Q&A on Using a Real Time Sandbox to Thwart Packed Malware

By Ladi Adefala | December 07, 2016

There have been numerous cases recently where advanced malware has been linked to significant data breaches. Malware authors employ a variety of techniques to hide their malicious intent, including the use of packing utilities to create “packed malware.” Ladi Adefala, Senior Security Strategist at Fortinet, explains how a real time sandbox can change the game with regard to defending against these sophisticated attacks.

What is Packed Malware?

Packed malware is one of the most common types of advanced malware, carefully designed to evade the protections that most organizations rely on to detect malicious files. Packing is a process that takes a file, for example a Microsoft Windows Portable Executable (PE) file, compresses and encrypts the file, and outputs a new PE file with a new PE file header and sections. This new PE file header will show a limited number of the characteristics of the original file properties. In the case of a malicious file, that helps to conceal meaningful indicators of suspicious

How do you detect packed files?

There are a few ways to detect packed files. One is the raw data size (size on disk) versus the virtual size (size in memory) of the .text section. If this section’s size in memory is noticeably larger than its size on disk, that indicates it’s a packed/compressed executable. A few bytes off is normal because of alignment between memory and disk, but if the virtual size is considerably larger than the raw data size on disk, the file is packed. Import functions (also called function APIs) are also significant because they serve as a kind of roadmap that informs our analysis of where the program is going and what it’s designed to do. The absence of a long list of functions is a fairly good indicator that the file is packed.

Now, not all packed executables are malicious. There are legitimate reasons for packing, such as protecting against software piracy and theft, but once you find a packed file, you need to investigate that file.
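As an added illustration of the section-size heuristic described above (example code, not from the original article or Fortinet's engine), this script parses a PE section table and flags sections whose virtual size is far larger than their raw size. It generalizes beyond .text to every section, since packers such as UPX rename sections, and runs against constructed minimal PE headers; the threshold constants and the section layouts are assumptions.

```python
import struct

# A packed section's in-memory (virtual) size greatly exceeds its on-disk (raw)
# size; alignment alone only adds slack of up to one section-alignment unit.
RATIO_THRESHOLD = 2.0       # assumed: virtual must be >2x raw to be flagged
SECTION_ALIGNMENT = 0x1000  # assumed default page alignment

def section_sizes(pe):
    """Parse the PE section table; return [(name, virtual_size, raw_size)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow optional header
    out = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, raw = struct.unpack_from("<III", pe, off + 8)
        out.append((name, vsize, raw))
    return out

def packed_sections(pe):
    """Names of sections sized as if code is unpacked into them at run time."""
    return [name for name, vsize, raw in section_sizes(pe)
            if vsize - raw > SECTION_ALIGNMENT and vsize > raw * RATIO_THRESHOLD]

def build_sample_pe(sections):
    """Constructed minimal PE (no optional header) for offline testing only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), v, va, r,
                                 0, 0, 0, 0, 0, 0x60000020)
                     for n, v, va, r in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed layouts: (name, VirtualSize, VirtualAddress, SizeOfRawData)
NORMAL = build_sample_pe([(".text", 0x1234, 0x1000, 0x1400),
                          (".data", 0x800, 0x3000, 0xA00)])
PACKED = build_sample_pe([("UPX0", 0x20000, 0x1000, 0),  # filled at run time
                          ("UPX1", 0xA000, 0x21000, 0x9A00),
                          (".rsrc", 0x1000, 0x2B000, 0x1000)])

if __name__ == "__main__":
    for label, pe in (("normal", NORMAL), ("packed", PACKED)):
        print(label, section_sizes(pe), "flagged:", packed_sections(pe))
```

The same parser works on a real PE read from disk; a section flagged here is a reason to investigate, not proof of malice, as the answer above notes.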

Once you’ve detected a packed file, how do you unpack and analyze it for malware?

When done manually, there is an art and a science to analyzing suspicious files for malicious intent. Even for seasoned analysts, unpacking and analyzing packed malware files is typically a very tedious and time-consuming process that could last a few hours to days, depending on the complexity and sophistication of the packed malware. Clearly, this isn’t fast enough for some threats.

How does Fortinet automate malware detection and analysis?

For inspection of packed files, automation is key. The Fortinet malware detection engine performs content inspection and filtering by extracting files, email messages, web pages, and other files from data traffic. It also reassembles fragmented files and decompresses compressed content. Fortinet’s Real Time Sandbox (RTS) works in collaboration with other elements of the engine, such as the Content Pattern Recognition Language and preprocessor components, during the scanning process to determine if a file is malicious or not. Either of these two functional components of the engine can activate the RTS to analyze a suspicious file.

Why is a Real Time Sandbox the key to handling malicious packed files?

Fortinet’s Real Time Sandbox (RTS) is a powerful emulation engine that quickly runs through the instruction set of the unpacked code and interprets the intended behavior. 

Specifically, it emulates Windows environment user and kernel APIs (over 11,000 APIs to date) and extrapolates behaviors – looking for those generally associated with the execution of malware, as identified by powerful machine learning and other techniques developed over the years by FortiGuard Labs. It essentially automates the actions that an analyst would have to perform by hand to unpack and review a packed specimen.

Besides automation, what are the advantages of Fortinet’s RTS?

The RTS has two huge benefits. First, it can complete the unpacking process with significant speed. Second, the unpacking, analysis, and detection occur in real time, as opposed to waiting until suspicious malware has been active within your organization’s systems for days or even weeks, which means it’s capable of stopping malware before it actually does the damage. The RTS does what our security analyst would have done manually, but it does it faster and in real time. Remember how time-consuming the manual effort was for our security analyst (hours to days)? Well, the RTS can unpack a suspicious packed file in seconds, even for very complex malicious files. And that can make all the difference.