Dynamic Analysis
Definition
Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.
Synonyms: Malware Detonation, and Malware Sandbox.
How it works
Analyzing the interaction of a piece of code with a system while the code is being executed in a controlled environment such as a sandbox, virtual machine, or simulator. This exposes the natural behavior of the piece of code without requiring the code to be disassembled.
Considerations
- Malware often detects a fake environment, then changes its behavior accordingly. For example, it could detect that the system clock is being sped up in an effort to get it to execute commands that it would normally only execute at a later time, or that the hardware manufacturer of the machine is a virtualization provider.
- Malware can attempt to determine if it is being debugged, and change its behavior accordingly.
- For maximum fidelity, the sandbox environment should resemble the real target environment as closely as possible, because the malware may behave differently in different environments.
- Sometimes the malware behavior is triggered only under certain conditions (on a specific system date, after a certain time, or after it is sent a specific command) and can't be detected through a short execution in a virtual environment.
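The evasion techniques listed above leave traces in the API log a sandbox records. The following is an added example (not D3FEND's or Cuckoo's own code) that scans a constructed, Cuckoo-style call trace for hypervisor fingerprinting, anti-debugging checks, a timing read bracketing a Sleep (the sped-up-clock probe), and sleeps long enough to outlast the run; the API names, the 5-minute threshold and the sample trace are assumptions for illustration.

```python
"""Flag sandbox-evasion indicators in a dynamic-analysis API trace (added example)."""
from collections import defaultdict

# Substrings that reveal a hypervisor when they appear in registry/WMI query arguments
VM_STRINGS = ("vmware", "virtualbox", "vbox", "qemu", "xen", "hyper-v", "manufacturer")
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess"}
TIMING_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter", "rdtsc"}
LONG_SLEEP_MS = 300_000  # assumption: 5 minutes exceeds a typical short sandbox run

# Constructed trace: each entry is one monitored API call, in execution order
SAMPLE_TRACE = [
    {"api": "RegQueryValueExW",
     "args": [r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"]},
    {"api": "IsDebuggerPresent", "args": []},
    {"api": "GetTickCount", "args": []},
    {"api": "Sleep", "args": [600_000]},
    {"api": "GetTickCount", "args": []},
    {"api": "CreateFileW", "args": [r"C:\Users\user\report.docx"]},
]


def analyze_trace(events):
    """Return {indicator: [event indices]} for: VM fingerprinting, anti-debug
    checks, a timing read on each side of a Sleep (sped-up-clock probe), and a
    total sleep long enough to outlast the run (time-triggered behaviour)."""
    hits = defaultdict(list)
    total_sleep_ms = 0
    for i, ev in enumerate(events):
        api = ev["api"]
        args = " ".join(str(a) for a in ev["args"]).lower()
        if any(s in args for s in VM_STRINGS):
            hits["vm_fingerprint"].append(i)
        if api in ANTI_DEBUG_APIS:
            hits["anti_debug"].append(i)
        if api == "Sleep":
            total_sleep_ms += int(ev["args"][0])
            if (0 < i < len(events) - 1
                    and events[i - 1]["api"] in TIMING_APIS
                    and events[i + 1]["api"] in TIMING_APIS):
                hits["clock_check"].append(i)
    if total_sleep_ms >= LONG_SLEEP_MS:
        # Recorded as the total so the operator knows how far to extend the run
        hits["delayed_trigger"].append(total_sleep_ms)
    return dict(hits)


if __name__ == "__main__":
    for name, where in analyze_trace(SAMPLE_TRACE).items():
        print(f"{name}: {where}")
```

A hit on any indicator is a cue to re-detonate with a longer run time, an un-accelerated clock, or a host whose hardware and BIOS strings do not name a virtualization provider, rather than to trust the first report.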
Implementations
- Cuckoo Sandbox
References
The following references were used to develop the Dynamic Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Malware analysis system
MITRE Comments
This patent describes a VM sandbox environment that uses heuristic-based analysis techniques, performed in real time during a file transfer, to determine whether the file is malicious. A new signature can then be generated and distributed to automatically block future file transfer requests to download the malicious file.
Use of an application controller to monitor and control software file and application environments
MITRE Comments
This patent describes received files being opened in an environment such as a virtual machine or quarantined environment in order to associate file reputation information with them, which determines whether a file is a threat.