Automated Malware Analysis in the Cloud: An Introduction
Cybercriminals execute malware attacks using different attack vectors and using different methods. The number of malware strains is increasing in an unprecedented manner and hence malware analysis today is not an easy job. In the present context, automated malware analysis is a necessity. Let’s discuss today the different aspects of automated malware analysis in the cloud.
Though there are millions of malware samples being distributed around the world today, only a few are new ones. Majority of the malware that we find are simple derivations of existing known malware. New malware samples could prove too complex for analysis using cloud automated malware services. By detecting a sandbox, debugger or a virtual environment, any new, complex malware could detect automated malware analysis environment and then could execute wild programs.
Well, let’s come back to automated malware analysis in the cloud. There are many automated malware analysis services available on the internet, some of which are free. There are malware analysis tools provided by Comodo, Malwr, Anubis, Hybrid Analysis, Threat Expert, Threat Track etc. A notable thing is that despite such services automating malware analysis to a great extent, the analyst needs to have a deep understanding regarding what he is doing and what he is looking for. This would help him understand the output that’s provided by the malware analysis service.
Let’s now discuss the analysis process.
We should begin by attempting to determine if the binary sample is malicious. This can be done by using VirusTotal. To be noted is the fact that if the binary sample is quite new, there are chances that it might not get detected as malicious even if it is malicious, especially if antivirus companies haven’t updated their signatures yet. Well, if the sample is detected as malicious, we’ll get a list of the antivirus solutions that have detected it as malicious, plus the name of the malware and details regarding the time when the signature was updated last. We should next try to get more information about the analyzed malicious file, especially as too what it does.
Cloud automated malware analysis solutions can help gain information about the binary sample that has been detected as malicious. An analysis of the malware on the tool could yield a detailed report (mostly in HTML, PDF, XML etc); this report might have lots of details including details about the DLLs used by the malware sample, summary of files and directories accessed by the binary sample, list of all strings in a binary, details regarding whether it connects back to the C&C server to fetch and execute commands, data pertaining to whether the binary sample modifies certain registry keys to achieve persistence on the infected system etc.
Thus, by going for automated malware analysis, we can detect malware and gain sufficient information about malicious files, which would help us combat them in better and more effective ways.
At the same time, let’s remember that there are instances when the results yielded by such an analysis would turn out to be false positives. This lack of 100 percent accuracy thus makes manual analysis also inevitable. Anyhow, researchers are striving to develop better automated malware analysis tools with improved features that could help solve such issues, at least to a great extent.