Tuesday, April 14, 2015

Improved webservice statistics and a new feature called 'Behavior Chronology'

Actually, we had meant to use this blogpost to write about specific malware samples and forensic investigation techniques applied to such specific samples, but our latest development tasks are taking up all the time of the team right now. Since we don't want our users to miss out on any of the latest additions, we are going to briefly outline some new features in yet another update blogpost.

Webservice Statistics


We made a complete 'rehaul' of the webservice statistics page. It is something we had been planning to do, because there are some really neat things possible using the report data - and now that we have more than 8000 reports in our database - we thought the time was ripe. Over time, we will surely add more and different output, so this is really just an introduction. The new webservice statistics include information on:
  • Potentially Interesting Samples (Original AV% < 10 with Threat Score >= 80)
  • A nice area spline that shows the reports generated over the past 100 days
  • The top 20 file types processed on the webservice
  • The top 20 file packers detected on the webservice
  • The top 20 virus families detected on the webservice
  • A new 'AV Detection Distribution' that shows how many AVs trigger on a given sample (e.g. only 2% of the time more than 90% agree a file is malicious)
  • A top/bottom statistic of matched signatures (with a search link if you hover the pie)
  • Some additional facts (like the % of users sharing samples with the community)


What we really like the most is the 'Potentially Interesting Samples' section, because it is a really fast way to dive into reports that might contain something new (and these reports usually underline the strengths of a sandbox system). Why? Because if the AV detection is 'low' (it is usually the same few candidates that perform well) and the 'Threat Ratio' (which is calculated by our sandbox system and mainly based on the behavior signatures and a predefined relevance) is high, the input sample is probably a new variant or is implementing some interesting tricks to avoid AV detection.
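To make the statistics above concrete, here is an added example (not code from Payload Security or the webservice itself) that applies the 'Potentially Interesting Samples' criterion, builds the 'AV Detection Distribution' and computes the community sharing rate over a handful of constructed report records. The field names (`av_percent`, `threat_score`, `shared`) and the sample values are assumptions for illustration, not the report format of the actual webservice.

```python
"""Webservice-style statistics over constructed sandbox report records.

Added example: the record layout and the values below are made up for
illustration; they are not the webservice's own report format or data.
"""
from collections import Counter

# Constructed sample data (not real reports). av_percent is the share of AV
# engines that flagged the file, threat_score the sandbox's behavior-based
# score, shared whether the uploader shared the sample with the community.
REPORTS = [
    {"id": "sample-01", "av_percent": 2.0,  "threat_score": 90,  "shared": True},
    {"id": "sample-02", "av_percent": 95.0, "threat_score": 100, "shared": True},
    {"id": "sample-03", "av_percent": 8.0,  "threat_score": 80,  "shared": False},
    {"id": "sample-04", "av_percent": 10.0, "threat_score": 85,  "shared": True},
    {"id": "sample-05", "av_percent": 0.0,  "threat_score": 40,  "shared": True},
    {"id": "sample-06", "av_percent": 55.0, "threat_score": 70,  "shared": False},
    {"id": "sample-07", "av_percent": 92.0, "threat_score": 95,  "shared": True},
    {"id": "sample-08", "av_percent": 5.0,  "threat_score": 79,  "shared": True},
]


def potentially_interesting(reports, max_av_percent=10.0, min_threat_score=80):
    """Reports with low AV detection but a high sandbox threat score.

    Mirrors the page's criterion: Original AV% < 10 and Threat Score >= 80.
    Low AV agreement plus high behavioral score is the combination that
    points at new variants or samples actively evading signature-based AV.
    """
    return [r for r in reports
            if r["av_percent"] < max_av_percent
            and r["threat_score"] >= min_threat_score]


def av_detection_distribution(reports, bucket_width=10):
    """Share of reports (in percent) per AV-agreement bucket.

    Bucket keys are the lower bound of each bucket (0, 10, ..., 90); a file
    flagged by 100% of engines is counted in the last bucket.
    """
    counts = Counter()
    for r in reports:
        lower = int(r["av_percent"] // bucket_width) * bucket_width
        counts[min(lower, 100 - bucket_width)] += 1
    total = len(reports) or 1  # avoid division by zero on an empty input
    return {lower: round(100.0 * counts[lower] / total, 1)
            for lower in range(0, 100, bucket_width)}


def agreement_above(reports, threshold_percent):
    """Percent of reports where more than threshold_percent of AVs agree."""
    if not reports:
        return 0.0
    hits = sum(1 for r in reports if r["av_percent"] > threshold_percent)
    return round(100.0 * hits / len(reports), 1)


def community_share_rate(reports):
    """Percent of uploaded samples that were shared with the community."""
    if not reports:
        return 0.0
    shared = sum(1 for r in reports if r["shared"])
    return round(100.0 * shared / len(reports), 1)


if __name__ == "__main__":
    for r in potentially_interesting(REPORTS):
        print("interesting:", r["id"], r["av_percent"], r["threat_score"])
    print("distribution:", av_detection_distribution(REPORTS))
    print("more than 90% agree:", agreement_above(REPORTS, 90), "%")
    print("shared with community:", community_share_rate(REPORTS), "%")
```

Note that the threshold comparison is strict on the AV side (`< 10`) and inclusive on the threat score (`>= 80`), exactly as the criterion is stated; sample-04 at exactly 10% therefore does not qualify, while sample-03 at a score of exactly 80 does.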

A nice 'fun fact' is that nearly 80% of all uploaded samples are also shared with the community. We think that is really a great positive signal and shows the character of the IT-Security community (at least of our users).

Behavior Chronology

This feature is really new and was actually added to all newly generated reports this morning. Basically, it's a new diagram that puts behavior signatures which are based on some kind of 'time-related event' (like an API call, a registry access or a file event) in chronological order, specifically by the first time the associated signature triggered. This is not per-process, but a very global view on what is happening on the underlying system. The following diagram shows an example:



Hovering over some of the bubbles (by the way: their size is based on the relevance of the associated signature), we can quickly get a brief impression of what the file is doing. At the beginning, it queries the machine version, the Windows account name, etc., then it starts sleeping for a long time and eventually prepares some internet-related things (modifying the proxy settings) and persists itself. Here is a link to the report associated with the diagram above. This global perspective (as it's not per-process) on specific behavior 'events' (especially with our growing signature database) should give some unique and added insights into the 'what happens when' part of an investigation. Also, some meta-signatures that could trigger when detecting specific event sequences could be added in a future version. Either way, in our opinion the feature shows that automated malware analysis and digital forensics is an 'open end' topic and there are so many things still waiting to be implemented.
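The construction of the chronology described above, as an added example that is not part of the original post or the sandbox's own code: it takes constructed signature hits (time offset, process id, signature name, relevance), keeps the first trigger time of each signature regardless of which process produced it, sorts them, renders a text 'bubble' whose width follows the relevance, and, going a step beyond the post, sketches the meta-signature idea as a check for an ordered sequence of signatures in the chronology. The `SignatureHit` fields, the 1-10 relevance scale and the signature names are assumptions for this illustration.

```python
"""Behavior chronology over constructed signature hits.

Added example: the hit records and the relevance scale are assumptions;
this is not the sandbox's report format or its chronology code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureHit:
    time_ms: int     # offset from analysis start (assumed unit)
    pid: int         # process in which the signature triggered
    signature: str   # behavior signature name
    relevance: int   # assumed 1-10 scale, drives the bubble size


# Constructed hits that follow the story in the post: reconnaissance,
# a long sleep, proxy modification and persistence. The second process
# re-triggers two signatures; the chronology keeps only the first trigger.
HITS = [
    SignatureHit(120,  1001, "Queries the machine version", 3),
    SignatureHit(150,  1001, "Reads the Windows account name", 3),
    SignatureHit(400,  1001, "Delays execution (sleep)", 5),
    SignatureHit(9000, 1001, "Modifies proxy settings", 8),
    SignatureHit(9400, 2044, "Queries the machine version", 3),
    SignatureHit(9800, 2044, "Installs a persistence mechanism", 9),
    SignatureHit(9900, 2044, "Modifies proxy settings", 8),
]


def build_chronology(hits):
    """Global (not per-process) chronology: one entry per signature,
    ordered by the first time that signature triggered anywhere."""
    first = {}
    for hit in sorted(hits, key=lambda h: h.time_ms):
        first.setdefault(hit.signature, hit)  # keep the earliest hit only
    return [
        {"time_ms": h.time_ms, "signature": h.signature,
         "relevance": h.relevance, "first_pid": h.pid}
        for h in sorted(first.values(), key=lambda h: h.time_ms)
    ]


def render(chronology, max_width=20):
    """Text rendering: bubble width is proportional to relevance."""
    lines = []
    for entry in chronology:
        width = max(1, round(entry["relevance"] * max_width / 10))
        bubble = "o" * width
        lines.append(f"{entry['time_ms']:>6} ms  {bubble:<{max_width}}  "
                     f"{entry['signature']}")
    return "\n".join(lines)


def contains_sequence(chronology, pattern):
    """Meta-signature sketch: True if the signatures in `pattern` appear in
    the chronology in that order (other signatures may sit in between)."""
    remaining = iter(entry["signature"] for entry in chronology)
    # `in` on an iterator consumes it, so each match must come after the last
    return all(wanted in remaining for wanted in pattern)


if __name__ == "__main__":
    chron = build_chronology(HITS)
    print(render(chron))
    print("sleep then persistence:",
          contains_sequence(chron, ["Delays execution (sleep)",
                                    "Installs a persistence mechanism"]))
```

Because the chronology is keyed on the signature name rather than on the process, a signature that fires again in a child process does not produce a second bubble; that is the global view the post describes, and it is also why the diagram alone cannot tell you which process did what.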

If you have any questions or would like to make feature suggestions, feel free to use our contact form and we will get back to you shortly.