U tweetove putem weba ili aplikacija drugih proizvođača možete dodati podatke o lokaciji, kao što su grad ili točna lokacija. Povijest lokacija tweetova uvijek možete izbrisati. Saznajte više
1\ Malware sandboxes are useful but extremely limited. Here's a malware call graph, and in red are the functions the malware actually *executed* when run in a sandbox -- a miniscule fraction of the malware's potential badness!pic.twitter.com/Ba5EK5EeIO
2\ The problem isn't that the malware did any sandbox evasion. It's simply that we didn't know the right program inputs (e.g. C2 interaction) to get the malware to exercise the untouched parts of the graph. Code coverage is a very hard, unsolved computer science problem.
3\ And this problem isn't going away. I think advances in reinforcement learning's ability to explore very large state spaces in games like Go (e.g. AlphaGo) provide some promise here. But be aware that any commercial or free malware sandbox you use today has this problem.
Have you looked at machoc hashing? It creates a hash of the cfg and later you can compare the hashes generated with a jackard distance for example.
Hey Christiaan, no, I should look it up! I have done other, very similar malware cfg diffs in the past...
This is why you stick an analyst in the loop who can RE far enough to give inputs to the sandbox. Then your auto-analysis becomes a 'save an analyst a bunch of time' tool vs full automatic. It's a framing problem. Still super valuable to have.
Agreed that the least bad solution to the code coverage problem is an analyst using a host of tools -- IDA, a sandbox, z3, etc. I wish that scaled better ;)
Better Symbolic execution would be the path to enlighement then :)
This is so on point. The volume of payloads that are designed to be reused and thus expect command line arguments are huge.
It’s true, especially since even unexecuted functions just mean that your anti-malware defenses caught THIS iteration of the threat - not the next iteration…
I can't say I look at malware sandboxes that statically. If you do mass analysis how far it gets isn't really the point. If it's samples you have interest in and you don't patch the sandboxes to keep up why not?
Thanks for the comment -- for mass analysis, my take is that you want coverage that will allow you to both detect malware and describe its purpose. Unfortunately sandboxes rarely achieve this.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.
