ANUBIS - ANalyzing Unknown BInarieS - the automatic way

Thomas Mandl Secure Business Austria/IKARUS Security Software
Florian Nentwich IKARUS Security Software
Ulrich Bayer Vienna University of Technology/Institute Eurecom
Engin Kirda Vienna University of Technology/Institute Eurecom

download slides (PDF)

The increasingly huge number of new malware samples challenges every analysis team, regardless of whether they are part of the AV community or an incident response team. An in-depth analysis performed by human experts may take several days and uses valuable human resources.

To cope with time pressure during a manual malware analysis, ANUBIS has been developed. It is capable of automatically analysing the behaviour of Microsoft Windows executables, with special focus on malware analysis. Executables are run in a sandboxed environment and the security-relevant actions are monitored. Due to its intelligent reports, ANUBIS supports the malware analyst to quickly identify the real behaviour of a malicious executable. A public version of ANUBIS is available at: https://anubis.iseclab.org/.

ANUBIS uses techniques to emulate an Intel-based computer architecture, providing a 'detailed, non-intrusive external view' to allow the monitoring of all actions within this sandbox. Reports include (among others): file, registry, process and network activities, a risk analysis and a threat summary. The automatic analysis is completed within minutes and this enables an expert to quickly categorize the malware sample (e.g. bot, trojan, file infector, Internet worm) and to analyse the captured network traffic.

On top of that, a tool like ANUBIS also has an impact on the malware scene and we have already seen numerous efforts to detect and evade the ANUBIS sandbox. The malware scene's response to ANUBIS, some interesting evasion techniques and our countermeasures will also be discussed.

VB Conferences

VB2011 (Barcelona)

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘In terms of networking, this conference has been superb.’

Quick Links

Poll

When do you install software updates?
Leave a comment
View 12 comments

virusbtn: RT @emailsecmatters: The typical spam message has sources as diverse as the spam lunch meat: http://ht.ly/2yucd
2 hours ago

virusbtn: Can anyone write a rap about our RAP tests (http://bit.ly/255ySQ) and submit it to the Symantec competition http://bit.ly/bOJg8r
6 hours ago

VB100 certification

With another epic haul of 54 products to test this month, the VB test team could have done without the bad behaviour of a number of products: terrible product design, lack of accountability for activities, blatant false alarms in major software, numerous problems detecting the WildList set, and some horrendous instability under pressure. Happily, there were also some good performances to balance things out. John Hawes has the details.
See full results.

Virus Bulletin currently has 208,224 registered users.

Fighting malware and spam