Prioritizing Malware Analysis
Hi, this is Jose Morales, researcher in the CERT:CES team. In early 2012, a backdoor Trojan malware named Flame was discovered in the wild. When fully deployed, Flame proved very hard for malware researchers to analyze. In December of that year, Wired magazine reported that before Flame had been unleashed, samples of the malware had been lurking, undiscovered, in repositories for at least two years. As Wired also reported, this was not an isolated event.
Malware analysts have a difficult if near impossible job of managing the influx of new samples that appear in their queues, and according to a recent report in the October 2013 issue of IEEE Spectrum, there are approximately 150,000 new malware strains released each day. Malware analysts need an approach that allows them to sort out the massive amount of new samples that arrive daily in a fundamental way so they can assign priority to the most malicious of binary files.
In a recent post on the SEI blog, I describe research I am conducting with fellow researchers at the Carnegie Mellon University (CMU) Software Engineering Institute (SEI) and CMU's Robotics Institute to prioritize malware samples in an analyst's queue (allowing them to home in on the most destructive malware first) based on the file's execution behavior. Please read about our research and let me know if you have any comments or questions.
In a related podcast titled Characterizing and Prioritizing Malicious Code, Jose Morales discusses an approach for prioritizing malware samples, helping analysts to identify the most destructive malware to examine first, based on the binary file's execution behavior and its potential impact.