Reading through the news some days ago I found an interesting white paper related to malware intelligence and public sandboxes on the internet such as VirusTotal, Malwr, ThreatTrack and some others.
In the past, I wondered if someone in these organizations was looking at the millions of submissions that happen every day, with the aim of fighting back against new malware developments and extracting intelligence. Well, my question has been clearly answered in this paper.
It is no secret that advanced and not-so-advanced attackers use public and non-public sandboxing technologies to perform early reconnaissance of the protection technologies they may encounter along their attack path.
The white paper is very easy to read, and its main conclusions are the following:
- Even very sophisticated malware used in targeted attacks is often submitted to public sandboxes months before the real attacks are discovered
- Many of these samples went unnoticed in the past
- There is a need for an early warning system to report suspicious samples
- This could save targeted companies months of damage
“This confirms that what we have found is not an isolated case but a widespread phenomenon that also affects other online analysis systems. Second, now that the interaction between malware developers and public sandboxes is not a secret anymore, there is no reason that prevents us from publishing our findings as well”.
My next question is: are we going to get this sort of insight from our favourite open source sandboxes? As investigators we need to understand not only whether a file is malicious, but also the likelihood of that file being part of a new malware development.
Such early warnings would force attackers to set up their own sandboxing infrastructure, raising the cost of launching an attack. This way, attackers who are not well funded are left behind, at least in the first round.
This is a fantastic piece of work by Mariano Graziano and his team, presented at USENIX. The white paper is called:
Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence.
You can find more about it here: