A SecondWrite blog series

Introduction

Malware reverse engineering is a time-consuming and difficult process. Most SOCs don't employ team members with the time and/or skill set required to focus on a single sample, and so they must rely on external tools or malware repositories to learn more about an attack payload. For malware that is already known, signature-based antivirus products will typically tell an analyst all they need to know about the sample in question. For especially widespread strains, one might even find a full blog article dedicated to the analysis of a single sample. When it comes to zero-day malware, or malware that has yet to be analyzed by dedicated reverse engineers, one's options are more limited.

As run-time analysis is generally much easier and faster than static code analysis, most organizations will expend effort and resources creating and maintaining a malware detonation sandbox. The purpose of the sandbox is to expose the behavior of the sample file and give the analyst some idea of the purpose and intent of the program. In theory, the maliciousness of the sample can be determined by analyzing both its run-time behavior and its proximity to known malware. Malware authors, however, learned long ago that in order to protect the time and money expended on developing their "product" they must take significant care to hide the malicious intentions of their programs, for example by withholding malicious behavior when they detect an analysis environment. Unfortunately, all malware sandboxes that exist today fail to expose all of the malicious behavior of a sample file in one way or another.

Malware DeepView

SecondWrite's next-generation dynamic malware detection product, Malware DeepView, employs a combination of automatic deep code inspection and machine learning. Customers submit files of a variety of types to DeepView and receive back a score specifying whether the file is malicious or benign, together with a detailed report on the actions taken by the input file. DeepView delivers a high detection rate of malware with low false positives. Its strength is detecting zero-day malware with high accuracy without the use of signatures. Customers for DeepView include vendors of network, host, and threat intelligence products. Incident response teams, hunt teams, SOCs, and MSSPs have also purchased DeepView.

DeepView is a completely signature-less sandbox built on the following unique technologies:

  1. Forced Code Execution (FCE) is based on patented technology developed at SecondWrite. It dynamically forces the execution of all code paths, including code that evades all other malware detection products.
  2. Program Level Indicators (PLI) are features extracted from a running process that relate to the code structure of the sample program. We also use FCE to extract PLI. Since FCE gives us more code coverage, we are able to extract PLI from evasive portions of the code as well.
  3. Automatic Sequence Detection (ASD) is a technology that uses deep machine learning to automatically identify program code patterns that are more frequently found in malicious programs than in benign programs and vice versa.

Our three unique technologies (FCE, PLI, and ASD) all feed our deep learning based machine learning model (neural networks and convolutional neural networks), which is used to classify samples and provide a maliciousness score.

In this blog series, we'll show how SecondWrite is able to find the hidden malicious behavior that others miss.

Aparna Kotha

Co-founder and Chief of Product Development

Aparna Kotha has over six years of experience as a startup manager and entrepreneur in the cyber-security and enterprise software space. She is a founding member of SecondWrite and has led its product development from the early days. She manages customer on-boarding and support at SecondWrite. She has also showcased the SecondWrite product at various technology conferences and trade shows. Aparna has over ten years of experience in binary rewriting, program analysis, compilers and algorithms. Prior to SecondWrite, she received a PhD from the University of Maryland (UMD), College Park in Spring 2013. She has authored over 14 papers and 4 patents.