Friday, August 1, 2014

Preview On VxStream Sandbox Automated Malware Analysis System

Last month we published an article, "Hybrid Analysis - NextGen Technology for Advanced Malware Payload Detection", that outlined our StaticStream core engine and also appeared in the July edition of the Hakin9.org magazine. It discussed some aspects of automated malware analysis systems, specifically that "NextGen" automated systems will require a combination of dynamic and static analysis techniques, because VM detection on the malware side is growing stronger and the preset sandbox environment does not always meet the conditions needed to trigger the interesting payload. In other words, it is important to detect and analyze the code sequences that were not executed at runtime. We understand this requirement, and since we had already been building in-house tools to extract run-time data from malware, we decided to take things one step further and automate the process, creating a fully automated malware analysis system that we call VxStream Sandbox. The name is borrowed, to a degree, from the "streaming architecture" of StaticStream, which is a core and integral part of the overall system. In this blog post, we outline some of the features of the new system and give a brief overview.

Description
In-depth analysis of 32-bit executables on all compatible Windows Operating Systems
High-speed algorithms that allow in-depth analysis within minutes
Flexible hooking system to monitor run-time behavior
Intelligent process monitoring that follows malware injecting into system/user processes
Implements common anti-VM detection countermeasures (e.g. undetectable by Paranoid Fish (pafish))
Hybrid Analysis integrated (combination of static and dynamic analysis)
Dormant code detection based on executed function calls
Injected memory logging for in-depth analysis (shellcode detection)
API calls with parameter values/names, register values and call stack
Full Registry access, Process Handles, Mutants, etc. monitoring
Memory snapshots to detect unpacked code during runtime
Open and configurable behavior signatures, add your own signatures
Third-party integration of e.g. YARA signatures possible
Extensive pure static analysis on sample (imphash, ssdeep, etc.)
Unique screenshot detection
Dropped/created file detection for multi-stage analysis
Network traffic filters and extraction of key data (HTTP request/contacted hosts)
Extensive XML and JSON reports for post-processing
Optional (automatic) persistence of reports into supported databases
Wide range of configuration options and logging features

As we can see, the list of features is already quite extensive, but there is always room for improvement. Since we are convinced of (and have already seen) the real-world practicability of our software system, we are going to invest more resources into taking it to the next level.

The following diagram outlines the overall system quite well (from a bird's-eye view):

[Diagram: bird's-eye view of the VxStream Sandbox system; image not available in this copy]
As the diagram shows, the data flow is quite straightforward: an input sample is processed (in parallel where possible) into an in-depth report that is machine parsable. Of course, the behavior signatures that are applied to the extracted run-time and static analysis data are configurable, grow continually by the nature of malware forensics, and can be shared among users.
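The hybrid idea behind the dormant code detection and the configurable behavior signatures mentioned above, as an added illustration rather than code from the VxStream system: correlate the functions a static pass found in the sample with the return addresses recorded in a run-time API trace, report the functions the trace never entered together with the API references they contain, and run a simple signature over that dormant set. The log format, function names, address ranges and signature indicators are all constructed for this example and are not VxStream's.

```python
"""Hybrid-analysis sketch: correlate a static view of a sample's functions with a
run-time API trace to surface dormant (never executed) code and apply a
behavior signature to it.  All data below is constructed for illustration; the
log format and function names are hypothetical, not VxStream's."""
import re
from collections import defaultdict

# Constructed static view: function start address, end address and the API
# references a static pass found inside each function (e.g. via import xrefs).
STATIC_FUNCTIONS = {
    "sub_401000": (0x401000, 0x4010FF, ["GetModuleHandleA", "GetProcAddress"]),
    "sub_401100": (0x401100, 0x4011FF, ["IsDebuggerPresent", "ExitProcess"]),
    "sub_401200": (0x401200, 0x4012FF, ["InternetOpenA", "InternetConnectA", "HttpSendRequestA"]),
    "sub_401300": (0x401300, 0x4013FF, ["CreateFileA", "WriteFile", "CloseHandle"]),
    "sub_401400": (0x401400, 0x4014FF, ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"]),
}

# Constructed run-time trace, one API call per line, as a hooking engine might
# log it: process id, thread id, API name and the return address of the caller.
# Here the sample noticed the debugger check and exited before reaching its payload.
RUNTIME_LOG = """\
pid=1337 tid=4 api=GetModuleHandleA ret=0x401023
pid=1337 tid=4 api=GetProcAddress ret=0x401041
pid=1337 tid=4 api=IsDebuggerPresent ret=0x40110A
pid=1337 tid=4 api=ExitProcess ret=0x401130
"""

LOG_LINE = re.compile(r"pid=(\d+) tid=(\d+) api=(\w+) ret=0x([0-9A-Fa-f]+)")

# A minimal behavior signature over dormant code: API names that, if they sit in
# code the sandbox never reached, indicate a payload that did not trigger.
SIGNATURES = {
    "dormant network payload": {"InternetOpenA", "InternetConnectA", "HttpSendRequestA", "connect", "send"},
    "dormant process injection": {"WriteProcessMemory", "CreateRemoteThread"},
}


def parse_trace(log):
    """Yield (api, return_address) tuples from the constructed log lines."""
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.group(3), int(m.group(4), 16)


def function_for_address(addr, functions=STATIC_FUNCTIONS):
    """Map a code address to the static function whose range contains it."""
    for name, (start, end, _apis) in functions.items():
        if start <= addr <= end:
            return name
    return None


def dormant_functions(log, functions=STATIC_FUNCTIONS):
    """Return the functions the static pass knows about but the trace never
    entered, together with the API references each of them contains."""
    executed = set()
    for _api, ret in parse_trace(log):
        fn = function_for_address(ret, functions)
        if fn:
            executed.add(fn)
    return {name: apis for name, (_s, _e, apis) in functions.items() if name not in executed}


def match_signatures(dormant, signatures=SIGNATURES):
    """Apply the dormant-code signatures; returns {signature: [functions]}."""
    hits = defaultdict(list)
    for fn, apis in dormant.items():
        for sig, indicators in signatures.items():
            if indicators & set(apis):
                hits[sig].append(fn)
    return dict(hits)


def coverage(log, functions=STATIC_FUNCTIONS):
    """Fraction of statically known functions that the trace actually executed."""
    return 1 - len(dormant_functions(log, functions)) / len(functions)


if __name__ == "__main__":
    dormant = dormant_functions(RUNTIME_LOG)
    print(f"code coverage: {coverage(RUNTIME_LOG):.0%}")
    for fn, apis in dormant.items():
        print(f"dormant {fn}: {', '.join(apis)}")
    for sig, fns in match_signatures(dormant).items():
        print(f"signature hit: {sig} in {', '.join(fns)}")
```

With the constructed trace the sample executes only its loader and anti-debugging functions, so three of five functions are dormant and the network and injection signatures fire on code a pure dynamic run would never have reported. A real engine would derive the static view from disassembly and import cross-references and would resolve return addresses through the module map of every monitored process, but the correlation step is the same.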