Interactive analysis is becoming more popular every day. It can be used for the analysis of regular samples, and it is irreplaceable if you come across unique malware samples. Let’s explore what interactive analysis is and what its main benefits are.
But before we dive into the nuances of interactive analysis we need to understand what malware analysis is in general.
What is malware analysis?
Malware analysis is quite simply a process of studying a potential malware sample. During the study, a researcher’s goal is to understand the type, functions, code, and potential dangers of a malicious program.
Analysis can be performed for various reasons such as education or even as a hobby, but the most common goal is to study a malware sample to gain an understanding of how it works and to use this knowledge in developing countermeasures.
Why do we need malware analysis?
Imagine that a corporate computer gets infected by a new type of malware, for example, new ransomware. If the infection spreads to other PCs, the attack may cost a tremendous amount of money or result in the loss of important information.
The goal of security researchers is to study the infiltrating malware and figure out what kind of mayhem it may cause, which destructive functions it has, and how to prevent damage or repel subsequent attacks from the same malware family, should any occur in the future.
The main things to figure out during the analysis are:
- What the malware can do.
- How to detect it in the network.
- How to carry out damage control and minimize the attack consequences.
Malware research also helps security professionals develop local and network signatures. Local signatures are like signs that point to files created or changed by a malicious program. They help find and identify malware on infected machines.
Network signatures, on the other hand, focus on identifying incoming and outgoing network requests generated by the malware. For example, malware will often establish a connection with a control server to send over stolen data. These transmissions can give malicious programs away.
Types of malware analysis
Malware analysis is generally divided into two stages — static and dynamic. Static analysis is the first thing researchers will do to determine if a program is malicious and to learn about its functions. In some cases, static analysis is all you need.
However, if observing the code, strings, and headers in static form is not enough, researchers will start dynamic analysis to gain more insights about the behavior and capability of a malicious program. Dynamic analysis is more complicated and traditionally requires a lot more time to complete.
Static analysis is essentially examining the malware code without running it. It can reveal important information and help create static signatures. For example, one technique that researchers use during static analysis is looking at strings. Strings often contain IPs and URLs and can point to the location of a control server for a particular malware sample.
However, while static analysis is very useful, it has limitations. Malware authors are developing more and more sophisticated programs and often create code that is designed to mislead researchers or conceal functions. This type of coding is called obfuscation and you will often see it in more advanced malware types.
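The string technique described above, as an added example (not code from ANY.RUN or the original article): a Python sketch that extracts ASCII and UTF-16LE strings from a byte sample, picks out URLs and IPv4 addresses, and shows that an XOR-encoded copy of a URL goes unnoticed, which is the limitation obfuscation creates. The sample bytes, hostnames, and XOR key are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: bytes standing in for a binary, not a real malware file.
# It holds an ASCII URL, a UTF-16LE IP address, and one XOR-encoded URL.
HIDDEN = bytes(b ^ 0x5A for b in b"http://hidden.example/gate.php")
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"http://c2.example/panel/login.php\x00"
    + b"\x01\x02\xff"
    + "198.51.100.23".encode("utf-16-le") + b"\x00\x00"
    + b"\xfe\xed" + HIDDEN + b"\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def extract_strings(data):
    """Return printable ASCII and UTF-16LE strings of six or more characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found

def find_indicators(strings):
    """Pull URLs and valid IPv4 addresses out of the extracted strings."""
    urls, ips = set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        for cand in IP_RE.findall(s):
            try:
                ips.add(str(ipaddress.IPv4Address(cand)))
            except ipaddress.AddressValueError:
                pass  # dotted number that is not an address, e.g. 999.1.2.3
    return sorted(urls), sorted(ips)

def defang(indicator):
    """Rewrite an indicator so it cannot be clicked or resolved by accident."""
    return indicator.replace("http", "hxxp", 1).replace(".", "[.]")

if __name__ == "__main__":
    urls, ips = find_indicators(extract_strings(SAMPLE))
    for item in urls + ips:
        print(defang(item))
```

The encoded URL still shows up as a printable string, but as gibberish that matches no indicator pattern, so only the two plain-text indicators are reported.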
For dynamic malware analysis, researchers launch malware samples in controlled environments and study the processes that they create. Process Monitor and Process Explorer are two applications very often used to observe malware behavior during dynamic analysis.
If you are going to perform dynamic analysis, it is crucial to establish a secure environment where the virus can’t cause any damage to the machine. Usually, this means deploying a virtual machine and using some sort of VM software.
Or, an even better idea is to use ANY.RUN. Our service is designed specifically for dynamic malware analysis but also supports static analysis.
Actually, ANY.RUN takes it one step further by allowing for interactive dynamic malware analysis.
What is interactive malware analysis?
Interactive analysis is an advanced form of dynamic analysis. Researchers can control the process, influence the simulation in real time, and make changes right after getting updates from the sample. The simulation of actions is as realistic as possible: researchers can interact with pop-ups or change the OS configuration on the fly.
Benefits of interactive malware analysis
Interactive analysis has several other advantages:
- It allows interacting with a malware sample directly.
- It allows running several interdependent parts of the malware in one task to increase analysis quality.
- It allows for acquiring data faster.
- It lowers the level of experience required of the researcher.
- It enables researchers to change operating system configuration based on malware behavior and re-run tasks much faster.
Furthermore, there are situations where other analysis types just aren’t sufficient, at least unless the researcher is extremely experienced, and even then other analysis types would take way too long in comparison.
For instance, some malware samples will only execute if certain conditions are met.
One example is banking Trojans, which may activate if a user visits a particular online banking website. Only then will the Trojan try to steal and send information to the Command & Control server. Therefore, thanks to interactivity, analysts can collect more IOCs.
Additionally, some malware has kill switches in the form of files with specific names or registry keys. Analysts can try to include them in a virtual machine during analysis, or check the language of the malicious document, change the system locale, and re-run tasks. This will allow the malware to work in full and give more IOCs.
Fully automated analysis programs may not know all execution scenarios. So they miss important steps and don’t paint the whole picture. Additionally, some samples within a malware family may have a unique execution process. Launching a separate automated analysis because of a single unique sample may not be viable. It’s just too much work, time, and money.
Interactive analysis, on the other hand, allows testing multiple execution variants by, well, interacting with the execution process. This makes it possible to get data fast, and it does not require a lot of experience from the researchers since the process is intuitive.
ANY.RUN at the moment is the only service that provides interactive malware analysis. We would like to tell you how we came to this.
Being engaged in cybersecurity ourselves, we know that most existing analysis tools on the market are, frankly, not that user friendly. Not only do they require lots of knowledge, but they also lack the ability to present data in an easily readable form.
There are automated analysis tools, of course. But those can already be fooled by some malware samples and threat actors will implement new ways to throw off automated solutions.
We wanted to create a service that would simplify the analysis process through the use of a custom UI and take the best from automated sandboxes while retaining an element of human supervision and interactivity.
And that is exactly what we did.
As a result, ANY.RUN effectively replaces and extends traditional analysis tools and builds a process that is centered around convenient process observation. As an online tool, it reduces equipment costs, while a graphical user interface makes malware analysis more accessible.
We are proud to say that today our service is used by over 150,000 researchers and trusted by industry giants such as IBM, Hewlett Packard, Canon, and many others.
Malware is becoming more and more sophisticated and, unfortunately, brand new samples are regularly introduced into the wild. Online security and solid defense against cyber threats are more important today than they ever were.
ANY.RUN is a unique service that makes malware analysis more accessible, fast, and safe. And on top of that, all our tools are available for free, so give ANY.RUN a try!