ANUBIS - ANalyzing Unknown BInarieS - the automatic way

Thomas Mandl Secure Business Austria/IKARUS Security Software
Florian Nentwich IKARUS Security Software
Ulrich Bayer Vienna University of Technology/Institute Eurecom
Engin Kirda Vienna University of Technology/Institute Eurecom


The rapidly growing number of new malware samples challenges every analysis team, whether it belongs to the AV community or to an incident response team. An in-depth analysis performed by human experts may take several days and consumes valuable human resources.

ANUBIS has been developed to relieve the time pressure of manual malware analysis. It automatically analyses the behaviour of Microsoft Windows executables, with a special focus on malware. Executables are run in a sandboxed environment and their security-relevant actions are monitored. Its structured reports help the malware analyst quickly identify the real behaviour of a malicious executable. A public version of ANUBIS is available at: https://anubis.iseclab.org/.

ANUBIS emulates an Intel-based computer architecture, providing a 'detailed, non-intrusive external view' that allows every action inside the sandbox to be monitored. Reports include (among others) file, registry, process and network activities, a risk analysis and a threat summary. The automatic analysis completes within minutes, which enables an expert to quickly categorize the malware sample (e.g. bot, trojan, file infector, Internet worm) and to analyse the captured network traffic.

On top of that, a tool like ANUBIS also has an impact on the malware scene, and we have already seen numerous efforts to detect and evade the ANUBIS sandbox. The malware scene's response to ANUBIS, some interesting evasion techniques and our countermeasures will also be discussed.
