Title Malware analysis methods and systems
Abstract Methods of analyzing malware and other suspicious files are presented, where some embodiments include analyzing the behavior of a first malware sample on both a virtual machine and a physical computing device, the physical device having been booted from a secondary boot source, and determining whether the behavior of the malware sample was different on the virtual machine and the physical computing device. In certain embodiments, a notification indicating that the behavior was different may be generated. In other embodiments, a malware analysis computing device that is configured to receive a base hard drive image may be network booted, and the behavior of the malware sample on the malware analysis computing device may be analyzed. In certain embodiments, a malware-infected hard drive image may then be copied off the malware analysis computing device for further forensic analysis.
Publication number US9185128(B2) Publication date 2015.11.10
Application number US201314014970 Filing date 2013.08.30
Applicant Bank of America Corporation Inventors Yu Sounil;Schafer Christopher
Classification G06F21/56;H04L29/06 Main classification G06F21/56
Agent Banner & Witcoff, Ltd. Attorney Banner & Witcoff, Ltd. ;Springs Michael A.
Main claim 1. A method comprising: initializing, by an administrative computing device, a virtual machine; installing, by the administrative computing device, a first malware sample onto the virtual machine; analyzing, by the administrative computing device, the behavior of the first malware sample on the virtual machine; causing, by the administrative computing device, a physical computing device to be booted from a secondary boot source different from a primary boot source, the primary boot source being a hard disk on the physical computing device; installing, by the administrative computing device, the first malware sample onto the physical computing device; analyzing, by the administrative computing device, the behavior of the first malware sample on the physical computing device; determining, by the administrative computing device, based on the analyzing, whether the behavior of the first malware sample on the virtual machine was different from the behavior of the first malware sample on the physical computing device; wherein the determining comprises one or more of: comparing files that were accessed or were subject to an access attempt on the virtual machine to files that were accessed or were subject to an access attempt on the physical computing device; comparing data written on the virtual machine to data written on the physical computing device; comparing modifications made to files on the virtual machine to modifications made to files on the physical computing device; comparing operating system application programming interface commands invoked on the virtual machine to operating system application programming interface commands invoked on the physical computing device; and comparing network data sent or received on the virtual machine to network data sent or received on the physical computing device; responsive to determining that the behavior of the first malware sample on the virtual machine was different from the behavior of the first malware sample on the physical computing device, generating, by the administrative computing device, a notification indicating the first malware sample behaved differently; restarting, by the administrative computing device, the virtual machine such that it is ready for subsequent malware analysis; causing, by the administrative computing device, the physical computing device to be rebooted using an IP-enabled power strip, wherein the physical computing device is configured to be rebooted from the secondary boot source such that it is ready for subsequent malware analysis; installing, by the administrative computing device, at least a second malware sample onto the physical computing device and the virtual machine; analyzing, by the administrative computing device, the behavior of the at least a second malware sample on the virtual machine; analyzing, by the administrative computing device, the behavior of the at least a second malware sample on the physical computing device; determining, by the administrative computing device, based on the analyzing, whether the behavior of the at least a second malware sample on the virtual machine was different from the behavior of the at least a second malware sample on the physical computing device; and responsive to determining that the behavior of the at least a second malware sample on the virtual machine was different from the behavior of the at least a second malware sample on the physical computing device, generating, by the administrative computing device, a notification indicating the at least a second malware sample behaved differently.
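The determining step of the claim, the five behavior comparisons and the notification, as an added illustration that is not code from the patent or its assignee. It assumes each environment's monitoring produced a trace in the BehaviorTrace shape below; the sample traces are constructed, not real malware data.

```python
from dataclasses import dataclass, field

# Behavior observed for one malware sample in one analysis environment.
# Each field mirrors one of the five comparisons listed in the claim.
@dataclass
class BehaviorTrace:
    files_accessed: set = field(default_factory=set)      # paths opened or attempted
    data_written: set = field(default_factory=set)        # (path, hash of bytes written)
    file_modifications: set = field(default_factory=set)  # (path, kind) e.g. ("x", "delete")
    api_calls: set = field(default_factory=set)           # OS API names invoked
    network: set = field(default_factory=set)             # (direction, host, port)

CATEGORIES = ("files_accessed", "data_written", "file_modifications", "api_calls", "network")

def compare_traces(vm: BehaviorTrace, physical: BehaviorTrace) -> dict:
    """Per category, what appeared only on the VM and only on the physical host.
    Categories with no difference are omitted, so {} means identical behavior."""
    diff = {}
    for name in CATEGORIES:
        a, b = getattr(vm, name), getattr(physical, name)
        if a != b:
            diff[name] = {"vm_only": sorted(a - b), "physical_only": sorted(b - a)}
    return diff

def notification(sample_id: str, diff: dict):
    """The notification the claim calls for, or None when behavior matched."""
    if not diff:
        return None
    lines = [f"sample {sample_id} behaved differently on VM vs physical host"]
    for name, d in diff.items():
        lines.append(f"  {name}: {len(d['vm_only'])} VM-only, {len(d['physical_only'])} physical-only")
    return "\n".join(lines)

# Constructed traces (hypothetical): on the VM the sample probes for a virtualization
# artifact and exits; on bare metal it writes a file and contacts a placeholder host.
VM_TRACE = BehaviorTrace(
    files_accessed={r"C:\Windows\System32\drivers\vmmouse.sys"},
    api_calls={"CreateFileW", "ExitProcess"},
)
PHYSICAL_TRACE = BehaviorTrace(
    files_accessed={r"C:\Windows\System32\drivers\vmmouse.sys"},
    data_written={(r"C:\Users\Public\dropped.bin", "constructed-hash-0001")},
    file_modifications={(r"C:\Users\Public\dropped.bin", "create")},
    api_calls={"CreateFileW", "WriteFile", "InternetOpenUrlW"},
    network={("out", "c2.example.invalid", 443)},
)

if __name__ == "__main__":
    print(notification("sample-001", compare_traces(VM_TRACE, PHYSICAL_TRACE)))
```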
Address Charlotte NC US