Cerberus: Malware Triage and Analysis

Authored on: Oct 29, 2012

This document reviews a malware analysis technology, Cerberus, which determines the behavior and intent of suspect binaries without the need for signatures, whitelists or a sandbox environment. Using this "triage" approach, organizations can detect unknown threats that signature-based technologies miss, and they gain critical information immediately, allowing them to take decisive action before engaging a malware team. There are tens of thousands of static executables on disk and typically 100 or more processes running on a given machine at any time; any one of them could contain malicious code.

To address these potential threats, organizations often rely on reverse engineers to perform the time-consuming work needed to determine the behavior and intent of suspect code. An alternative to reverse engineering each binary is to run it in a sandbox or apply some other form of dynamic analysis. However, some malware incorporates countermeasures that detect the sandbox or instrumentation and withhold its malicious behavior. Even when it does run, dynamic analysis only tells the analyst what an executable did under the conditions of that one run, not everything the executable is capable of doing.

Because a sandbox can exercise only a small fraction of the conditions a binary may meet in the field, there is a real need for automated analysis to fill the gap between what incident responders find and what needs to be fully examined. Automated analysis that does not rely on signatures, whitelists or sandbox execution can give incident responders actionable intelligence within minutes, as opposed to days or weeks.
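To make the signature-less static triage idea concrete, here is an added example (not Cerberus's own logic, which this page does not describe): it pulls printable strings out of a binary image, the way API names appear in a PE import name table, maps them to behavioral capabilities such as process injection or persistence, and scores the combination rather than matching any particular family. The capability lists, weights, thresholds and the two sample byte strings are constructed for illustration.

```python
"""
Signature-less static triage: extract printable strings from a binary image,
map them to behavioural capabilities, and score the combination.
Illustrative example; the indicator set and weights are assumptions, not a
vendor rule base.
"""
import re

# Indicators grouped by capability (assumed heuristic set). Matching is on
# exact printable-string tokens, which is how imported API names and embedded
# registry paths appear in a binary on disk.
CAPABILITIES = {
    "process_injection": {b"VirtualAllocEx", b"WriteProcessMemory",
                          b"CreateRemoteThread", b"NtMapViewOfSection"},
    "persistence": {b"RegSetValueExA", b"CreateServiceA",
                    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    "network": {b"InternetOpenA", b"InternetConnectA",
                b"HttpSendRequestA", b"WSAStartup"},
    "anti_analysis": {b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                      b"NtQueryInformationProcess"},
}

# Weight per capability present; the combination matters more than one hit.
WEIGHTS = {"process_injection": 3, "persistence": 2,
           "network": 1, "anti_analysis": 2}

# Capability pairs whose co-occurrence strongly suggests intent.
COMBO_BONUS = {
    frozenset({"process_injection", "network"}): 3,   # injector with C2
    frozenset({"persistence", "anti_analysis"}): 2,   # survives reboot, hides
}

# Runs of 4+ printable ASCII bytes, the usual "strings" definition.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> set:
    """Return the set of printable-ASCII tokens found in the image."""
    return set(STRING_RE.findall(data))


def triage(data: bytes) -> dict:
    """Map extracted strings to capabilities and return a scored verdict."""
    strings = extract_strings(data)
    hits = {}
    for cap, indicators in CAPABILITIES.items():
        found = sorted(s.decode() for s in indicators & strings)
        if found:
            hits[cap] = found
    score = sum(WEIGHTS[cap] for cap in hits)
    for combo, bonus in COMBO_BONUS.items():
        if combo.issubset(hits):
            score += bonus
    if score >= 7:
        verdict = "likely malicious"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "no notable capabilities"
    return {"capabilities": hits, "score": score, "verdict": verdict}


# Constructed samples mimicking the null-separated import name table and
# configuration strings of a dropped binary; not real malware.
SUSPECT = b"MZ\x90\x00" + b"\x00".join([
    b"KERNEL32.dll", b"VirtualAllocEx", b"WriteProcessMemory",
    b"CreateRemoteThread", b"IsDebuggerPresent",
    b"WININET.dll", b"InternetOpenA", b"InternetConnectA",
    b"HttpSendRequestA", b"ADVAPI32.dll", b"RegSetValueExA",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]) + b"\x00"

BENIGN = b"MZ\x90\x00" + b"\x00".join([
    b"KERNEL32.dll", b"GetStdHandle", b"WriteFile", b"ExitProcess",
    b"Hello, world!",
]) + b"\x00"


if __name__ == "__main__":
    for name, image in (("suspect", SUSPECT), ("benign", BENIGN)):
        result = triage(image)
        print(f"{name}: score={result['score']} verdict={result['verdict']}")
        for cap, found in result["capabilities"].items():
            print(f"  {cap}: {', '.join(found)}")
```

On a real file you would read the bytes from disk (or a dumped process image) and call `triage()` on them; the point of the example is that nothing in it identifies a malware family, only what the code can do, which is why it still fires on a binary no signature has seen.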