Title of invention: Malware analysis methods and systems
Abstract: Methods of analyzing malware and other suspicious files are presented, where some embodiments include analyzing the behavior of a first malware sample on both a virtual machine and a physical computing device, the physical device having been booted from a secondary boot source, and determining whether the behavior of the malware sample was different on the virtual machine and the physical computing device. In certain embodiments, a notification indicating that the behavior was different may be generated. In other embodiments, a malware analysis computing device that is configured to receive a base hard drive image may be network booted, and the behavior of the malware sample on the malware analysis computing device may be analyzed. In certain embodiments, a malware-infected hard drive image may then be copied off the malware analysis computing device.
Publication number: US9516060(B2) Publication date: 2016.12.06
Application number: US201514875217 Filing date: 2015.10.05
Applicant: Bank of America Corporation Inventors: Yu Sounil; Schafer Christopher
Classification: H04L29/06; G06F21/56 Main classification: H04L29/06
Agency: Banner & Witcoff, Ltd. Agent: Banner & Witcoff, Ltd.; Springs Michael A.
Principal claim: 1. A method comprising: initializing, by an administrative computing device, a virtual machine; installing, by the administrative computing device, a first malware sample onto the virtual machine; analyzing, by the administrative computing device, the behavior of the first malware sample on the virtual machine to identify at least one virtual machine malware action; causing, by the administrative computing device, a physical computing device to be booted from a secondary boot source different from a primary boot source, the primary boot source being a hard disk on the physical computing device, wherein the physical computing device is a separate device from the administrative computing device, and wherein the physical computing device does not initialize a virtual machine after booting; installing, by the administrative computing device, the first malware sample onto the physical computing device; analyzing, by the administrative computing device, the behavior of the first malware sample on the physical computing device to identify at least one physical computing device malware action; determining, by the administrative computing device, based on the analyzing, whether the behavior of the first malware sample on the virtual machine was different from the behavior of the first malware sample on the physical computing device by comparing the at least one virtual machine malware action and the at least one physical computing device malware action; responsive to determining that the behavior of the first malware sample on the virtual machine was different from the behavior of the first malware sample on the physical computing device, generating, by the administrative computing device, a notification indicating the first malware sample behaved differently; restarting, by the administrative computing device, the virtual machine such that it is ready for subsequent malware analysis; causing, by the administrative computing device, the physical computing device to be rebooted using an IP-enabled power strip, wherein the physical computing device is configured to be rebooted from the secondary boot source such that it is ready for subsequent malware analysis; installing, by the administrative computing device, at least a second malware sample onto the physical computing device and the virtual machine; analyzing, by the administrative computing device, the behavior of the at least a second malware sample on the virtual machine; analyzing, by the administrative computing device, the behavior of the at least a second malware sample on the physical computing device; determining, by the administrative computing device, based on the analyzing, whether the behavior of the at least a second malware sample on the virtual machine was different from the behavior of the at least a second malware sample on the physical computing device; and responsive to determining that the behavior of the at least a second malware sample on the virtual machine was different from the behavior of the at least a second malware sample on the physical computing device, generating, by the administrative computing device, a notification indicating the at least a second malware sample behaved differently.
Address: Charlotte NC US