The continuous advancement and growing sophistication of cyberthreats has gradually eroded the adequacy of traditional gateway and endpoint security solutions for protecting against malware. These approaches were sufficient when malware occurred in small numbers and it was easy to differentiate between good and bad applications. Nowadays, there’s a world of unknown code — a gap between known good and known bad code that can pose a serious risk to your environment.
How do you determine whether unknown code is good or bad? You let it run in a malware analysis sandbox — a safe environment that closely resembles your real infrastructure — and observe its behavior. This allows you to learn how the malware would affect your systems and extract information about the detailed behavior of the code. In the case of malicious code, this information is called indicators of compromise (IoCs). These indicators can later be used to update your existing security solutions or detect infections that already took place.
Read the white paper: Evading the Malware Sandbox
Comparing Four Traditional Public Malware Analysis Sandboxes
In 2015, we compared four free online malware analysis sandbox solutions: VirusTotal, Anubis, VxStream and Malwr. Over the last two years, these solutions have evolved along with the threat landscape. Anubis is no longer available as a free product. That leaves three public solutions, each with its own approach:
- VirusTotal rates detection by different antivirus engines.
- VxStream reports on malware behavior, including screen shots and YARA rule matching.
- Malwr is Cuckoo with the capability to report on malware behavior, including screen shots.
Let’s take a closer look at these three solutions.
VirusTotal is a popular solution in the security community for file analysis and remains available as a free service. VirusTotal reports include the detection results of the malware by different antivirus engines and community-generated feedback to enrich the analysis details. This solution allows you to analyze both individual files and websites.
Over the last two years, the number of scanners included with VirusTotal has increased to support scanning of firmware malware. The solution is now also capable of handling Mac OS X apps in addition to Windows and Android.
VirusTotal offers both free and paid access. The paid solution allows you to:
- Submit requests at a higher rate.
- Extract more behavioral execution information.
- Retrieve additional metadata information from submission.
- Receive YARA notifications on the samples collected by VirusTotal.
VxStream by Payload Security takes a slightly different approach than VirusTotal. VxStream displays the results of the malware analysis in detail, including screen shots and extracted strings from the submitted file. Compared to VirusTotal, the analysis of VxStream is more in-depth and closer to what you would expect from a malware analysis tool you would run in your own lab. The solution also provides URL-based analysis, but only if the URL contains a file.
VxStream now also includes support for:
- Windows XP, Vista, Windows 7/8 and 10, and Android APK files;
- Additional import formats, including MIME RFC 822 (*.eml) and Outlook *.msg files;
- Additional export formats, including MAEC 4.1, OpenIOC 1.1 and STIX;
- MISP reports, both in XML and JSON; and
- Integration with VirusTotal and OPSWAT Metadefender.
The free version of VxStream allows you to download the samples and packet capture (PCAP) files. Reports include screen shots of the malware behavior. Note that the free version will not display all malicious and suspicious indicators. Similar to VirusTotal, VxStream also has a paid version with support for:
- URL analysis;
- Information on all malicious and suspicious indicators found;
- Submitting requests at a higher rate;
- Full privacy for your reports; and
Malwr is based on the Cuckoo malware analysis sandbox. In fact, the site is maintained by the core developers of Cuckoo. The benefit of the service is that you do not have to bother setting up Cuckoo yourself and can let Malwr do the heavy lifting. The solution uses the new Cuckoo Sandbox 2.0.
Malwr only allows you to analyze files — it is not possible to submit URLs. Reports from Malwr include screen shots, offering visual information on the malware behavior. Some reports also include community comments. Analyses from Malwr can be visualized at MalwareViz.
Besides the three malware sandbox solutions listed previously, what other options are available? Let’s review some of the most popular alternatives.
An oft-forgotten option is to send the malware sample to your antivirus vendor. Unfortunately, not all vendors provide detailed technical reports on the behavior of the malware. The analysis is essentially limited to checking whether an antivirus engine detects a specific sample. VirusTotal also provides this capability.
Some upload centers include:
- McAfee for submitting viruses or malware samples;
- F-Secure for submitting samples;
- Bitdefender for submitting samples or URLs;
- Trend Micro for submitting suspicious or undetected viruses for file analysis; and
- Kaspersky Virus Desk.
Most public malware sandboxes focus on Windows binaries and, in some cases, Android files. Detux, by the Indian Honeynet Project, is a Linux sandbox with support for x86, x86-64, ARM, MIPS and MIPSEL central processing unit (CPU) architectures.
Valkyrie is a file verdict system by Comodo that analyzes the entire runtime behavior of a file. The web interface is intuitive and rich with features. Unfortunately, the detection rate of submitted samples was fairly low — the solution rated the samples as “No Threat found.” Valkyrie includes a free service and a paid service with more support options.
Commercial Malware Sandboxes
A fourth alternative is using a malware sandbox that is not available for free, although commercial malware analysis solutions can be expensive. One such option is VMRay, a malware analyzer that you can use during incident response. VMRay is invisible to malware: it is embedded in the hypervisor and analyzes malware behavior from that vantage point. As a result, threats execute as they would in the wild.
This analysis provides a full function log, which allows you to understand the execution steps of the malware. You can use a web interface to log into the sandbox environment where the malware is executing, possibly simulating the behavior of a normal user.
VMRay is not available for free, but nearly everyone can get a 30-day trial for free. Some of these accounts can be extended by exception — for researchers without budget, for example — for free on an annual basis.
Be Careful What You Share
Anything that you share with a public resource is accessible to everyone — including the bad guys. Always verify that the sample you’re about to upload does not contain confidential or sensitive information. Instead of submitting the file, you can also generate the file hash and verify whether the hash is known by the sandbox. This allows you to access the analysis details, provided the file has been analyzed before, without submitting your actual sample.
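The hash-first workflow described above, as an added example that is not part of the original article: compute the sample's hashes, check them against analyses the sandbox already holds, and scan the sample's printable strings for internal identifiers before deciding whether to upload. The in-memory index standing in for a sandbox's hash-lookup service, the sample bytes and the sensitivity patterns (an internal domain, a staff e-mail domain, a classification marking) are all constructed for this example and stand in for whatever your environment considers sensitive.

```python
"""Hash-first sandbox lookup with a pre-upload sensitivity check (added example)."""
import hashlib
import re

# Constructed sample bytes: one file the "sandbox" has seen before and one
# fresh file that embeds an internal hostname, a user e-mail and a marking.
KNOWN_SAMPLE = (b"MZ\x90\x00This program cannot be run in DOS mode"
                + b"\x00" * 16 + b"http://update-check.example.net/x")
FRESH_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
                + b"\\\\fileserver01.corp.example.internal\\share\x00"
                + b"jdoe@example.com\x00"
                + b"CONFIDENTIAL - INTERNAL USE ONLY")

# Assumed patterns for what counts as sensitive in your environment.
SENSITIVE_PATTERNS = [
    re.compile(rb"[A-Za-z0-9.-]+\.corp\.example\.internal"),  # internal hostnames
    re.compile(rb"[A-Za-z0-9._%+-]+@example\.com"),           # staff e-mail addresses
    re.compile(rb"CONFIDENTIAL", re.IGNORECASE),               # classification markings
]


def build_index(samples):
    """Constructed stand-in for a public sandbox's hash-lookup index:
    maps the SHA-256 of an already-analyzed sample to its report summary."""
    return {hashlib.sha256(data).hexdigest(): report for data, report in samples}


SANDBOX_INDEX = build_index([
    (KNOWN_SAMPLE, {"verdict": "malicious", "first_seen": "2017-03-01",
                    "contacted_domains": ["update-check.example.net"]}),
])


def hash_sample(data):
    """Return the hashes most public sandboxes accept for a lookup."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data, min_len=4):
    """Runs of printable ASCII, the same view a 'strings' tool would give."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_sensitive(data, patterns=SENSITIVE_PATTERNS):
    """Collect every sensitive token found in the sample's printable strings."""
    hits = set()
    for s in extract_strings(data):
        for pattern in patterns:
            m = pattern.search(s)
            if m:
                hits.add(m.group(0).decode("ascii", "replace"))
    return sorted(hits)


def triage(data, index=SANDBOX_INDEX, patterns=SENSITIVE_PATTERNS):
    """Decide between reusing an existing report, refusing to upload, or uploading."""
    hashes = hash_sample(data)
    report = index.get(hashes["sha256"])   # hash lookup happens before any upload
    hits = find_sensitive(data, patterns)
    if report is not None:
        decision = "use-existing-report"
    elif hits:
        decision = "do-not-upload"
    else:
        decision = "upload-ok"
    return {"hashes": hashes, "report": report,
            "sensitive_hits": hits, "decision": decision}


if __name__ == "__main__":
    for name, sample in (("known", KNOWN_SAMPLE), ("fresh", FRESH_SAMPLE)):
        result = triage(sample)
        print(name, result["hashes"]["sha256"][:16], result["decision"], result["sensitive_hits"])
```

A real lookup would replace `SANDBOX_INDEX.get(...)` with the sandbox's hash-report query; the point is that the decision to upload is taken only after both the lookup and the string scan have run.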
You may also want to investigate whether the sample is targeted specifically to you. Uploading it to a public sandbox makes the attacker aware of the malware detection. This consideration also applies when you submit a sample to an antivirus vendor. If the sample is detected by an antivirus solution and included in the new signature definitions, you are basically informing the attacker that the malware has been detected.
Some commercial malware sandboxes offer on-site alternatives to cloud solutions or a combination of on-site installation with private cloud support.
Extract and Apply Useful Information
Once a sample has been fully analyzed, you should integrate the IoCs into your security protection solutions. You can extract IoCs manually from the reports or automate the process. Automation can be accomplished by connecting a threat intelligence platform with your security devices.
Automating threat intelligence allows you to defend your networks against emerging threats. Ideally, you would connect your threat intelligence platform to sharing groups, from which you can receive indicator feeds. Be aware, however, that you should verify the quality of the indicators. False positives could cost you valuable time looking for needles in haystacks.
You can include network indicators in your firewalls, domain name server (DNS) and proxy servers. Similarly, you can use the file indicators with your endpoint security solutions. Don’t merely block because of a match — always log the requests and alerts related to the indicator. New sightings can reveal new assets impacted by the malware.
Share the findings of your analysis with the community. By sharing your indicators via a threat intelligence platform, you can inform your peers of new threats. As with sharing samples with public sandboxes, be aware that this could also inform the attackers. Tag the information with a distribution label such as the Traffic Light Protocol (TLP).
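The extract-filter-apply-share cycle of the last four paragraphs, as one added example that is not part of the original article: pull network and file indicators out of a sandbox report, drop the ones most likely to be false positives (infrastructure the sandbox OS contacts on its own, addresses internal to the lab), match the rest against proxy, DNS and firewall log lines while recording every sighting, and package the indicators with a TLP label. The report shape, the allowlist, the log format and the sharing bundle are all constructed for this example and are not any vendor's or platform's format.

```python
"""Extract IoCs from a sandbox report, apply them to logs, share with a TLP label (added example)."""
import ipaddress
import re

# Constructed sandbox report in a simplified shape; hashes are placeholders.
SANDBOX_REPORT = {
    "sample": {"sha256": "3f" * 32, "verdict": "malicious"},
    "network": {
        "domains": ["update-check.example.net", "time.windows.com", "cdn.badhost.example"],
        "ips": ["203.0.113.10", "10.0.0.53", "198.51.100.77"],
    },
    "dropped_files": [{"path": "%TEMP%\\svc.exe", "sha256": "9c" * 32}],
}

# Constructed log lines in a key=value style (proxy, DNS and firewall events).
LOG_LINES = [
    "2017-06-01T10:22:13Z proxy src=10.0.0.5 host=update-check.example.net url=/gate.php",
    "2017-06-01T10:22:14Z dns src=10.0.0.5 query=time.windows.com",
    "2017-06-01T10:25:40Z proxy src=10.0.0.9 host=www.example.org url=/",
    "2017-06-01T11:02:07Z fw src=10.0.0.12 dst=198.51.100.77 dport=443",
    "2017-06-01T11:30:00Z dns src=10.0.0.9 query=cdn.badhost.example",
]

# Assumed quality filters: domains the sandbox OS contacts by itself, and
# address ranges internal to the sandbox or the lab (the sandbox's own DNS).
BENIGN_DOMAINS = {"time.windows.com", "windowsupdate.com"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

KV = re.compile(r"(\w+)=(\S+)")


def domain_in(domain, names):
    """True if domain equals, or is a subdomain of, any name in names."""
    d = domain.lower().rstrip(".")
    return any(d == n or d.endswith("." + n) for n in names)


def extract_iocs(report):
    """Collect indicators from the report, dropping likely false positives."""
    domains = {d for d in report["network"]["domains"] if not domain_in(d, BENIGN_DOMAINS)}
    ips = set()
    for ip in report["network"]["ips"]:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL_NETS):
            ips.add(ip)
    hashes = {report["sample"]["sha256"]} | {f["sha256"] for f in report["dropped_files"]}
    return {"domain": sorted(domains), "ip": sorted(ips), "sha256": sorted(hashes)}


def find_sightings(iocs, log_lines):
    """Match indicators against log lines; every hit is recorded, not merely blocked."""
    sightings = []
    for line in log_lines:
        timestamp = line.split(" ", 1)[0]
        fields = dict(KV.findall(line))
        for key in ("host", "query", "dst"):   # fields that carry a destination
            value = fields.get(key)
            if value is None:
                continue
            if value in iocs["ip"] or domain_in(value, iocs["domain"]):
                sightings.append({"time": timestamp, "src": fields.get("src"),
                                  "indicator": value})
    return sightings


def impacted_assets(sightings):
    """Internal hosts that touched an indicator: candidates for further investigation."""
    return sorted({s["src"] for s in sightings})


def share_bundle(iocs, tlp):
    """Package indicators with a Traffic Light Protocol label (constructed shape)."""
    label = tlp.upper()
    if label not in {"WHITE", "GREEN", "AMBER", "RED"}:
        raise ValueError("unknown TLP label: " + tlp)
    indicators = [{"type": t, "value": v} for t in ("domain", "ip", "sha256") for v in iocs[t]]
    return {"tlp": "TLP:" + label, "indicators": indicators}


if __name__ == "__main__":
    iocs = extract_iocs(SANDBOX_REPORT)
    seen = find_sightings(iocs, LOG_LINES)
    for s in seen:
        print("sighting", s)
    print("impacted assets:", impacted_assets(seen))
    print(share_bundle(iocs, "amber"))
```

The allowlist and internal-range filter are where indicator quality is checked before anything reaches a firewall or DNS server; the sightings list is what turns a block rule into evidence of which assets were affected.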
Putting It Into Practice
Practice makes perfect. Use the malware samples that you receive in your spam folder to train employees on the submission and analysis processes. You can also use samples coming from solutions such as VirusShare. Test the submission process with different samples, take note of how long it takes before you can use the reports and apply the indicators.
A public malware sandbox is a great replacement if you do not have your own in-house malware analysis solution — provided you understand the limitations of dealing with targeted samples that potentially contain sensitive information.
Koen Van Impe is a security analyst who worked at the Belgian national CSIRT and is now an independent security researcher.
He has a twitter feed (@cudes...