Corporate computer networks face cybersecurity threats on a daily basis. Some of these threats consist of malware that is not yet recognized and, as a consequence, is not stopped by security solutions. This malware eventually ends up on a victim’s workstation or on a corporate server, where it can cause havoc. Malware analysis sandboxes can be used to extract useful information from this type of malware to improve your protection level.
When a security incident is caused by malware, it is important to contain the incident, assess the damage it has caused and extract information on its behavior. Collecting this information allows you to find other similar infections on your network and develop updated protection rules for your existing security infrastructure.
Indicator of Compromise
This collected information can serve as an indicator of compromise (IOC). These are artifacts on a computer that indicate a high likelihood of an infection. It is intelligence that you can use and share — for example, via STIX or CybOX — to update your security devices.
What type of information will you be looking for? Ask yourself the following questions:
- What are the file hashes (MD5, SHA1, etc.)?
- How exactly does it affect the system?
- What files does it create or change?
- Are there recognizable pointers (mutexes)?
- How does it spread or propagate?
- Does it use specific IP addresses, network ports or domains?
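Turning a sandbox report into answers to these questions, as an added example that is not from the original article: it reads a constructed, simplified behavioural report, drops artifacts that show up in nearly every run, and uses the resulting domain IOCs to sweep constructed DNS resolver logs for other infected hosts. The report layout, hashes, paths and log lines are all constructed for the example and are not any named sandbox's real schema.

```python
import json
import re

# Constructed, simplified behavioural report; this layout is an assumption for the
# example, not the real schema of any sandbox named in the article.
REPORT_JSON = r"""{
  "target": {"md5": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
             "sha1": "00112233445566778899aabbccddeeff00112233"},
  "summary": {
    "mutexes": ["Global\\WinSvcUpd_7f3a", "Local\\ZonesCounterMutex"],
    "files_written": ["C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe",
                      "C:\\Users\\victim\\AppData\\Local\\Temp\\tmp1A2B.tmp"],
    "registry_written": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"]
  },
  "network": {"domains": ["cdn-update.example.org"],
              "tcp": [{"dst": "203.0.113.45", "dport": 443},
                      {"dst": "203.0.113.45", "dport": 8443}]}
}"""

# Artifacts that appear in nearly every run of a Windows guest and are not useful IOCs.
BENIGN_MUTEXES = {"Local\\ZonesCounterMutex"}
TEMP_FILE = re.compile(r"\\Temp\\tmp[0-9A-F]{4}\.tmp$", re.I)

def extract_iocs(report: dict) -> dict:
    """Answer the article's IOC questions from the report, dropping known noise."""
    s = report["summary"]
    return {
        "hashes": dict(report["target"]),
        "mutexes": sorted(set(s["mutexes"]) - BENIGN_MUTEXES),
        "files": [f for f in s["files_written"] if not TEMP_FILE.search(f)],
        "registry": list(s["registry_written"]),
        "domains": sorted(set(report["network"]["domains"])),
        "ip_ports": sorted({(c["dst"], c["dport"]) for c in report["network"]["tcp"]}),
    }

def scan_dns_log(iocs: dict, log_lines: list) -> list:
    """Return (host, domain) pairs where an internal host resolved a malware domain."""
    hits = []
    for line in log_lines:
        host, _, query = line.split()  # constructed format: "<host> resolved <domain>"
        if query in iocs["domains"]:
            hits.append((host, query))
    return hits

# Constructed resolver log lines used to sweep the network for other infections.
DNS_LOG = ["ws-0142 resolved cdn-update.example.org", "ws-0007 resolved www.example.com",
           "srv-file01 resolved cdn-update.example.org"]

if __name__ == "__main__":
    iocs = extract_iocs(json.loads(REPORT_JSON))
    print(json.dumps(iocs, indent=2), scan_dns_log(iocs, DNS_LOG))
```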
How Do You Get the Information?
How do you find the answers to these questions? If you have an infected machine, you can analyze it. Often, there’s not enough time to conduct a thorough investigation. It might even be difficult to pinpoint the exact malware that caused the issue.
If you have a sample of the malware, you can apply static analysis and extract the information that is useful to you. But this will not give you the same information as observing how the malware behaves in a controlled environment such as a sandbox.
There are three basic types of sandboxes:
- A custom-built lab with your own toolset;
- A purchased solution (preferably on-premises);
- A publicly available sandbox.
A custom-built lab or a purchased solution is not an option for everyone: it can be too complex, too time consuming or too expensive. That is where free malware analysis sandboxes can help. Their reports are meant to give you a basic initial view of what the malware does and make it easy to extract some basic IOCs.
What Do You Share?
Public sandboxes are, obviously, publicly available. You should understand that everything you share or upload to these sandboxes is accessible to everyone — including the bad guys.
There are a number of circumstances where you do not want to upload your samples to a public service. If you upload a malware sample that was specifically targeted for your environment, then you’re essentially giving away to your adversaries that you have detected their operations. Similarly, it’s not a good idea to upload samples that contain specific information about your environment, such as hard-coded passwords or configuration settings. You should also refrain from sharing samples that contain confidential user or customer data or material that is copyright-protected. Don’t forget, you’re sharing these files with the whole world.
If you run into a situation where you cannot use a public sandbox, then you should run an on-premises sandbox. Note that some antivirus solutions might automatically submit your samples to their networks without clearly notifying you. This is important to consider when you do the pre-analysis.
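A pre-analysis check of the kind described above, written as an added example that is not from the original article: it extracts printable strings from a sample and flags internal hostnames, private IP addresses and hard-coded credentials, so you can decide whether a public sandbox is acceptable before uploading. The domain suffixes and the sample bytes are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Strings that identify *your* environment; these suffixes are hypothetical.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example", ".internal.example")

_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # same idea as the `strings` tool
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SECRET = re.compile(r"(?i)\b(?:pass(?:word)?|pwd|secret|api[_-]?key)\s*[=:]\s*\S+")

@dataclass
class ScreeningResult:
    findings: list = field(default_factory=list)  # (kind, evidence) pairs

    @property
    def safe_for_public_sandbox(self) -> bool:
        return not self.findings

def extract_strings(sample: bytes) -> list:
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(sample)]

def screen_sample(sample: bytes) -> ScreeningResult:
    """Flag environment-specific content that should keep a sample off public services."""
    result = ScreeningResult()
    for s in extract_strings(sample):
        if any(suffix in s.lower() for suffix in INTERNAL_DOMAIN_SUFFIXES):
            result.findings.append(("internal-hostname", s))
        for ip in _IPV4.findall(s):
            try:
                if ipaddress.ip_address(ip).is_private:  # RFC 1918 and similar ranges
                    result.findings.append(("private-ip", ip))
            except ValueError:  # e.g. a version string such as 999.1.2.3
                pass
        if _SECRET.search(s):
            result.findings.append(("hard-coded-credential", s))
    return result

# Constructed byte blobs standing in for two samples' embedded configuration data.
TARGETED_SAMPLE = (b"MZ\x90\x00\x03" + b"c2=update.corp.example\x00"
                   + b"password=Winter2015!\x00" + b"\xff\xfe10.20.30.40:4444\x00")
GENERIC_SAMPLE = b"MZ\x90\x00\x03" + b"http://example.net/payload.bin\x00GetProcAddress\x00"

if __name__ == "__main__":
    for name, blob in (("targeted", TARGETED_SAMPLE), ("generic", GENERIC_SAMPLE)):
        r = screen_sample(blob)
        verdict = "public sandbox OK" if r.safe_for_public_sandbox else "on-premises only"
        print(name, "->", verdict, r.findings)
```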
VirusTotal is a subsidiary of Google that analyzes files and URLs. Apart from the free interface, VirusTotal also has both a private and a public API.
The results from VirusTotal include the detection results of the malware by the supported antivirus engines. Although these engines are not exactly the same as the ones used by end users, they give information that tells you if the uploaded malware is already detected. This allows you to better evaluate if you are at risk.
The online reports are not individually downloadable, but they are very detailed. They give you everything you need to know on what files the malware accessed, what it changed in the registry and how it behaved. It is not possible to download the analyzed samples or get a network capture of what happened. The online report does give you an overview of the detailed network requests.
Anubis is developed by the International Secure Systems Lab and analyzes both files and URLs. It supports Windows executable files and Android APKs.
Although the interface isn’t as slick as some of its counterparts, it gives you access to everything that you need to know. The reports can be downloaded as HTML, XML, PDF or text. You can download the network captures in pcap format, but you cannot download the samples. Anubis reports also tell you if the malware communicated with specific device paths.
The VxStream sandbox is powered by Payload Security. It only analyzes files and does not do URLs. It supports Windows executable files, Office files, PDF files and executable JAR files.
You can download the reports, the network captures and the samples. The reports indicate YARA signature matches and give you information on possible anti-VM emulation checks — a technique often used by malware to prevent analysts from running the sample in a virtualized environment. The reports and analysis interface are very appealing, with intuitive access to the necessary details.
The sandbox from Malwr is a free malware analysis service and is community-operated by volunteer security professionals. It only analyzes files and does not do URLs.
It is built on top of the Cuckoo sandbox and supports Windows executables.
You can download the samples if they are shared by the uploader. A downloadable network capture is not available, but you do get, for example, the full HTTP request in the online report. If you cannot set up your own Cuckoo sandbox, this is an excellent replacement solution.
A useful addition to Malwr is a visualization provided by MalwareViz. You first have to analyze the file with Malwr and then use the returned reference URL to feed the visualizer.
Below is a table comparing the features of the different online sandboxes. They all run different Windows flavors. The configurations are basic, but of course, these will always be different from your real production environment. This is something you’ll have to live with when using a free public sandbox.
All of the malware sandboxes provide the upload service via a secured SSL connection and give screenshots of what visually happened.
| Feature | VirusTotal | Anubis | VxStream | Malwr |
|---|---|---|---|---|
| Started processes or services | X | X | X | X |
Free online sandboxes are a great replacement if you do not have your own in-house solution. They provide good information for a basic analysis and for getting some early indicators ready to scan your infrastructure for existing infections. They also provide a quick way to further protect your infrastructure.
There are some limitations, however. Integrating the information from the online reports with your own environment still requires some manual work; having access to an API greatly improves this process. They are also not suited to analyzing targeted malware or evaluating how malware behaves in a specific environment.
Beyond these limitations, these online tools give you good initial insight on malware behavior and are an excellent addition to your toolset for protecting your infrastructure.