Intelligent Monitoring: Auto-Focus for Malware Analysts

Jul 10th 2019

Intelligent Monitoring captures everything that’s relevant and only what’s relevant, so your Security Team can focus on what’s most critical & essential.


In explaining what had motivated his team to switch to VMRay Analyzer, a customer told us, “It’s not about getting our analysts started with malware analysis. It’s getting them to stop!” VMRay, he explained, was allowing DFIR team members to do malware analysis in a faster and smarter way than was possible with prior sandbox products they had used.

That’s a message we often hear. And underlying the performance advantage customers see is a capability we call Intelligent Monitoring (IM), which distinguishes VMRay from everyone else. Embodied in VMRay Analyzer are three core aspects of IM:

VMRay captures *everything* that’s relevant to malware threat analysis and what would happen in an attack using that malware. Based on monitoring at the hypervisor level—an approach that consistently evades detection—VMRay transparently monitors and logs every single interaction between the malware and the operating system, with no blind spots.

This includes all API calls, native calls, syscalls, COM/.NET methods, and java functions. Because our technology is not based on function / API hooking, we can even intercept calls into the middle of functions or APIs. These are often performed by malware in order to remain invisible to other security solutions. Furthermore, our approach not only provides full visibility in monitoring all actions, but it does so in a completely transparent and invisible manner, as VMRay doesn’t change a single bit in the detonation environment of the malware.

VMRay reports only what’s relevant. By default, analysts see in the user interface only the core information needed to quickly identify and address the risks posed by malware. One of the side effects of conventional approaches to malware analysis is that their monitoring activity generates a tremendous amount of irrelevant noise. This noise dilutes critical information about actual threats that are in progress, making analysis more challenging and time-consuming.  The noise can contain false alerts.

A typical example: Due to the noise generated during the analysis of a benign Word doc, it may be reported that the doc is performing network communication, reading crypto keys from the registry, and injecting code into other running processes. Analysts spend much of their time investigating false positives, which is a waste of valuable staff resources. VMRay employs a number of advanced techniques, such as segregating trusted code from untrusted code, to virtually eliminate all this extraneous noise.  And because we do not monitor side effects of the operating system or benign applications in the first place, the analysis can be completed much faster compared to other approaches.


Info Stealing - Behavior Tab

Figure 1: Analysts can easily navigate from a high-level VTI rule match (in this case Information Stealing) to the specific behavior.


Like a camera with an auto-focus lens, VMRay zooms in or out to monitor what is most critical or essential at any given stage of an unfolding threat analysis being conducted inside the sandbox. The technical term we use for this auto-focus capability is Intermodular Transition Monitoring (ITMTM), and it is at the heart of Intelligent Monitoring. Regardless of what malware is doing at a given moment—issuing an API call, using special CPU instructions to directly jump into the kernel, or using higher-level concepts—VMRay automatically adjusts to the optimal monitoring granularity for the situation. This allows an analyst to always see the highest semantic level possible so he or she will not have to guess the intention of the malware by looking at hundreds of syscalls being generated by a high-level API.


Figure 2: VMRay runs as part of the hypervisor on top of the host OS


Why VMRay Does What Others Can’t

Other products, based on technologies invented a decade or more ago, can’t match the capabilities of Intelligent Monitoring. Those earlier approaches were built for observing API calls of single executables. Static and inflexible, they can’t keep pace with the staggering diversity of malware, in its’ many different forms, sizes and implementation types and is delivered via multi-stage attacks and extended campaigns.

To give just one typical example, an infected Word or Excel document drops a payload that downloads an executable, which injects code into a Windows process. In turn, this creates an autostart key which, after reboot, launches a piece of malware that is the real source of danger. In Figure 1 we see Intelligent Monitoring in action. Not only does VMRay see the sample reboot but it captures the behavior as well.


All Monitored Behaviors

Figure 3: VMRay Analysis showing all monitored processes from an infected Excel Document


Reflecting VMRay’s strong engineering focus and its track record of innovation in malware analysis, VMRay Analyzer is unique in its ability to recognize and automatically adjust to such complex and dynamic threats. From a business perspective, Intelligent Monitoring lets incident response teams reduce their workload and save time in the IR process while making better use of the team’s security expertise. With data that is complete, undiluted and noise-free, even junior analysts can more quickly identify and focus on resolving real threats while avoiding time wasted on chasing false alerts.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator