ANUBIS - ANalyzing Unknown BInarieS - the automatic way
Thomas Mandl Secure Business Austria/IKARUS Security Software
Florian Nentwich IKARUS Security Software
Ulrich Bayer Vienna University of Technology/Institute Eurecom
Engin Kirda Vienna University of Technology/Institute Eurecom
download slides (PDF)
The increasingly huge number of new malware samples challenges every analysis team, regardless of whether they are part
of the AV community or an incident response team. An in-depth analysis performed by human experts may take several days and
uses valuable human resources.
To cope with time pressure during a manual malware analysis, ANUBIS has been developed. It is capable of automatically
analysing the behaviour of Microsoft Windows executables, with special focus on malware analysis. Executables are
run in a sandboxed environment and the security-relevant actions are monitored. Due to its intelligent reports, ANUBIS
supports the malware analyst to quickly identify the real behaviour of a malicious executable. A public version of ANUBIS
is available at: https://anubis.iseclab.org/.
ANUBIS uses techniques to emulate an Intel-based computer architecture, providing a 'detailed, non-intrusive
external view' to allow the monitoring of all actions within this sandbox. Reports include (among others): file, registry,
process and network activities, a risk analysis and a threat summary. The automatic analysis is completed within minutes
and this enables an expert to quickly categorize the malware sample (e.g. bot, trojan, file infector, Internet worm) and
to analyse the captured network traffic.
On top of that, a tool like ANUBIS also has an impact on the malware scene and we have already seen numerous efforts to
detect and evade the ANUBIS sandbox. The malware scene's response to ANUBIS, some interesting evasion techniques and our
countermeasures will also be discussed.
This month VB's test team put 26 products to the test on
Windows Server 2008. John Hawes has the full results.