DeepSec2020 Talk: What’s Up Doc? – Self Learning Sandboxes to Defeat Modern Malwares Using RSA: Rapid Static Analysis – Shyam Sundar Ramaswami

Sanna / October 30, 2020 / Conference

“Catch me if you can!” is the right phrase to describe today’s malware genre. Malwares have become more stealthy and deadly, and authors have become wiser too.

What if sandboxes started performing rapid static analysis on malware files and passed on the metadata to spin up a sandbox environment based on malware attributes, so that the malware does not evade? Well, the talk deals with how to do RSA (Rapid Static Analysis, I coined it), pass on the attributes and how we defeat modern malwares by dynamically spinning up sandboxes. RSA embedded in “H.E.L.E.N” and “Dummy”, and how we extracted the real IOC from Ryuk, forms the rest of the talk and story! The talk also covers how these key “attributes” that are extracted are used for ML, how we build bipartite graphs, build instruction-based sequence detection models and Win32 API-based detection models “leveraging HELEN’s intelligence”.
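As an added illustration of the abstract's idea (this is example code written for this page, not HELEN, Dummy or any code from the talk), the following Python sketches a minimal "rapid static analysis" pass: it pulls printable strings out of a sample, maps well-known evasion markers (hypervisor service names, debugger and timing APIs) to environment attributes, and turns those attributes into a profile for the next sandbox run. The rule names, the profile keys and the embedded sample bytes are constructed for the example.

```python
# Added example, not code from the talk. Toy "Rapid Static Analysis":
# strings -> evasion attributes -> sandbox profile for the next run.
import json
import re
from typing import Dict, List

# Static markers and the environment check they reveal. Rule names are
# hypothetical; the marker strings are well-known tool/API names.
ATTRIBUTE_RULES: Dict[str, List[bytes]] = {
    "checks_vm_vendor": [b"vmtoolsd.exe", b"VBoxService.exe", b"vboxguest", b"vmware"],
    "checks_debugger": [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent"],
    "checks_security_tools": [b"wireshark.exe", b"procmon.exe", b"x64dbg.exe"],
    "checks_timing": [b"GetTickCount", b"QueryPerformanceCounter", b"Sleep"],
    "checks_hardware": [b"GetSystemInfo", b"GlobalMemoryStatusEx", b"GetDiskFreeSpaceExW"],
}

MIN_STRING_LEN = 5
_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Constructed stand-in for a sample: a fake header, a few import names and
# two hypervisor service names, with some non-printable bytes in between.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00IsDebuggerPresent\x00GetTickCount\x00Sleep\x00"
    + b"\x01\x02\x03" + b"VBoxService.exe\x00vmtoolsd.exe\x00"
    + b"Hello from a harmless demo\x00"
)


def extract_strings(data: bytes) -> List[bytes]:
    """Pull printable ASCII runs out of a blob, the way `strings` does."""
    return _STRING_RE.findall(data)


def extract_attributes(data: bytes) -> Dict[str, List[str]]:
    """Return {attribute: [matching marker strings]} for every rule that fires."""
    found: Dict[str, List[str]] = {}
    strings = extract_strings(data)
    for attr, markers in ATTRIBUTE_RULES.items():
        hits = sorted({m.decode() for s in strings for m in markers if m.lower() in s.lower()})
        if hits:
            found[attr] = hits
    return found


def build_sandbox_profile(attributes: Dict[str, List[str]]) -> Dict[str, object]:
    """Translate attributes into knobs for the next sandbox run (hypothetical schema)."""
    profile: Dict[str, object] = {
        "hide_hypervisor_artifacts": False,  # hide vendor services / driver names
        "patch_debugger_checks": False,      # make debugger-presence calls report "none"
        "hide_analysis_tools": False,        # rename or hide monitoring processes
        "accelerate_clock": False,           # fast-forward timers so long sleeps expire
        "realistic_hardware": False,         # report desktop-class cores, RAM and disk
        "run_timeout_seconds": 120,
    }
    if "checks_vm_vendor" in attributes:
        profile["hide_hypervisor_artifacts"] = True
    if "checks_debugger" in attributes:
        profile["patch_debugger_checks"] = True
    if "checks_security_tools" in attributes:
        profile["hide_analysis_tools"] = True
    if "checks_timing" in attributes:
        profile["accelerate_clock"] = True
        profile["run_timeout_seconds"] = 600  # stalling code: allow more wall-clock time
    if "checks_hardware" in attributes:
        profile["realistic_hardware"] = True
    return profile


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE)
    print(json.dumps({"attributes": attrs, "profile": build_sandbox_profile(attrs)}, indent=2))
```

The point of the design is that the "patient zero" run does not need to succeed: the static pass alone tells the orchestrator which artifacts to hide and how long to wait before the second machine is spun up.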

We asked Shyam a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • Dissecting the new-age behaviours of pandemic stealthy malwares that evade or fake behaviours when they detect sandboxes or virtual environments
  • Leveraging a good bit of machine learning and an attribute-gathering process to solve the malware evasion problem.
  • How do we build sandboxes that are intelligent, configuration aware, reacting to what a sample can do, and quickly spin up a machine of the desired configuration to defeat a malware evasion?
  • How can we use entropy-based detections, string and instruction similarities to capture malware behaviours with very minimal running? Also, how can we use entropy-level detections to spot complex malware data exfiltration?
  • Cracking some complex topics like the right attribute extraction when it comes to malware, evasive trojan behaviour spotting and memory forensics tricks to catch such trojans red-handed in a really simple manner.
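The fourth point above mentions entropy-based detection both for sample behaviour and for spotting data exfiltration. As an added example (written for this page, not code from the talk), the Python below applies Shannon entropy in both roles: a windowed scan over a file buffer flags packed or encrypted regions without executing anything, and a scan over DNS query logs flags hostnames whose label entropy looks like encoded data rather than a name. The byte buffer, the log lines, the window size and the thresholds are all constructed assumptions for the demonstration.

```python
# Added example, not code from the talk. Shannon entropy as a static
# detection signal (packed/encrypted regions) and as an exfiltration signal
# (high-entropy DNS labels). Sample data and thresholds are constructed.
import math
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed buffer: readable text, then a 256-byte block covering every byte
# value once (entropy 8.0, like encrypted data), then zero padding.
PLAIN = (b"This program cannot be run in DOS mode.\r\n" * 7)[:256]
BLOB = PLAIN + bytes(range(256)) + b"\x00" * 256

# Constructed DNS query log: two look-ups whose left-most label is 32 hex
# characters with every hex digit used exactly twice (entropy exactly 4.0).
DNS_LOG = [
    "2020-10-30T10:00:01Z 10.0.0.5 A www.example.com.",
    "2020-10-30T10:00:02Z 10.0.0.5 A mail.example.com.",
    "2020-10-30T10:00:03Z 10.0.0.5 TXT f3a91c7e0b5d28467d0e3a9c1f5b2684.example.org.",
    "2020-10-30T10:00:04Z 10.0.0.5 TXT b6e2d9f4a1c803752c5e8a0f3b7d1946.example.org.",
    "2020-10-30T10:00:05Z 10.0.0.5 A cdn-static-assets-01.example.net.",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per symbol: 0.0 when every byte is identical, 8.0 when all 256 values are uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 256, threshold: float = 7.0) -> List[Tuple[int, float]]:
    """Scan fixed-size windows; return (offset, entropy) for those at or above threshold.

    Regions this dense in information are typically packed, compressed or encrypted
    payloads, which is a static hint that the sample unpacks something at runtime.
    """
    hits: List[Tuple[int, float]] = []
    for offset in range(0, len(data) - window + 1, window):
        entropy = shannon_entropy(data[offset:offset + window])
        if entropy >= threshold:
            hits.append((offset, round(entropy, 2)))
    return hits


def _host_part(qname: str) -> str:
    """Everything left of the registered domain (assumed here to be the last two labels)."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2])


def label_entropy(qname: str) -> float:
    """Entropy of the host labels of a query name; encoded data scores higher than words."""
    return shannon_entropy(_host_part(qname).encode())


def suspicious_queries(log_lines: Iterable[str], threshold: float = 3.8, min_len: int = 20) -> List[str]:
    """Return query names whose host part is long and high-entropy (possible DNS exfiltration).

    The log layout (query name as the last whitespace-separated field) is an
    assumption about the constructed sample lines above.
    """
    flagged: List[str] = []
    for line in log_lines:
        qname = line.split()[-1]
        if len(_host_part(qname)) >= min_len and label_entropy(qname) >= threshold:
            flagged.append(qname)
    return flagged


if __name__ == "__main__":
    print("high-entropy windows:", high_entropy_windows(BLOB))
    print("suspicious DNS queries:", suspicious_queries(DNS_LOG))
```

The length floor matters as much as the threshold: short hostnames have too few symbols for entropy to be meaningful, and a long, readable CDN-style name such as the last log line still scores well below the hex-encoded labels.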

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

This was due to a super frustrating experience with some samples that never ran in sandbox environments. I observed that malware did a good sweep of my environment by checking what services I run, what AV I run, what tools I run, and then it stopped working. Why not build something that takes a patient-zero hit and passes on this information as attributes to another machine which could tweak its configuration on the fly and run the malware? I was also inspired by Cisco Talos’s GravityRAT blog where I read that they checked CPU temperature rates in a VM where it returned an error, hence stating that this was not a physical machine. What if we could either fake an API result or omit this step so the malware gets tricked?

Why do you think this is an important topic?

Tackling malware is a big exercise today. Innovating engines and building such engines that tackle advanced malware is the need of the hour. We need to have an alternative when the traditional methods fail. I felt a talk on this topic throws a lot of light on an alternate universe in malware analysis and analysis methodologies. At the end of the day unorthodox methods also give you some classic results, and we will discuss the same.

Is there something you want everybody to know – some good advice for our readers maybe?

A problem can be solved in numerous ways, and so can malwares. Out-of-the-box analysis is a good trick that yields brilliant results in malware analysis. Don’t get bogged down if you fail in malware research, because if your traditional methods fail, try to take it to the next level by performing different methods of forensics like memory hunting and so on. Malware is a sore thumb most of the time; it does stick out. You have to be patient to spot the weak link and you need to look in the right places. Well, the talk will tell you what those possible right places are.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

This pandemic phase has seen a variety of new-age tricks pulled off by malware authors. They are evading security products, and their exfiltration mechanisms are pretty inventive. There must be a definitive research path and heavy use of historic data in such cases. With historic data we can predict the family of malwares using bipartite graphs, hybrid/multiple malware behaviours, pixel-level deep learning inside images to check for steganography-level attacks, try to crack malware’s hybrid nature by monitoring operating-system-level calls, and do a deep dive into memory forensics. The downfall could be that malware authors will litter this evidence with junk values; they know tools can look in such places and put us off track! But we are the heroes that the cyber world needs right now. The hero is “Innovation”.


Shyam Sundar Ramaswami is a TEDx speaker, Black Hat speaker, GREM-certified malware analyst, Cisco Security black belt Ninja and teaches cyber security using “Batman” & “Avengers” characters. Shyam leads the Threat Research group for Umbrella Asia Pacific and is a threat researcher at Cisco.
Shyam has delivered talks at several conferences and universities like Black Hat (Las Vegas), Stanford University (Cyber Security Program), Qubit Forensics (Serbia), Nullcon 2020 (Goa), Cisco Live (Barcelona), IRespond (San Francisco), Defcon Packet Village (remote) and at several IEEE forums in India. Shyam also teaches cyber security (“Advanced malware attack and defences”) at Stanford’s Cyber Security program and runs a mentoring program called “being Robin” where he mentors students all over the globe on cyber security.
