August 28, 2017 By Koen Van Impe 6 min read

The continuous advancement and sophistication of cyberthreats has gradually reduced the effectiveness of traditional gateway and endpoint security solutions against malware. These approaches were adequate when malware occurred in small numbers and it was easy to differentiate between good and bad applications. Nowadays there is a world of unknown code, a gray area between known good and known bad, that can pose a serious risk to your environment.

How do you determine whether unknown code is good or bad? You let it run in a malware analysis sandbox, an isolated and instrumented environment that closely resembles your real infrastructure, and observe its behavior. This shows you how the code would affect your systems and lets you extract detailed information about what it does. For malicious code, this information is expressed as indicators of compromise (IoCs): file hashes, dropped files, contacted domains and IP addresses, registry changes and the like. These indicators can later be used to update your existing security solutions or to detect infections that have already taken place.

Read the white paper: Evading the Malware Sandbox

Comparing Four Traditional Public Malware Analysis Sandboxes

In 2015, we compared four free online malware analysis sandbox solutions: VirusTotal, Anubis, VxStream and Malwr. Over the last two years, these solutions have evolved along with the threat landscape. Anubis is no longer available as a free product. That leaves three public solutions, each with its own approach:

  • VirusTotal rates detection by different antivirus engines.
  • VxStream reports on malware behavior, including screen shots and YARA rule matching.
  • Malwr runs samples in Cuckoo Sandbox and reports on malware behavior, including screen shots.

Let’s take a closer look at these three solutions.

VirusTotal

VirusTotal is a popular solution in the security community for file analysis and remains available as a free service. VirusTotal reports include the detection results of the malware by different antivirus engines and community-generated feedback to enrich the analysis details. This solution allows you to analyze both individual files and websites.

Over the last two years, the number of scanners included with VirusTotal has increased, and the service now also supports scanning firmware images for malware. It can handle Mac OS X apps in addition to Windows and Android files.

VirusTotal offers both free and paid access. The paid solution allows you to:

  • Submit requests at a higher rate.
  • Extract more behavioral execution information.
  • Retrieve additional metadata information from submission.
  • Receive YARA notifications on the samples collected by VirusTotal.

VxStream

VxStream by Payload Security takes a slightly different approach than VirusTotal. VxStream displays the results of the malware analysis in detail, including screen shots and strings extracted from the submitted file. Compared to VirusTotal, the analysis of VxStream is more in-depth and closer to what you would expect from a malware analysis tool you would run in your own lab. The free service also accepts URL submissions, but only if the URL points to a file to be downloaded and analyzed.

VxStream now also includes support for:

  • Windows XP, Vista, Windows 7/8 and 10, and Android APK files;
  • Additional import formats, including MIME RFC 822 (*.eml) and Outlook *.msg files;
  • Additional export formats, including MAEC 4.1, OpenIOC 1.1 and STIX;
  • MISP reports, both in XML and JSON; and
  • Integration with VirusTotal and OPSWAT Metadefender.

The free version of VxStream allows you to download the samples and packet capture (PCAP) files. Reports include screen shots of the malware behavior. Note that the free version will not display all malicious and suspicious indicators. Similar to VirusTotal, VxStream also has a paid version with support for:

  • URL analysis;
  • Information on all malicious and suspicious indicators found;
  • Submitting requests at a higher rate;
  • Full privacy for your reports; and
  • ARA.

Malwr

Malwr is based on Cuckoo Sandbox analysis. In fact, the site is maintained by the core developers of Cuckoo. The benefit of the service is that you do not have to set up and maintain Cuckoo yourself and can let Malwr do the heavy lifting. The service uses the new Cuckoo Sandbox 2.0.

Malwr only allows you to analyze files — it is not possible to submit URLs. Reports from Malwr include screen shots, offering visual information on the malware behavior. Some reports also include community comments. Analyses from Malwr can be visualized at MalwareViz.


Popular Alternatives

Besides the three malware sandbox solutions listed previously, what other options are available? Let’s review some of the most popular alternatives.

Antivirus Vendors

An oft-forgotten option is to send the malware sample to your antivirus vendor. Unfortunately, not all vendors provide detailed technical reports on the behavior of the malware. The analysis is essentially limited to checking whether an antivirus engine detects a specific sample. VirusTotal also provides this capability.

Some upload centers include:

  • McAfee for submitting viruses or malware samples;
  • F-Secure for submitting samples;
  • Bitdefender for submitting samples or URLs;
  • Trend Micro for submitting suspicious or undetected viruses for file analysis; and
  • Kaspersky Virus Desk.

Linux Malware

Most public malware sandboxes focus on Windows binaries and, in some cases, Android files. Detux, by the Indian Honeynet Project, is a Linux sandbox with support for x86, x86-64, ARM, MIPS and MIPSEL central processing unit (CPU) architectures.

Valkyrie

Valkyrie is a file verdict system by Comodo that analyzes the entire runtime behavior of a file. The web interface is intuitive and rich with features. Unfortunately, the detection rate of submitted samples was fairly low — the solution rated the samples as “No Threat found.” Valkyrie includes a free service and a paid service with more support options.

Commercial Malware Sandboxes

A fourth alternative is a commercial malware sandbox, although these solutions are sometimes expensive. One option is VMRay, a malware analyzer that you can use during incident response. VMRay is designed to be invisible to the malware: the analysis engine is embedded in the hypervisor and observes behavior from that vantage point rather than through agents or hooks inside the guest, so there is little for the sample to detect. As a result, threats execute as they would in the wild.

This analysis provides a full function log, which allows you to understand the execution steps of the malware. You can use a web interface to log into the sandbox environment where the malware is executing, possibly simulating the behavior of a normal user.

VMRay is not available for free, but nearly everyone can get a 30-day trial for free. Some of these accounts can be extended by exception — for researchers without budget, for example — for free on an annual basis.

Be Careful What You Share

Anything that you share with a public resource is accessible to everyone, including the bad guys. Always verify that the sample you're about to upload does not contain confidential or sensitive information; a weaponized document, for example, may carry internal names, e-mail addresses or business data alongside its payload. Instead of submitting the file, you can also generate the file hash and check whether the hash is already known to the sandbox. This gives you access to the analysis details, provided the file has been analyzed before, without ever submitting your actual sample.
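The hash-first workflow described above, as an added example that is not part of the original article: compute the sample's hashes, ask whether a report already exists, and only consider uploading a sample that is both unknown and free of your own internal data. The three sample byte strings, the sensitive-string markers and the offline "known reports" index are constructed for the example; the VirusTotal call uses the public v2 file/report endpoint but is not invoked offline.

```python
"""Added example: hash a candidate sample and decide whether it may be uploaded."""
import hashlib
import json
import urllib.parse
import urllib.request

# Constructed stand-ins for three candidate attachments (none is real malware).
ALREADY_SEEN = b"MZ\x90\x00constructed sample that the sandbox has analyzed before"
CONTAINS_INTERNAL = b"MZ\x90\x00constructed sample embedding ACME internal memo"
NEVER_SEEN = b"MZ\x90\x00constructed sample nobody has uploaded yet"

# Strings that mark a file as carrying your own data. Assumption: you maintain
# such a list for your organization; these values are invented for the example.
SENSITIVE_MARKERS = [b"ACME internal", b"acme-corp.example"]


def hash_sample(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the sample. Public sandboxes key their reports
    on one or more of these, so any of them serves as a lookup key."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def contains_sensitive_data(data: bytes, markers=SENSITIVE_MARKERS) -> bool:
    """True if a marker appears as raw bytes or as UTF-16LE, the encoding in
    which Office documents and PE resources commonly store text."""
    for marker in markers:
        if marker in data or marker.decode("ascii").encode("utf-16-le") in data:
            return True
    return False


def virustotal_lookup(sha256: str, api_key: str):
    """Ask VirusTotal whether a report exists for this hash without uploading
    the file (v2 file/report endpoint). Returns the report dict or None.
    Network call; not used by the offline walk-through below."""
    query = urllib.parse.urlencode({"apikey": api_key, "resource": sha256})
    url = "https://www.virustotal.com/vtapi/v2/file/report?" + query
    with urllib.request.urlopen(url) as resp:
        report = json.load(resp)
    return report if report.get("response_code") == 1 else None


# Offline stand-in for the sandbox's index of already-analyzed samples.
KNOWN_REPORTS = {
    hash_sample(ALREADY_SEEN)["sha256"]: {"verdict": "malicious", "source": "constructed"},
}


def offline_lookup(sha256: str):
    return KNOWN_REPORTS.get(sha256)


def triage(data: bytes, lookup=offline_lookup) -> dict:
    """Decide whether a sample may go to a public sandbox.

    Order matters: the hash lookup leaks nothing but the hash, so it runs first.
    Only a sample that is unknown AND free of internal data is cleared for upload;
    anything else stays in-house."""
    hashes = hash_sample(data)
    report = lookup(hashes["sha256"])
    if report is not None:
        return {"action": "use_existing_report", "hashes": hashes, "report": report}
    if contains_sensitive_data(data):
        return {"action": "analyze_in_house", "hashes": hashes, "report": None}
    return {"action": "upload", "hashes": hashes, "report": None}


if __name__ == "__main__":
    for sample in (ALREADY_SEEN, CONTAINS_INTERNAL, NEVER_SEEN):
        result = triage(sample)
        print(result["action"], result["hashes"]["sha256"])
```

To use the real lookup, pass `lambda h: virustotal_lookup(h, api_key)` as the `lookup` argument; the decision logic stays the same, and only the hash ever leaves your network.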

You may also want to investigate whether the sample is targeted specifically at you. Uploading such a sample to a public sandbox makes the attacker aware that the malware has been noticed. The same consideration applies when you submit a sample to an antivirus vendor: if the sample is detected by an antivirus solution and included in the next signature definitions, you are effectively informing the attacker that the malware has been found.

Some commercial malware sandboxes offer on-site alternatives to cloud solutions or a combination of on-site installation with private cloud support.

Extract and Apply Useful Information

Once a sample has been fully analyzed, you should integrate the IoCs into your security protection solutions. You can extract IoCs manually from the reports or automate the process. Automation can be accomplished by connecting a threat intelligence platform with your security devices.

Automating threat intelligence allows you to defend your networks against emerging threats. Ideally, you would connect your threat intelligence platform to sharing groups from which you can receive indicator feeds. Be aware, however, that you should verify the quality of the indicators before acting on them. False positives, such as the sandbox's own lab infrastructure or a legitimate update server that the sample happened to contact, cost you valuable time looking for needles in haystacks.

You can apply network indicators in your firewalls, domain name system (DNS) resolvers and proxy servers. Similarly, you can use the file indicators with your endpoint security solutions. Don't merely block on a match: always log the requests and alerts related to the indicator. New sightings can reveal additional assets impacted by the malware.
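The extraction-and-apply steps of the last three paragraphs, as an added example that is not part of the original article: pull network and file indicators out of a sandbox report, drop the ones that are noise (the quality check the text asks for), render the domains as a BIND response policy zone for your DNS resolvers, and search proxy logs for sightings so that every match is recorded rather than silently blocked. The report structure, allowlist and Squid access-log lines are all constructed for the example; the report's field names are this example's assumption, not the schema of any of the sandboxes discussed above.

```python
"""Added example: extract IoCs from a sandbox report and apply them to DNS and proxy logs."""
import ipaddress
import re
import urllib.parse

# Constructed, simplified sandbox report (field names are this example's own).
REPORT = {
    "target": {"sha256": "3f" * 32, "name": "invoice_2017.doc"},
    "network": {
        "domains": ["update-check.example", "cdn.windowsupdate.com"],
        "hosts": ["203.0.113.45", "10.0.0.2"],
        "http": [{"host": "update-check.example", "uri": "/gate.php"}],
    },
    "dropped": [{"sha256": "a1" * 32, "name": "svchost_.exe"}],
}

# Indicators that are noise rather than evidence: a legitimate update CDN the
# sample touched, and the sandbox's own RFC 1918 lab network (constructed list).
ALLOWLIST_DOMAINS = {"cdn.windowsupdate.com"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_iocs(report: dict) -> dict:
    """Collect domains, IPs, URLs and SHA-256 hashes, discarding allowlisted noise."""
    net = report["network"]
    domains = {d for d in net["domains"] if d not in ALLOWLIST_DOMAINS}
    ips = {ip for ip in net["hosts"]
           if not any(ipaddress.ip_address(ip) in p for p in PRIVATE_NETS)}
    urls = {f"http://{h['host']}{h['uri']}" for h in net.get("http", [])
            if h["host"] not in ALLOWLIST_DOMAINS}
    hashes = {report["target"]["sha256"]} | {d["sha256"] for d in report.get("dropped", [])}
    return {"domains": domains, "ips": ips, "urls": urls, "sha256": hashes}


def rpz_zone(iocs: dict, zone: str = "block.rpz.local") -> str:
    """Render domain indicators as a BIND Response Policy Zone. 'CNAME .' makes the
    resolver answer NXDOMAIN; the resolver still logs the query, which is the sighting."""
    lines = [
        f"$ORIGIN {zone}.",
        "@ 3600 IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 3600",
        "@ 3600 IN NS localhost.",
    ]
    lines += [f"{d} IN CNAME ." for d in sorted(iocs["domains"])]
    return "\n".join(lines)


# Constructed Squid access.log lines in the native format:
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
PROXY_LOG = """\
1503906001.123    456 192.168.1.20 TCP_MISS/200 1520 GET http://update-check.example/gate.php - HIER_DIRECT/203.0.113.45 text/html
1503906002.456     12 192.168.1.21 TCP_MISS/200 9821 GET http://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html
1503906003.789    301 192.168.1.22 TCP_MISS/404 310 GET http://cdn.windowsupdate.com/x - HIER_DIRECT/198.51.100.7 text/html
"""

SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
    r"\s+\S+\s+[^/\s]+/(?P<peer>\S+)"
)


def find_sightings(log_text: str, iocs: dict) -> list:
    """Match every proxy log line against the indicators. Each hit names an internal
    client that needs follow-up, which is why matches are logged, not just blocked."""
    sightings = []
    for line in log_text.splitlines():
        m = SQUID_LINE.match(line)
        if not m:
            continue
        host = urllib.parse.urlsplit(m["url"]).hostname
        matched = []
        if host in iocs["domains"]:
            matched.append(("domain", host))
        if m["url"] in iocs["urls"]:
            matched.append(("url", m["url"]))
        if m["peer"] in iocs["ips"]:
            matched.append(("ip", m["peer"]))
        if matched:
            sightings.append({"ts": float(m["ts"]), "client": m["client"], "matched": matched})
    return sightings


if __name__ == "__main__":
    iocs = extract_iocs(REPORT)
    print(rpz_zone(iocs))
    for s in find_sightings(PROXY_LOG, iocs):
        print(s)
```

The third log line is deliberately a miss: the domain was contacted by the sample but sits on the allowlist, so it never becomes an indicator and never fires; the first line fires on the domain, the URL and the server IP at once, giving you three independent sightings of the same client.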

Share the findings of your analysis with the community. By sharing your indicators via a threat intelligence platform, you can inform your peers of new threats. As with sharing samples with public sandboxes, be aware that this could also inform the attackers. Tag the information with a distribution label such as the Traffic Light Protocol (TLP) so that recipients know how far it may be passed on.

Putting It Into Practice

Practice makes perfect. Use the malware samples that you receive in your spam folder to train employees on the submission and analysis processes. You can also use samples coming from solutions such as VirusShare. Test the submission process with different samples, take note of how long it takes before you can use the reports and apply the indicators.

A public malware sandbox is a great replacement if you do not have your own in-house malware analysis solution — provided you understand the limitations of dealing with targeted samples that potentially contain sensitive information.

