Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence

Mariano Graziano (Eurecom), Davide Canali (Eurecom), Leyla Bilge (Symantec Research Labs), Andrea Lanzi (Università degli Studi di Milano), Davide Balzarotti (Eurecom)

Abstract

Malware sandboxes are automated dynamic analysis systems that execute programs in a controlled environment. Within the large volumes of samples submitted every day to these services, some submissions appear to be different from others and show interesting characteristics. For example, we observed that malware samples involved in famous targeted attacks – like the Regin APT framework or the recently disclosed malware from the Equation Group – were submitted to our sandbox months or even years before they were detected in the wild. In other cases, the malware developers themselves interact with public sandboxes to test their creations or to develop a new evasion technique. We refer to such cases as malware developments.

In this paper, we propose a novel methodology to automatically identify malware development cases among the samples submitted to a malware analysis sandbox. The results of our experiments show that, by combining dynamic and static analysis with features based on the file submission, it is possible to achieve good accuracy in automatically identifying cases of malware development. Our goal is to raise awareness of this problem and of the importance of looking at these samples from an intelligence and threat prevention point of view.

1 Introduction

Malware sandboxes are automated dynamic analysis tools that execute samples in an isolated and instrumented environment. Security researchers use them to quickly collect information about the behavior of suspicious samples, typically in terms of their execution traces and API calls. While customized sandboxes are often installed on the premises of security companies, some sandboxes are available as public online services, as is the case for Malwr [13], Anubis [10], ThreatExpert [14], VirusTotal [16], and many others [5, 18, 4, 6, 15, 1, 3].

The main advantage of these systems is that the analysis is completely automated and easily parallelizable, thus providing a way to cope with the overwhelming number of new samples that are collected every day. However, because of this extreme parallelization, an enormous number of reports is generated every day. This makes the task of distinguishing new and important malware from the background noise of polymorphic and uninteresting samples very challenging.

In particular, two important and distinct observations motivate our work. First, it is relatively common that malware samples used to carry out famous targeted attacks were collected by antivirus companies or public sandboxes long before the attacks were publicly discovered [25]. For instance, the binaries responsible for Operation Aurora, Red October, Regin, and even some of the recently disclosed ones that are part of the Equation Group were submitted to the sandbox we used in our experiments several months before the respective attacks appeared in the news [11, 40, 17, 50, 45, 35]. The reasons behind this phenomenon are not always clear. It is possible that the files were automatically collected as part of an automated network- or host-based protection system. Or maybe a security analyst noticed something anomalous on a computer and wanted to double-check whether a suspicious file exhibited potentially malicious behavior. It is even possible that the malware developers themselves submitted an early copy of their work to verify whether it triggered any alert on the sandbox system. Whatever the reason, the important point is that no one paid attention to those files until it was too late.

The second observation motivating our study is the constant arms race between researchers, who continuously work to randomize their analysis environments, and criminals, who try to fingerprint those systems to avoid being detected. As a consequence of this hidden battle, malware and packers often include evasion techniques for popular sandboxes [19], and updated information about the internal sandbox details is regularly posted on public websites [2]. These examples prove that there must be a constant interaction between malware developers and popular public malware analysis services. This interaction is driven by the need to collect updated information as well as to make sure that new malware creations go undetected. Even though detecting this interaction might be very difficult, we believe it would provide valuable information for malware triage.

Up to the present, malware analysis services have collected large volumes of data. This data has been used both to enhance analysis techniques [23, 46] and to extrapolate trends and statistics about the evolution of malware families [24]. Unfortunately, to the best of our knowledge, these datasets have never been used to systematically study malware development and support malware intelligence on a large scale. The only public exception is a recent study that looked at VirusTotal to track the activity of specific high-profile hacking groups involved in APT campaigns [52, 27].

In this paper, we approach this objective by applying data-mining and machine learning techniques to study the data collected by Anubis Sandbox [10], a popular malware dynamic analysis service. At the time we performed our analysis, the dataset contained the analysis reports for over 30 million unique samples. Our main goal is to automatically detect whether miscreants submit their samples during the malware development phase and, if this is the case, to acquire more insight into the dynamics of malware development. By analyzing the metadata associated with the sample submissions, it might be possible to determine the software provenance and implement an early-warning system to flag suspicious submission behaviors.

It is important to understand that our objective is not to develop a full-fledged system, but instead to explore a new direction and to show that by combining metadata with static and dynamic features it is possible to successfully detect many examples of malware development submitted to public sandboxes. In fact, our simple prototype was able to automatically identify thousands of development cases, including botnets, keyloggers, backdoors, and over a thousand unique trojan applications.

2 Overview and Terminology

There are several reasons why criminals may want to interact with an online malware sandbox. It could be just for curiosity, in order to better understand the analysis environment and estimate its capabilities. Another reason could be to try to escape from the sandbox isolation to perform some malicious activity, such as scanning a network or attacking another machine. Finally, criminals may also want to submit samples for testing purposes, to make sure that a certain evasion technique works as expected in the sandbox environment, or that a certain malware prototype does not raise any alarm.

In this paper, we focus on the detection of what we call malware development. We use the term "development" in a broad sense, to include anything that is submitted by the author of the file itself. In many cases the author has access to the source code of the program – either because she wrote it herself or because she acquired it from someone else. However, this is not always the case, e.g., when the author of a sample uses a builder tool to automatically generate a binary according to a number of optional configurations (see Section 6 for a practical example of this scenario). Moreover, to keep things simple, we also use the word "malware" as a generic term for any suspicious program. This definition includes traditional malicious samples, but also attack tools, packers, and small probes written with the sole goal of exfiltrating information about the sandbox internals.

Our main goal is to automatically detect suspicious submissions that are likely related to malware development or to a misuse of the public sandbox. We also want to use the collected information for malware intelligence. In this context, intelligence means a process, supported by data analysis, that helps an analyst to infer the motivation, intent, and possibly the identity of the attacker.

Our analysis consists of five different phases. In the first phase, we filter out the samples that are not interesting for our analysis. Since the rest of the analysis is quite time-consuming, any sample that cannot be related to malware development, or that we cannot process with our current prototype, is discarded at this phase. In the second phase, we cluster the remaining samples based on their binary similarity. Samples in each cluster are then compared using a more fine-grained static analysis technique. Afterwards, we collect six sets of features, based respectively on static characteristics of the submitted files, on the results of the dynamic execution of the samples in the cluster, and on the metadata associated with the sample submissions. These features are finally provided to a classifier that we previously trained to identify the malware development clusters.

3 Data reduction

The first phase of our study has the objective of reducing the amount of data by filtering out all the samples that are not relevant for our analysis. We assume that a certain file could be a candidate for malware development only if two conditions are met. First, the sample must have been submitted to the public sandbox before it was observed in the wild. Second, it has to be part of a manual submission done by an individual user – and not, for example, originating from a batch submission of a security company or from an automated malware collection or protection system.

Dataset Submissions
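The two conditions of the data-reduction phase can be applied directly to submission records. The following Python is an added example written for this page, not the authors' prototype: the record layout, the batch-detection heuristic (a submitter that pushes more than 20 distinct samples within one hour is treated as an automated source), the decision to treat a sample with no in-the-wild sighting as satisfying the first condition, and all sample data are assumptions made here.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Submission:
    sha256: str        # sample identifier (hypothetical values in the demo below)
    submitter: str     # anonymised submitter identity, e.g. a hashed source address
    submitted_at: datetime


# Assumed heuristic (not from the paper): more than BATCH_MAX distinct samples
# from one submitter inside one BATCH_WINDOW marks that submitter as a batch source.
BATCH_WINDOW = timedelta(hours=1)
BATCH_MAX = 20


def batch_submitters(subs: Iterable[Submission]) -> Set[str]:
    """Submitters whose activity looks automated under the heuristic above."""
    by_submitter: Dict[str, List[Submission]] = defaultdict(list)
    for s in subs:
        by_submitter[s.submitter].append(s)
    flagged = set()
    for who, items in by_submitter.items():
        items.sort(key=lambda s: s.submitted_at)
        lo = 0
        for hi in range(len(items)):  # sliding window over submission timestamps
            while items[hi].submitted_at - items[lo].submitted_at > BATCH_WINDOW:
                lo += 1
            if len({s.sha256 for s in items[lo:hi + 1]}) > BATCH_MAX:
                flagged.add(who)
                break
    return flagged


def development_candidates(subs: Iterable[Submission],
                           wild_first_seen: Dict[str, datetime]) -> List[str]:
    """Condition 2: only submissions from non-batch submitters count as manual.
    Condition 1: the earliest manual submission must precede the first in-the-wild
    sighting. A sample absent from wild_first_seen is kept (assumption)."""
    subs = list(subs)
    bad = batch_submitters(subs)
    earliest_manual: Dict[str, datetime] = {}
    for s in sorted(subs, key=lambda s: s.submitted_at):
        if s.submitter not in bad:
            earliest_manual.setdefault(s.sha256, s.submitted_at)
    out = []
    for sha, t in earliest_manual.items():
        seen = wild_first_seen.get(sha)
        if seen is None or t < seen:
            out.append(sha)
    return sorted(out)


# ---- constructed demo data, not taken from the paper's dataset ----
T0 = datetime(2014, 3, 1, 10, 0)


def demo_submissions() -> List[Submission]:
    subs = [
        # an individual submits a fresh build; it surfaces in the wild a month later
        Submission("dev-aaaa", "user-17", T0),
        Submission("dev-aaaa", "user-17", T0 + timedelta(hours=2)),  # resubmission
        # an individual submits a sample that was already circulating
        Submission("old-bbbb", "user-42", T0 + timedelta(days=3)),
        # an individual submits something never observed elsewhere
        Submission("probe-cccc", "user-99", T0 + timedelta(days=5)),
    ]
    # a vendor feed pushes 25 distinct samples within ten minutes
    for i in range(25):
        subs.append(Submission(f"feed-{i:04d}", "av-feed-1",
                               T0 + timedelta(minutes=i // 3)))
    return subs


DEMO_WILD = {
    "dev-aaaa": T0 + timedelta(days=30),
    "old-bbbb": T0 - timedelta(days=10),
    **{f"feed-{i:04d}": T0 - timedelta(days=1) for i in range(25)},
}

if __name__ == "__main__":
    print(development_candidates(demo_submissions(), DEMO_WILD))
```

Running the demo keeps `dev-aaaa` (submitted a month before its first sighting) and `probe-cccc` (never seen outside the sandbox), and drops both the already-circulating sample and everything from the feed account. In practice the batch threshold would be tuned against the sandbox's own submitter statistics rather than fixed as it is here.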
