virusbattle-sdk / Malware Intelligence

VirusBattle's analysis method combines deep knowledge of operating system internals with programming-language theory for formal program analysis. This lets it see through most known obfuscations, analyze even complex malware, and extract detailed information about the inner structure and behaviour of a sample. Adding data mining on top turns this into a tool for extracting intelligence from large malware repositories at a scale that was previously impractical.

Connections between seemingly disparate malware families:

VirusBattle can be used to find connections among malware families that were not previously suspected. Further queries to the system reveal the nature of the connection and show the evidence: the semantically equivalent procedures that led the system to conclude that the families are connected.

The image below shows VirusBattle identifying a connection between Gamarue worms and Leechole trojans. VirusBattle found that certain variants of the two families share the same packer, and it identified the set of procedures common to both families: these procedures form the packer's unpacking stub, so the link is at the packer level rather than in the payload. Having the stub isolated is of immense help to reverse engineers who want to unpack the malware manually for deeper analysis.

[Image: cluster-middle-row-right-column-2.png]

The two images below show two procedures found in several variants of the DarkComet and Optima families. Variants of both families use different packers to hide these procedures from static analysis; VirusBattle's unpacker recovered them at runtime using VM introspection, after which the procedures could be matched across the two families.

[Image: DarkCometOptima2.jpg]
[Image: DarkCometOptima1.jpeg]
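The two cases above (Gamarue/Leechole linked through a shared unpacking stub, DarkComet/Optima linked through procedures recovered after unpacking) both rest on the same idea: once procedures have been reduced to signatures that survive packing, families that share a signature are connected, and the shared procedures are the evidence. The following is an added illustration of that reasoning, not VirusBattle's code or part of the SDK. The sample set, family labels and procedure identifiers (`P001`, `P002`, ...) are constructed; the identifiers stand in for whatever semantic procedure signature the real system produces. It also applies the caveat from the Gamarue/Leechole case: a procedure that turns up in many unrelated families is more likely a packer stub or library routine than evidence of a shared payload, so the evidence for each link is split into family-specific and widely shared procedures.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample set (not real data): sample id -> (family label,
# set of procedure identifiers recovered from the unpacked image).
# Procedure ids are hypothetical placeholders for semantic signatures.
SAMPLES = {
    "gamarue_a":  ("Gamarue",   {"P001", "P002", "P010", "P011"}),
    "gamarue_b":  ("Gamarue",   {"P001", "P002", "P012"}),
    "leechole_a": ("Leechole",  {"P001", "P002", "P020"}),
    "leechole_b": ("Leechole",  {"P021", "P022"}),
    "darkcomet_a": ("DarkComet", {"P030", "P031", "P001"}),
    "optima_a":   ("Optima",    {"P030", "P031", "P040"}),
}


def procedures_by_family(samples):
    """Union of procedure ids seen in any variant of each family."""
    fam = defaultdict(set)
    for family, procs in samples.values():
        fam[family] |= procs
    return fam


def family_links(samples, min_shared=1):
    """Family pairs that share at least min_shared procedures.

    Returns {(family_a, family_b): sorted list of shared procedure ids};
    the shared ids are the evidence for the link.
    """
    fam = procedures_by_family(samples)
    links = {}
    for a, b in combinations(sorted(fam), 2):
        shared = fam[a] & fam[b]
        if len(shared) >= min_shared:
            links[(a, b)] = sorted(shared)
    return links


def procedure_prevalence(samples):
    """Number of distinct families in which each procedure id appears."""
    count = defaultdict(int)
    for procs in procedures_by_family(samples).values():
        for proc in procs:
            count[proc] += 1
    return dict(count)


def classify_evidence(samples, max_families_specific=2):
    """Split each link's evidence by how widely the shared procedures occur.

    Procedures seen in more than max_families_specific families are flagged
    as 'widespread': plausible packer stubs or library code, which connect
    families through tooling rather than through a common payload.
    """
    prevalence = procedure_prevalence(samples)
    result = {}
    for pair, shared in family_links(samples).items():
        result[pair] = {
            "specific": [p for p in shared if prevalence[p] <= max_families_specific],
            "widespread": [p for p in shared if prevalence[p] > max_families_specific],
        }
    return result


if __name__ == "__main__":
    for (a, b), evidence in classify_evidence(SAMPLES).items():
        print(f"{a} <-> {b}: specific={evidence['specific']} "
              f"widespread={evidence['widespread']}")
```

With the constructed data, Gamarue and Leechole are linked by `P001` and `P002`, but `P001` also appears in DarkComet and is flagged as widespread, leaving `P002` as the family-specific evidence; DarkComet and Optima are linked by `P030` and `P031`, both specific to that pair. Against real output the thresholds (`min_shared`, `max_families_specific`) would be tuned to the size of the repository, and the procedure sets would come from the analysis backend rather than from a literal.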
