LAS VEGAS -- A new malware analysis environment being demonstrated this week at the Black Hat 2012 Briefings could put millions of free malware samples in the hands of security researchers, aka "good guys," speeding reverse analysis of attacks and ideally providing the information security industry with a new line of defensive technologies.
That's the hope of Rodrigo Branco, director of vulnerability research at Redwood City, Calif.-based vulnerability management vendor Qualys Inc., who said his cloud-based malware analysis system already contains hundreds of thousands of samples. Researchers are testing the system, he said. Up until now the security community has been responding with new defensive capabilities based on a hunch, Branco said, not necessarily by determining the most pervasive evasion technique.
"Researchers need to give a focus on real data instead of what they feel is possible," Branco said. "The purpose of the research is to stop and look at what is really out there and then create defensive capabilities."
Once fully deployed, Branco said he expects the system to have close to 10 million malware samples in its database and dozens of built-in analysis tools to test the samples on various systems.
The system was designed, Branco said, as an open architecture, letting researchers develop and share new analysis capabilities. He said the security community has gone too long without collecting and sharing malware data.
A partnership with a group of banks based in Brazil is helping boost the early analysis being conducted by the system. The data will be unveiled during Branco's Black Hat presentation this week.
"One of the results we are going to show is comparing what we see in the world to what we're seeing specifically targeting Brazil, because we have this relationship with the banks," Branco said. "It shows that some real valuable data can be gained."
Researchers are not keeping up with the onslaught of new malware samples detected each week. Access to malware samples is provided by pay services, reducing the access of valuable data to those who can afford it, Branco said. Thousands of different malware variants need to be tested so antivirus and other security technologies can detect and mitigate a threat. Branco said malware authors are using a variety of techniques to disrupt attempts of disassembly, debugging or analyzing malware in a virtualized environment. It makes the malicious code more sustainable and results in increased infections, he said.
More from Black Hat 2012
For more news, analysis, commentary and video interviews from Las Vegas, visit SearchSecurity.com's Black Hat 2012 special coverage page.
"If you don't work for an AV company or another big company, you don't have access to a lot of [malware] samples," Branco said. "Even if you had access to the millions of samples, you wouldn't have the machine power to analyze [them], so the researchers can now get ahold of this and get back the results."
The new malware analysis system uses a variety of techniques, including static analysis to scan the malicious code. The system collects malware samples from a variety of sources, including antivirus vendors, software makers and intrusion detection and prevention vendors, Branco said. The back-end system does the processing of the analysis to create a catalogue of the various evasion techniques, which can be mined by researchers, Branco said.
Dynamic code analysis helps address attack code that is encrypted or obfuscated by the malware author. The system could give a much needed leg-up to security researchers who say it has become increasingly difficult to reverse engineer some of the latest malware because the code is so heavily protected. More than 50 different detection plug-ins will help build a database of techniques used by attackers to evade detection by security software.