Analysts use open source malware analysis tools to protect from and predict future attacks and to share knowledge among each other. It’s no secret that distributing malware is a big business and the rapidly rising malware epidemic is only going to grow in ability and efficiency in the coming years. As malware trading forums proliferate on the dark web, it has become easier than ever to obtain the crypters, botnets and zero-days needed to pull off high level attacks. And as the complexity of variants grow, the harder it becomes to understand and benchmark each one.
By using open source malware analysis tools, analysts can test, characterize and document different variants of malicious activates while learning about the attack lifecycle.
Five Open Source Malware Analysis Tools
In the developer’s own words “Cuckoo Sandbox is a malware analysis system.” Built by a team of volunteers during the Google Summer of Code project back in 2010, it’s an open source platform that automates malicious file analysis for Windows, OS X, Linux and Android and gives detailed and meaningful feedback regarding how each file presented behaves in isolated environments. And since it’s open source software, contributors are continuously writing extensions which provide enhanced functionality. Malware detection and protection companies use Cuckoo to help ease the strain of manually wading through troves of potentially malicious files. Its modular design makes it easily customizable for both reporting and processing stages. Understandably, it has become one of the most commonly used open source tools in recent years.
In 2012 Cuckoo released Malwr, their sandbox-as-a-service which allows users to use the data they have collected via an easy to use interface. Its aim was to serve as an alternative for users who don’t have the ability to deal with Cuckoo properly but still want to leverage its intelligence.
Yara is an open source malware attribution tool used to classify malware samples based on textual or binary patterns once they have been analyzed in Cuckoo. Using Yara, researchers write descriptions of malware families based on patterns. These descriptions are called rules, hence the name Yara (which stands for “Yet Another Recursive Acronym”) Rules. It allows researchers to recognize and categorize seemingly similar variants of malware malware and can be integrated to use within Cuckoo. IBM calls Yara the malware analyst’s “pattern matching swiss army knife” and can be used on both Windows and Linux machines (though on Linux machines you’ll need to build it from source code). Yara Rules has been added into our Incident Response Framework in order to assist us in identifying the malware samples we encounter, classify them and later share our finding with customers and the community.
Last month, Yara’s creators released a new service still in alpha called YaraRules Analyzer, that lets users analyze files in the cloud using full rulesets. This ensures that users are always analyzing samples against the most recent ruleset version and frees them from needing to install Yara locally.
Google Rapid Response (GRR)
An incident response framework developed by security researchers at Google, the GRR framework analyzes specific workstations for malware footprints. It consists of an agent that’s deployed on the target system and a server infrastructure to interact with the agent. Once both the server side and the agent have been deployed, they become GRR clients and can begin to receive messages from the front end servers, which makes it easy to investigate individual systems. Then the incident response team can perform various forensic tasks on the client machine, such as analyzing the memory, searching various settings and managing configuration options.
This Linux toolkit was designed as a one-stop-shop for analysts looking to reverse engineer malware samples. Based on Ubuntu, Remnux incorporates many tools into one to examine Windows and Linux based malware with ease. It helps researchers investigate browser-based malware, perform memory forensics, analyze multiple malware samples, extract and decode suspicious items and more.
Despite its odd name, Bro is a powerful network-based analysis framework that turns network traffic into events to trigger scripts. It is similar to an IDS (intrusion detection system) in that it gives users a bird’s-eye-view of their network activity, using both signature-based (looks for rules or patterns of known malicious traffic) and anomaly-based detection (looks for unusual activity) but its functions reach far beyond those of traditional IDS. It can be used to conduct forensics investigations, network monitoring and protocol analysis.
Open Source for a United, More Secure Future
The list of open source analysis tools continues to grow and mature each day. That’s critical because as long as cyber attacks keep turning a profit (regardless of whether that profit is financial or data-based), attackers will continue to perfect their methods, and businesses will continue to fall prey. Thanks to the efforts of open source tool creators, analysts can share information, intelligence and experiences and are able to actively work together, creating a more secure tomorrow.