Products & Technology, March 7, 2018

Static malware analysis: A critical tool in your detection toolkit

A new generation of security-focused tools is entering the market


Just a few short years ago, Dynamic File Analysis was all the rage. Detonating a file in a “safe” sandbox environment to learn “who it would call and what it would do,” and using that critical intelligence to upgrade defenses, was deemed the latest “must have” technology in cyber defense. While there is no question that Dynamic File Analysis is a useful tool, as time went on the limitations of the technology surfaced and, sadly, it turned out not to be the “silver bullet” we had all hoped for. One of the biggest limitations is that the bad guys know most organizations use this technology and have found ways to fool it or move around it: building malware that detects when it is in a sandbox and, upon detonation, does not execute the code related to the attack, or using uncommon file extensions or browser plugin exploits that depend on environments unlikely to be present in the sandbox. Add to evasion the fact that sandboxes are both slow at detection and complex to operate, and the “silver bullet” dream is lost. But Dynamic File Analysis can be a powerful tool when it is integrated with the rich file context that Static Analysis provides.

Static file analysis has been around for a long time and has been used mostly in conjunction with software code quality checks, but it is also effective at identifying suspicious files and malware before they execute. Static file analysis is becoming a more common tool in the security team’s toolkit and, when used in conjunction with dynamic analysis, can act as a powerful force multiplier for a team’s efforts to surface and contain malware.

Why are more companies not utilizing static file analysis in their security programs?

The most common static analysis tools used by malware analyst teams are open source and not of the caliber needed by security teams. These open source tools were not designed to deal with professional hackers and today’s complex attacks. A simple example is the use of packers or fileless techniques to obfuscate malware embedded in a file; open source tools are unable to handle the unpacking process. Another challenge for open source static analysis tools is their inability to recognize malware that changes its characteristics over time, such as polymorphic malware or sandbox-evasive malware. Without highly visible, automated tools, the process of static file analysis can be manual, slow and complex. For an overwhelmed security team, these limitations make static analysis “a bridge too far.”

The good news is that a new generation of security-focused static analysis tools is entering the market. These tools are purpose-built to deal with the nuances of malware and offer real value to the overwhelmed security team, specifically to investigators and threat hunters. The new generation of Static Analysis tools is fast and scalable. They can decompose and reverse engineer multiple types of files across multiple operating systems, making them much more operationally efficient. They do not alert the attacker to their work and, most importantly, they have become efficient at unpacking obfuscated files and can overcome evasion techniques.

How does Static Analysis work?

First, this new generation uses techniques to unpack and decompose files so that the malware and exploits hidden inside are easily surfaced. By combining automated analysis techniques, the new tools can quickly identify, decompose and de-obfuscate the underlying object structure (e.g. embedded executables, libraries, documents, resources, icons) and extract hundreds of threat indicators and capabilities from the files. The more advanced of these tools can even classify the threat level of the file and repair it, so that only high-risk files are sent for dynamic analysis and the final results are more accurate.

Remember, static analysis of a file occurs pre-execution and takes only milliseconds to complete, regardless of the file’s target OS or platform. It thus overcomes shortcomings of dynamic analysis while not being subject to traditional virtualization and sandbox evasion techniques. It is also extremely lightweight and easily scaled to process hundreds of thousands of files daily.

Another new capability of these tools is the ability to define and classify a file based on the file’s features (as opposed to hashing the file based on its bits). Functional-similarity-based classification enables a static analysis tool to recognize polymorphic malware and to detect a new and unknown malware variant because it is functionally similar to known malware.

What does static analysis enable security teams to do?

The new generation of security-focused static analysis tools can help in three different security program areas. The first is as an automated detection tool, using its pre-execution, high-speed analysis to filter the vast numbers of unknown files coming into the network, defining their risk, identifying any malware embedded in them and sending the “files of interest” into incident response processes. Security teams gain earlier detection and identification of threats and, by eliminating large numbers of good files early, reduce false positives and improve the efficiency of the investigation process. This complements the use of Dynamic Analysis: only “files of interest” are sent to the sandbox, greatly improving efficiency, and the data extracted from both offers amazingly rich context.
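As an added illustration (not the article's or ReversingLabs' code) of the feature-based classification described under “How does Static Analysis work?” and of the pre-execution triage described just above, the Python below extracts printable strings and byte entropy from constructed sample blobs, compares two “variants” by string-set overlap rather than by hash, and routes each file as a known family, a file of interest for the sandbox, or low risk. The sample bytes, the string and entropy features, the suspicious API list, the 0.6 similarity threshold and the 7.0-bit entropy threshold are all assumptions made for the example.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample "files" (synthetic byte blobs, not real malware).
# A and B carry the same strings with different padding and ordering,
# mimicking a polymorphic variant; BENIGN shares nothing with them;
# PACKED is high-entropy filler standing in for a packed/obfuscated payload.
SAMPLE_A = (b"MZ" + b"\x90" * 16 + b"CreateRemoteThread\x00WriteProcessMemory\x00"
            + b"http://c2.example.invalid/beacon\x00" + b"\x00" * 8)
SAMPLE_B = (b"MZ" + b"\xcc" * 32 + b"http://c2.example.invalid/beacon\x00"
            + b"\xaa" * 5 + b"WriteProcessMemory\x00CreateRemoteThread\x00")
BENIGN = b"MZ" + b"\x90" * 16 + b"GetVersionExW\x00MessageBoxW\x00Hello, world\x00"
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 suggest packed or encrypted content."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def extract_features(data: bytes) -> dict:
    """Pre-execution feature extraction: printable strings (5+ chars) and entropy."""
    strings = {s.decode() for s in re.findall(rb"[\x20-\x7e]{5,}", data)}
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "strings": strings, "entropy": shannon_entropy(data)}

def similarity(a: dict, b: dict) -> float:
    """Jaccard overlap of string sets: a feature-based, not bit-based, match."""
    union = a["strings"] | b["strings"]
    return len(a["strings"] & b["strings"]) / len(union) if union else 0.0

def triage(data: bytes, known_bad: list, sim_threshold: float = 0.6) -> str:
    """Route a file: known family, file of interest for the sandbox, or low risk."""
    feats = extract_features(data)
    if any(similarity(feats, k) >= sim_threshold for k in known_bad):
        return "known-family"   # alert/block on the static match; no detonation needed
    if feats["entropy"] > 7.0 or feats["strings"] & SUSPICIOUS_APIS:
        return "sandbox"        # file of interest: worth the cost of dynamic analysis
    return "low-risk"           # filtered out before it ever reaches the sandbox

if __name__ == "__main__":
    known = [extract_features(SAMPLE_A)]
    print("similarity A/B:", similarity(known[0], extract_features(SAMPLE_B)))
    for name, blob in (("B", SAMPLE_B), ("benign", BENIGN), ("packed", PACKED)):
        print(name, "->", triage(blob, known))
```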

The second use is by the internal malware investigation team, to greatly accelerate their analysis processes and give them a better starting point. The same fast analysis and deep contextual understanding of the malware means an investigation team quickly understands the properties of the malware and can create “custom signatures and rules” to proactively search for that malware internally while upgrading detection capabilities across endpoints and networks. Targeted YARA rules integrated as part of static analysis can enable a security team to react faster than AV vendors in detecting unknown or polymorphic malware.

The third use is by threat hunting teams, which benefit from solid intelligence to decide what they are going to hunt for. They also need tools that help them hunt in multiple locations across their enterprise and search for their targets both historically and in real time. The new generation of static analysis tools helps here as well. Malware intelligence collected by the investigation teams and linked with the latest global threat intelligence provides excellent starting points to hunt from. The most advanced of the new static analysis tools include databases to store rich malware context and provide advanced search engines to pivot across large sample sets and push out multiple hunting queries across the network, SIEM or data lakes.

Today, the new generation of static analysis tools is in use by very large organizations, including government agencies, financial services companies and high-tech companies, with solid success. As the products mature, more mainstream adoption will occur and security-focused static analysis will become a critical and common tool in the enterprise security toolkit.

Learn more about the ReversingLabs static analysis engine and products, including threat detection, malware analysis and hunting.



Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
Tags:Products & Technology
