Tuesday, February 3, 2015

VxStream Sandbox and Hybrid-Analysis.com - Free Malware Analysis - Evolution

What's been happening?


This blog post focuses on the evolution of the online web service and the new features we added over the past weeks, and demonstrates them on a couple of real-world samples.

In the middle of November last year (so about 10 weeks ago), the automated malware behavior analysis service at www.hybrid-analysis.com was released to the public, and since then the delicate flower has been starting to blossom a bit.



So far we've had a bit more than 2000 analyses with ~1900 unique files, more than 25k behavior signatures matched, and 50k page views with 6k unique sessions from 107 different countries accessing our service. The overall bounce rate is only 54% with 38% returning visitors, so we have been reaching a targeted audience. This is how the world map looks if you colorize countries by their frequency of access to the web service (taken from Google Analytics):



We've also noticed that people use our service more and more frequently on "work days", which is a good sign that it is being used at a professional level:

We also received quite a lot of feedback and feature suggestions, which we would like to present in the following. Our conclusion so far: we must be doing something right.

New Major Features


Let me start out by saying: we added a lot. So many features that we decided to address only the most important ones here.

Supported File Types

Right from the beginning, a lot of document/PDF files were uploaded that weren't supported at first, so we focused on extending the list of supported file types. Right now you can upload any of the following file types:

Documents (new!): .doc, .docx, .rtf, .xls, .xlsx, .ppt, .pptx, .pdf
Executables: any kind of Windows PE file (.exe, .scr, .dll, .pif, .com, etc.).

All file types are detected automatically, so the file suffix can be anything; it is ignored anyway. As some users also asked to upload their files in different archive formats, we added support for the common ones. Right now, you can upload any archive, with or without the standard password ('infected'), in the following archive formats:

zip, 7z, xz, bzip2, gzip2, tar, wim

We also added support for uploading multiple files in a single archive. For more information on the special syntax required, please get in touch with us using the contact form on our company webpage.

Extended Document Parsing

Of course, an analysis system could just open e.g. a Word document and simply watch what happens (network traffic, dropped files or new processes being created). This approach, however, only yields results if a potentially embedded exploit actually triggers, so we added parsers that extract VBA macros from Office documents and embedded JavaScript from PDF files and pipe the extracted data into our signature interface. This comes in handy especially when the document exploit doesn't trigger, because the shellcode or macro itself often contains valuable indicators already, even if it is obfuscated.
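To make the static parsing step concrete, here is an added Python example (not code from the Hybrid Analysis service or the VxStream Sandbox) that extracts JavaScript from a PDF, whether it is stored as a literal string, a hex string or an indirect reference to a FlateDecode-compressed stream, and then runs a few static indicator checks of the kind a signature interface would apply to the extracted data. The PDF bytes, the script snippets and the indicator names are all constructed for the example.

```python
import re
import zlib

# Constructed sample scripts (not real malware); each is embedded a different way below.
INLINE_JS = b"app.alert('hello'); var s = unescape('%u9090%u9090');"
HEX_JS = b"app.alert(1);"
STREAM_JS = b"var a = 'ev' + 'al'; this[a]('x');"


def build_sample_pdf():
    """Build a minimal PDF-like byte string with /JS given as a literal string,
    a hex string and an indirect reference to a FlateDecode stream (constructed)."""
    compressed = zlib.compress(STREAM_JS)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        b"2 0 obj << /S /JavaScript /JS (" + INLINE_JS + b") >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS <" + HEX_JS.hex().encode() + b"> >> endobj\n"
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << /Length " + str(len(compressed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + compressed + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


def _read_literal(data, start):
    """Read a PDF literal string starting at data[start] == b'(': parentheses nest,
    a backslash escapes the next byte (simplified: no \\n or octal escapes)."""
    out, depth, i = bytearray(), 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    return bytes(out), i  # unterminated string: return what we have


def _object_stream(data, num):
    """Return the (decompressed) stream body of `num 0 obj`, or None."""
    m = re.search(rb"(?<!\d)%d 0 obj(.*?)endobj" % num, data, re.S)
    if not m:
        return None
    body = m.group(1)
    sm = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.S)
    if not sm:
        return None
    raw = sm.group(1)
    if b"/FlateDecode" in body:
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            return None  # corrupt or unsupported stream: leave it to the dynamic run
    return raw


def extract_pdf_javascript(data):
    """Collect every /JS value: literal string, hex string or indirect stream reference."""
    scripts = []
    for m in re.finditer(rb"/JS\s*", data):
        pos = m.end()
        nxt = data[pos:pos + 1]
        if nxt == b"(":
            js, _ = _read_literal(data, pos)
        elif nxt == b"<":
            end = data.index(b">", pos)
            js = bytes.fromhex(data[pos + 1:end].decode("ascii", "ignore").replace(" ", ""))
        else:
            ref = re.match(rb"(\d+)\s+0\s+R", data[pos:])
            js = _object_stream(data, int(ref.group(1))) if ref else None
        if js:
            scripts.append(js)
    return scripts


# Static indicators of the kind a signature interface raises on extracted script
# (constructed rule names; the patterns are illustrative, not a production rule set).
JS_INDICATORS = {
    "unescape_shellcode": re.compile(rb"unescape\s*\(\s*['\"]%u", re.I),
    "string_built_eval": re.compile(rb"['\"]ev['\"]\s*\+\s*['\"]al['\"]", re.I),
    "heap_spray_loop": re.compile(rb"while\s*\(\s*\w+\.length\s*<", re.I),
}


def scan_scripts(scripts):
    """Return the sorted names of indicators matched by any extracted script."""
    hits = set()
    for js in scripts:
        for name, pattern in JS_INDICATORS.items():
            if pattern.search(js):
                hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    found = extract_pdf_javascript(build_sample_pdf())
    for js in found:
        print("JS:", js.decode("ascii", "replace"))
    print("indicators:", scan_scripts(found))
```

The point of the split into extraction and scanning is that the indicator checks run regardless of whether the document would ever open cleanly in the sandbox: a malformed or version-specific exploit still yields the script text, and the script text is what the signatures see.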

Here is an example of VBA macro extraction:



Improved YARA integration

One of our users creates YARA signatures based on extracted process memory strings, so we extended our YARA integration to run specifically on this kind of string to demonstrate the functionality. We now also use a small set of YARA rules in place to classify RATs:




Parsing Screenshots using Optical Character Recognition (OCR)

Although this idea isn't new, we decided to add simple OCR parsing of the screenshots our analysis system takes, to demonstrate how easy it is to add a complex processing step to the existing system and achieve a result that, due to its generic character, will also apply to unknown samples in the future.


Brushed-up "Extracted Strings" Section

Another nice addition is the brushed-up extracted strings section, which now has multiple tabs listing a pre-selected subset of all strings, strings extracted from screenshot parsing, strings extracted from a dropped file or the input sample (binary scan), and strings from the various analyzed processes. With the ability to download all memory-extracted strings, we think the new "Extracted Strings" section adds more depth and overview. If you click the "Details" button, more information on the origin of the string (what type of file or event was the cause) is displayed:
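As an added illustration of what such a section is built from (example code, not the service's own implementation), the following Python extracts printable ASCII and UTF-16LE strings from several byte blobs, records the origin of each (input sample versus a named process), and selects an "interesting" subset by category, so that a details view can answer where a given string came from. The sample binary, the process memory blob and the category list are constructed for the example.

```python
import re
from collections import namedtuple

ExtractedString = namedtuple("ExtractedString", "value encoding origin offset")

# Categories a pre-selected "interesting strings" tab might use (constructed list).
CATEGORIES = [
    ("url", re.compile(r"https?://[^\s\"']+", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("registry", re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+|Software)\\", re.I)),
    ("path", re.compile(r"[A-Za-z]:\\[^\s\"']+")),
    ("user_agent", re.compile(r"^Mozilla/\d")),
]


def extract_strings(blob, origin, min_len=5):
    """Pull printable ASCII and UTF-16LE runs of at least min_len characters out of
    a byte blob, tagging each with the origin it was found in and its byte offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append(ExtractedString(m.group().decode("ascii"), "ascii", origin, m.start()))
    for m in utf16_re.finditer(blob):
        found.append(ExtractedString(m.group().decode("utf-16-le"), "utf-16le", origin, m.start()))
    return found


def classify(value):
    """Return the first matching category name for a string, or None if it is not interesting."""
    for label, pattern in CATEGORIES:
        if pattern.search(value):
            return label
    return None


def build_strings_report(sources, min_len=5):
    """sources: list of (origin_label, bytes). Returns all strings plus an
    'interesting' map of value -> {category, origins}, which is what a Details
    view needs to show where a string came from."""
    all_strings = []
    for origin, blob in sources:
        all_strings.extend(extract_strings(blob, origin, min_len))
    interesting = {}
    for s in all_strings:
        category = classify(s.value)
        if category is None:
            continue
        entry = interesting.setdefault(s.value, {"category": category, "origins": []})
        if s.origin not in entry["origins"]:
            entry["origins"].append(s.origin)
    return {"all": all_strings, "interesting": interesting}


# Constructed inputs: a fake PE-like blob and a fake process memory dump.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03" + b"\x00" * 8
    + b"C:\\Windows\\Temp\\svc.tmp" + b"\x00" * 4
    + b"\x01\x02abc\x00"  # too short: dropped by the length filter
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run" + b"\x00"
)
PROCESS_MEMORY = (
    b"\x00" * 6
    + "http://c2.example.invalid/gate.php".encode("utf-16-le") + b"\x00\x00"
    + b"C:\\Windows\\Temp\\svc.tmp\x00\x00"
    + "Mozilla/5.0 (Windows NT 6.1)".encode("utf-16-le")
)
SAMPLE_SOURCES = [("input_sample", SAMPLE_BINARY), ("process:svc.exe", PROCESS_MEMORY)]


if __name__ == "__main__":
    report = build_strings_report(SAMPLE_SOURCES)
    for value, info in report["interesting"].items():
        print(f"{info['category']:10} {value!r}  origins={info['origins']}")
```

Keeping the origin on every extracted string, rather than deduplicating early, is what makes the per-string details useful: the same temp path seen both in the input sample and in a process's memory tells you more than either sighting alone.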


Behavior Signatures

Our "daily business" is adding behavior signatures, as they trigger on a variety of different events and offer a quick overview and valuable indicators at the same time. Signatures can trigger on registry accesses, file operations, strings, created mutants, a specific API call, AV test results, instructions extracted from our disassembly "streams", and so on. We have added a lot of signatures since the service started (old report run-throughs might not include all the latest and greatest) and nearly doubled the number of signatures in place, with 180+ signatures active right now. If you come across a sample that shows behavior you believe is not reflected by a signature (i.e. you think a specific signature is missing), just let us know and we will add it if possible.
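The following added Python example (not the service's signature engine or its YARA integration) shows the shape of the two mechanisms described in this section and in the YARA section above: behavior signatures that trigger on runtime events such as registry writes, file creations, mutants, API calls and AV results, and a reduced YARA-style rule ("N of these strings") evaluated over memory-extracted strings to classify a sample. The event format, the signature names, the rule, and the sample events and strings are all constructed; a production pipeline would hand real rules to the YARA engine rather than this stand-in matcher.

```python
import re
from collections import namedtuple

# --- Behavior signatures over runtime events --------------------------------
# Events are dicts with a "type" and type-specific fields: a constructed stand-in
# for what a sandbox runtime monitor records, not the service's real event format.
Signature = namedtuple("Signature", "name severity predicate")


def _has(events, etype, **conds):
    """True if some event of type `etype` satisfies every field test in conds."""
    return any(e["type"] == etype and all(test(e.get(field)) for field, test in conds.items())
               for e in events)


RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\?", re.I)
TEMP_EXE = re.compile(r"\\Temp\\[^\\]+\.(?:exe|dll|scr)$", re.I)
DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}

SIGNATURES = [
    Signature("Writes a Run key for persistence", "malicious",
              lambda ev: _has(ev, "registry", op=lambda v: v == "write",
                              key=lambda v: bool(v and RUN_KEY.search(v)))),
    Signature("Drops an executable into the temp directory", "suspicious",
              lambda ev: _has(ev, "file", op=lambda v: v == "create",
                              path=lambda v: bool(v and TEMP_EXE.search(v)))),
    Signature("Checks for a debugger", "suspicious",
              lambda ev: _has(ev, "api", name=lambda v: v in DEBUGGER_APIS)),
    Signature("Creates a mutant", "informative",
              lambda ev: _has(ev, "mutex")),
    Signature("Flagged by at least one AV engine", "malicious",
              lambda ev: _has(ev, "av", detections=lambda v: (v or 0) >= 1)),
]


# --- YARA-style rules over memory-extracted strings -------------------------
class StringRule:
    """A YARA rule reduced to a 'strings' section plus an 'N of them' condition.
    Constructed stand-in: a production pipeline would hand real rules to YARA."""

    def __init__(self, name, strings, required):
        self.name, self.strings, self.required = name, strings, required

    def match(self, memory_strings):
        """Return the ids of the strings found if at least `required` of them are present."""
        lowered = [s.lower() for s in memory_strings]
        hits = [sid for sid, needle in self.strings.items()
                if any(needle.lower() in s for s in lowered)]
        return hits if len(hits) >= self.required else []


STRING_RULES = [
    StringRule("Generic_RAT_Capabilities",  # constructed rule name
               {"$keylog": "keylogger", "$screen": "screencapture",
                "$shell": "remoteshell", "$cam": "webcam"},
               required=2),
]

SEVERITY_RANK = {"informative": 0, "suspicious": 1, "malicious": 2}


def run_signatures(events, memory_strings):
    """Evaluate behavior signatures and string rules; derive a verdict from the worst severity."""
    matched = [(s.name, s.severity) for s in SIGNATURES if s.predicate(events)]
    yara_hits = {}
    for rule in STRING_RULES:
        hits = rule.match(memory_strings)
        if hits:
            yara_hits[rule.name] = hits
    worst = max((SEVERITY_RANK[sev] for _, sev in matched), default=0)
    verdict = {0: "no verdict", 1: "suspicious", 2: "malicious"}[worst]
    return {"signatures": matched, "yara": yara_hits, "verdict": verdict}


# Constructed sample run: events as a runtime monitor might record them.
SAMPLE_EVENTS = [
    {"type": "file", "op": "create", "path": r"C:\Users\victim\AppData\Local\Temp\updater.exe"},
    {"type": "registry", "op": "write",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\victim\AppData\Local\Temp\updater.exe"},
    {"type": "mutex", "name": r"Global\UpdaterSingleInstance"},
    {"type": "api", "name": "IsDebuggerPresent", "pid": 1234},
    {"type": "av", "detections": 0},
]
SAMPLE_MEMORY_STRINGS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    "KeyLogger started", "ScreenCapture.bmp", "GetTickCount",
]

if __name__ == "__main__":
    result = run_signatures(SAMPLE_EVENTS, SAMPLE_MEMORY_STRINGS)
    for name, severity in result["signatures"]:
        print(f"[{severity}] {name}")
    print("yara:", result["yara"], "verdict:", result["verdict"])
```

Note that the AV signature does not fire here (zero detections), yet the verdict is still "malicious" on the strength of the persistence signature alone; that is exactly why behavior signatures are worth more than the AV column for samples the engines have not seen yet.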

Summary


In this blog post we presented the major features added to the service and sandbox system over the past weeks. Of course, we also silently implemented a lot of other smaller features and visual improvements in the reports (e.g. the display on tablets/mobile phones) and improved the runtime monitor (e.g. better .NET sample loading and monitoring of system processes), but listing every tiny addition or change would be out of the scope of this blog post. Overall, we believe that our system is moving in the right direction, also based on the feedback we have been getting. We have a very ambitious roadmap for 2015 and will let you know when we reach our next milestone.

We hope you enjoyed this brief summary; please continue using our free service and keep the feedback coming.

One last advertising side note: if you are interested in purchasing the full version for an on-premise installation (the entire system is available as a standalone product) and/or want to run your own private cloud service, please get in touch using our contact form and we will get back to you with more details.