Thomas Mandl Secure Business Austria/IKARUS Security Software
Florian Nentwich IKARUS Security Software
Ulrich Bayer Vienna University of Technology/Institute Eurecom
Engin Kirda Vienna University of Technology/Institute Eurecom
download slides (PDF)
The increasingly huge number of new malware samples challenges every analysis team, regardless of whether they are part of the AV community or an incident response team. An in-depth analysis performed by human experts may take several days and uses valuable human resources.
To cope with time pressure during a manual malware analysis, ANUBIS has been developed. It is capable of automatically analysing the behaviour of Microsoft Windows executables, with special focus on malware analysis. Executables are run in a sandboxed environment and the security-relevant actions are monitored. Due to its intelligent reports, ANUBIS supports the malware analyst to quickly identify the real behaviour of a malicious executable. A public version of ANUBIS is available at: https://anubis.iseclab.org/.
ANUBIS uses techniques to emulate an Intel-based computer architecture, providing a 'detailed, non-intrusive external view' to allow the monitoring of all actions within this sandbox. Reports include (among others): file, registry, process and network activities, a risk analysis and a threat summary. The automatic analysis is completed within minutes and this enables an expert to quickly categorize the malware sample (e.g. bot, trojan, file infector, Internet worm) and to analyse the captured network traffic.
On top of that, a tool like ANUBIS also has an impact on the malware scene and we have already seen numerous efforts to detect and evade the ANUBIS sandbox. The malware scene's response to ANUBIS, some interesting evasion techniques and our countermeasures will also be discussed.