Lead Image © Rostislav Zatonskiy, 123RF.com
Malware analysis in the sandbox
Under the Microscope
Over a year ago, the WannaCry malware infected almost a quarter of a million Windows computers around the world, encrypting data and demanding a ransom within a very short time. Thanks to a vulnerability in Microsoft's SMB protocol implementation that had already been patched, the worm was able to spread in no time at all – of course, only on computers that had not yet installed the update, which had been available since March 2017. The victims of the ransomware Trojan include some well-known corporations.
WannaCry's success was therefore largely due to sluggish update strategies. In the end, though, it was not security updates that halted WannaCry's further spread: it was accidentally stopped by a protection mechanism built into the malware itself (its "kill switch"), which a young English security researcher discovered during malware analysis. Before considering the role of the sandbox in the WannaCry case, I first need to differentiate between the two ways of analyzing malware: static and dynamic analysis.
Static Analysis
In static analysis, the file containing the malicious code is not executed; instead, it is opened and analyzed in a disassembler. IDA by Belgium's Hex-Rays [1] is one well-known disassembler. After the file is opened, IDA first analyzes the binary and prepares the information it contains. Figure 1 shows the control flow graph of a gzip function. IDA displays the CPU instructions of the individual blocks in assembler, allowing the analyst to follow the program flow.
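To make concrete what a disassembler does when it turns a linear instruction listing into the kind of control flow graph shown in Figure 1, here is an added example (not code from the article and not IDA's own algorithm): it splits a constructed, hypothetical x86-style listing into basic blocks, derives the successor edges from each block's last instruction, and flags back edges, which are what a loop looks like in the graph view. The sample listing, its addresses and the small set of recognised mnemonics are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Mnemonics that end a basic block. Hypothetical subset chosen for this example.
COND_JUMPS = {"je", "jne", "jz", "jnz", "jg", "jge", "jl", "jle", "ja", "jb"}
UNCOND_JUMPS = {"jmp"}
RETURNS = {"ret"}
BLOCK_ENDERS = COND_JUMPS | UNCOND_JUMPS | RETURNS


@dataclass(frozen=True)
class Insn:
    addr: int
    mnemonic: str
    operand: str = ""


# Constructed sample listing (hypothetical addresses and code): a byte-copy
# loop with an early exit, loosely shaped like a small decompression routine.
SAMPLE = [
    Insn(0x1000, "push", "ebp"),
    Insn(0x1001, "mov", "ebp, esp"),
    Insn(0x1003, "xor", "eax, eax"),
    Insn(0x1005, "test", "ecx, ecx"),
    Insn(0x1007, "je", "0x1015"),      # zero-length input -> error path
    Insn(0x1009, "lodsb"),             # loop body: copy one byte
    Insn(0x100A, "stosb"),
    Insn(0x100B, "dec", "ecx"),
    Insn(0x100C, "jnz", "0x1009"),     # back edge -> this is the loop
    Insn(0x100E, "mov", "eax, 1"),     # success
    Insn(0x1013, "jmp", "0x1018"),
    Insn(0x1015, "or", "eax, -1"),     # error: return -1
    Insn(0x1018, "pop", "ebp"),
    Insn(0x1019, "ret"),
]


def jump_target(insn):
    """Literal target of a direct jump, or None (not a jump, or indirect)."""
    if insn.mnemonic in COND_JUMPS | UNCOND_JUMPS:
        if re.fullmatch(r"0x[0-9a-fA-F]+", insn.operand.strip()):
            return int(insn.operand, 16)
    return None


def build_cfg(listing):
    """Split a linear listing into basic blocks and compute successor edges.

    Returns (blocks, edges): blocks maps block start address -> list of Insn,
    edges maps block start address -> successor start addresses
    (branch target first, fall-through second).
    """
    insns = sorted(listing, key=lambda i: i.addr)
    # 1. Leaders: the entry, every direct branch target, and the instruction
    #    that follows any block-ending instruction.
    leaders = {insns[0].addr}
    for idx, insn in enumerate(insns):
        tgt = jump_target(insn)
        if tgt is not None:
            leaders.add(tgt)
        if insn.mnemonic in BLOCK_ENDERS and idx + 1 < len(insns):
            leaders.add(insns[idx + 1].addr)
    starts = sorted(leaders)
    # 2. A block runs from its leader up to (not including) the next leader.
    blocks = {}
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else float("inf")
        blocks[start] = [x for x in insns if start <= x.addr < end]
    # 3. Edges are determined by each block's last instruction.
    edges = {}
    for i, start in enumerate(starts):
        last = blocks[start][-1]
        fallthrough = starts[i + 1] if i + 1 < len(starts) else None
        tgt = jump_target(last)
        if last.mnemonic in RETURNS:
            succ = []
        elif last.mnemonic in UNCOND_JUMPS:
            succ = [tgt] if tgt is not None else []   # indirect jmp: unknown
        elif last.mnemonic in COND_JUMPS:
            succ = [a for a in (tgt, fallthrough) if a is not None]
        else:
            succ = [fallthrough] if fallthrough is not None else []
        edges[start] = succ
    return blocks, edges


def back_edges(edges):
    """Edges pointing at the same or an earlier block: these mark loops."""
    return {(src, dst) for src, dsts in edges.items() for dst in dsts if dst <= src}


def render(blocks, edges):
    """Text rendering resembling a graph view: one block per paragraph."""
    lines = []
    for start, body in blocks.items():
        lines.append(f"loc_{start:X}:")
        for x in body:
            lines.append(f"    {x.mnemonic} {x.operand}".rstrip())
        lines.append("    -> " + ", ".join(f"loc_{d:X}" for d in edges[start]))
    return "\n".join(lines)


if __name__ == "__main__":
    b, e = build_cfg(SAMPLE)
    print(render(b, e))
    print("loops (back edges):", sorted(back_edges(e)))
```

On the sample listing this yields five blocks; the block at 0x1009 has itself as a successor, which is the loop an analyst would spot as a cycle in the graph, and the block ending in `ret` has none. Real disassemblers additionally have to resolve indirect jumps, jump tables and calls, which this example deliberately leaves as "unknown successor".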