I just watched a video presentation from September’s OWASP conference. The presenter, Tyler Hudak, talked about the Truman-based hybrid sandnet he created to automate the analysis of web-based malware. He references Google’s “The Ghost in the Browser” paper, as well as the Honeynet Project. One tool he used to help automate things in Windows is AutoIt, something I had not heard of before, but it sounds handy. The demo also shows a tool called InCtrl5, a utility for Windows that monitors changes to your system, primarily for use when installing some new program. I guess it’s used to complement the usual Sysinternals tools, so maybe it has some extra features that Tyler finds useful.

Some of the problems this approach is trying to solve are browser-dependent obfuscated JavaScript, plug-in dependencies (like Flash), multiple redirects, etc. All of these issues make malware analysis more complex and time-consuming, so any automation you can get away with is a big help. The demo at the end is pretty cool, but he glossed over how the information from the automated analysis is presented to the user. I’m guessing it’s not (yet) in a pretty report format. Either way, you still need someone with the right knowledge to analyze the output and decide what to do with it to help defend your network.

 

1 Response » to “Automated Web-Based Malware Behavior Analysis”

  1. eugenekogan says:

    I got this comment from the presenter this morning:

    Your name: Tyler Hudak

    Message: Thanks for watching the video of my presentation! The reason I didn’t show how the info is presented to the user (which comes in both the raw files generated and a tidy little HTML report) was that I was running short on time and OWASP was being VERY strict about going over at the conference (as they should). You are also correct in that it’s not that pretty, since it’s an internal-only device at this point. :)