VMRay Analyzer 3.0: Raising the Bar for Automated Malware Analysis & Detection
With today’s release of VMRay Analyzer 3.0, we’ve set a new standard of performance and accuracy with our flagship solution for automated malware analysis and detection. With version 3.0 security teams can quickly analyze and detect advanced, zero-day and targeted malware—and initiate incident response—stopping attacks and threats that other technologies miss.
The new release:
- Expands coverage to include the analysis of files in macOS environments
- Bolsters VMRay analysis engines to deliver comprehensive, in-depth analysis of URLs
- Introduces relationships between malware samples
- Provides new, high-level reports for managers
- Adds several other features critical to effective enterprise security and incident response.
In this blog post, we briefly describe and illustrate these significant new capabilities, which reinforce VMRay’s position as a market leader in automated malware analysis. Built on an agentless hypervisor-based approach, VMRay Analyzer delivers unparalleled detection efficacy with full visibility into malware behavior, evasion resistance and noise-free analysis results. The platform’s Now, Near, Deep architecture combines our dynamic analysis engine with the strengths of a built-in rapid reputation service and our own static analysis engine. The result: VMRay Analyzer empowers security teams to handle larger analysis volumes, speed up detection and improve the productivity and efficiency of security personnel and infrastructure.
macOS Malware Analysis
VMRay Analyzer now supports comprehensive analysis of macOS executables and app bundles, enabling security teams to better secure heterogeneous IT operating environments. Analysis results include the following capabilities.
Detailed function logs with full visibility into the behavior of macOS malware
Detection of sandbox evasion techniques and persistence mechanisms
Created, modified and embedded files
In-Depth URL Analysis
URLs embedded in emails or documents are a major infection vector. To fully understand the scope of a new threat or conduct a post-mortem forensic analysis, security teams must be able to quickly assess what is triggered when a user visits a suspicious website. In 3.0, we have bolstered our URL analysis engine in the following areas.
- Detection and analysis of browser exploits.
- Recursive analysis: If a website analysis leads to a direct file download, the file behind the URL is automatically analyzed.
- Full SSL visibility and URL redirection: VMRay Analyzer can track all URL redirections and determine the reputation information associated with each. In addition, we have added tree views to visualize these redirections for further context.
User Agent: Users can now choose from a list of predefined user agent strings or add their own customized string before analyzing a website.
The relationships that exist between malicious files and URLs provide security teams with a great deal of insight into malware attacks. Sample relations expose the relationship between a URL and the associated direct download, a dropper and the associated dropped file, an infostealer and the associated C2 server and so on. These relationships provide contextual information to digital forensic and incident response (DFIR) teams which is critical to responding to an attack as well as preventing one in the future.
VMRay Analyzer 3.0 automatically displays relationships between samples in relevant scenarios. The severity rating of a file or a URL is adjusted based on the nature of its relationship with another malicious sample. There are many sample relation categories, one of which is illustrated below.
In order to facilitate sharing analysis reports with team managers, we have introduced ‘Manager Reports’ which summarize analysis results into a crisp one-page PDF document. These reports can be downloaded from the user interface and shared across the team. Manager Reports include basic information about the file or URL, a severity score, analysis results in each target environment and a list of associated threat indicators.
Improved Network Traffic Parsing and Memory Dumping
We have also significantly improved network traffic parsing in VMRay Analyzer 3.0 using an open source network traffic analyzer. This helps us present a comprehensive record of every connection– including application-layer sessions such as all HTTP sessions with their requested URIs, key headers, MIME types, server responses and all files transmitted via HTTP. Analysis reports also include DNS queries and responses.
We have also significantly improved our memory dumps by selecting smarter triggers for this process. Smart memory dumping provides smaller, more relevant memory dumps that can help, for example, in the analysis of a packed malware executable that unpacks itself at run time.
Customized Data Retention Policies
- In our latest release, users and accounts can also define their own data retention policies on our Cloud service using a simple drop-down menu.
User Experience Improvements
- We have also introduced several user experience improvements. These include a redesigned menu layout, new interactive network options to investigate network analysis results and tree view graphs to visualize URL redirections in reports.
Additional New Features
- New REST APIs to enhance detection results with external file and URL reputation sources
- New REST APIs to monitor server and worker health for on-prem deployments
- Support for analysis on Windows 10 RS3 (1709)
- Support for detection of UEFI-based rootkits
- New VTI rules to detect advanced, evasive malware – this includes the detection of information stealing from over 100 applications
- Now, Near, Deep: The Power of Multi-Layered Malware Analysis & Detection
- Analyzing Location-Based Malware with Geo Anonymization
- Introducing the IDA Plugin for VMRay Analyzer