
- API calls with parameter values/names, register values and call stack
- Full monitoring of registry access, process handles, mutants, etc.
- Memory snapshots to detect unpacked code during runtime
- Open and configurable behavior signatures; add your own signatures
- Third-party integration possible, e.g. of YARA signatures
- Extensive pure static analysis of the sample (imphash, ssdeep, etc.)
- Unique screenshot detection
- Dropped/created file detection for multi-stage analysis
- Network traffic filters and extraction of key data (HTTP requests/contacted hosts)
- Extensive XML and JSON reports for post-processing
- Optional (automatic) persistence of reports into supported databases
- Wide range of configuration options and logging features
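Two of the items above, the pure static analysis (imphash) and the dormant code detection based on executed function calls, can be illustrated with a small standalone example. The code below is an added illustration written for this post; it is not part of VxStream Sandbox or StaticStream and does not reflect their internals. It assumes a constructed import table (as a static pass would recover from the PE import directory) and a constructed run-time API log in a made-up `address LIB!Function(args) -> retval` line format. The imphash follows the widely used convention implemented in pefile (lower-case `lib.func` entries joined by commas, with `.dll`/`.ocx`/`.sys` stripped, MD5 over the result); unresolved ordinals are written as `ordN`, which is a simplification: pefile additionally resolves known ordinals of a few system DLLs to names. The dormant-import check simply subtracts the APIs observed at run time from the statically imported set; anything left is imported but was never called in this run, i.e. code that the preset environment did not trigger.

```python
import hashlib
import re

# Constructed sample: import table as a static pass would recover it from the
# PE import directory: (library, [function name or ordinal number, ...]).
STATIC_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileW", "WriteFile", "CreateProcessW", "VirtualAlloc"]),
    ("ADVAPI32.dll", ["RegSetValueExW", "RegOpenKeyExW"]),
    ("WS2_32.dll", [23, "send"]),   # ordinal #23 imported by number, not name
]

# Constructed sample: run-time API log in a hypothetical hooking-layer format
# ("<call address> <LIB>!<Function>(<params>) -> <return value>").
RUNTIME_LOG = """\
0x00401a3c KERNEL32.dll!CreateFileW(lpFileName="C:\\Users\\x\\a.tmp", dwDesiredAccess=0x40000000) -> 0x58
0x00401a58 KERNEL32.dll!WriteFile(hFile=0x58, nNumberOfBytesToWrite=4096) -> 1
0x00401b10 ADVAPI32.dll!RegOpenKeyExW(hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run") -> 0
"""

_LOG_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+([^!\s]+)!([A-Za-z0-9_]+|#\d+)\(")
_STRIP_EXT = ("dll", "ocx", "sys")


def _norm_lib(libname):
    """Lower-case the library name and drop a .dll/.ocx/.sys extension."""
    lib = libname.lower()
    base, dot, ext = lib.rpartition(".")
    return base if dot and ext in _STRIP_EXT else lib


def _norm_func(func):
    """Lower-case a function name; represent a numeric ordinal as 'ordN'."""
    return func.lower() if isinstance(func, str) else "ord%d" % func


def imphash(imports):
    """Import hash: MD5 over comma-joined 'lib.func' entries in import order.

    The value depends on which functions are imported and in what order, so
    it groups samples built from the same source/toolchain even when the rest
    of the binary differs (packer stubs and recompiled variants included).
    """
    entries = ["%s.%s" % (_norm_lib(lib), _norm_func(f))
               for lib, funcs in imports for f in funcs]
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


def parse_runtime_calls(log):
    """Return the set of (lib, func) pairs actually called according to the log."""
    called = set()
    for line in log.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue   # unparseable line: ignore rather than abort the analysis
        name = m.group(3)
        if name.startswith("#"):          # ordinal call written as '#N' in the log
            name = "ord" + name[1:]
        called.add((_norm_lib(m.group(2)), name.lower()))
    return called


def dormant_imports(imports, log):
    """Imported APIs that never showed up in the run-time log.

    Static minus dynamic: these are the code paths the sandbox run did not
    reach, which is exactly where an environment-dependent payload may hide.
    """
    called = parse_runtime_calls(log)
    dormant = []
    for lib, funcs in imports:
        for f in funcs:
            if (_norm_lib(lib), _norm_func(f)) not in called:
                dormant.append("%s!%s" % (lib, f if isinstance(f, str) else "#%d" % f))
    return dormant


if __name__ == "__main__":
    print("imphash:", imphash(STATIC_IMPORTS))
    print("called at run time:", sorted(parse_runtime_calls(RUNTIME_LOG)))
    print("imported but never called:")
    for entry in dormant_imports(STATIC_IMPORTS, RUNTIME_LOG):
        print("  ", entry)
```

For the constructed sample the dormant list contains `CreateProcessW`, `VirtualAlloc`, `RegSetValueExW` and both WS2_32 imports: the run wrote a file and read a Run key, but the process-creation, memory-allocation, persistence and network code was never exercised, which is the kind of output a behavior signature or an analyst would then follow up on with the static view of those call sites.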
As the list shows, the feature set is already quite extensive, but there is always room for improvement. Since we are convinced of (and have already seen) the real-world practicability of the system, we are going to invest more resources into taking it to the next level.
The following diagram outlines the overall system from a bird's-eye view:
As the diagram shows, the pipeline is straightforward: the general data processing (parallelized) converts an input sample into an in-depth, machine-parsable report. The behavior signatures applied to the extracted run-time and static analysis data are configurable, grow continuously as malware forensics evolves, and can be shared among users.