ANUBIS - ANalyzing Unknown BInarieS - the automatic way
Thomas Mandl Secure Business Austria/IKARUS Security Software
Florian Nentwich IKARUS Security Software
Ulrich Bayer Vienna University of Technology/Institute Eurecom
Engin Kirda Vienna University of Technology/Institute Eurecom
download slides (PDF)
The ever-increasing number of new malware samples challenges every analysis team, whether it belongs to the AV community
or to an incident response team. An in-depth analysis performed by human experts may take several days and
consumes valuable human resources.
ANUBIS was developed to relieve the time pressure of manual malware analysis. It automatically
analyses the behaviour of Microsoft Windows executables, with a special focus on malware. Executables are
run in a sandboxed environment and their security-relevant actions are monitored. Its structured reports help
the malware analyst to quickly identify the real behaviour of a malicious executable. A public version of ANUBIS
is available at: https://anubis.iseclab.org/.
ANUBIS emulates an Intel-based PC architecture, which provides a 'detailed, non-intrusive
external view' from which every action inside the sandbox can be monitored. Reports include (among others): file, registry,
process and network activities, a risk analysis and a threat summary. The automatic analysis completes within minutes,
which enables an expert to quickly categorize the malware sample (e.g. bot, trojan, file infector, Internet worm) and
to analyse the captured network traffic.
Beyond its analytical value, a tool like ANUBIS also affects the malware scene: we have already seen numerous efforts to
detect and evade the ANUBIS sandbox. The malware scene's response to ANUBIS, some interesting evasion techniques and our
countermeasures will also be discussed.