Stop Lower Life Forms with Higher Learning (Blog 3 of 4)

By on Nov 20, 2014

We’ll be releasing four blog posts over the next week. Each blog will contain a repeated clue word to help you solve the puzzle below. Track all four clues to help solve the final puzzle and for a chance to win a Nikon D3200 DSLR camera and 18-55mm lens! To enter the contest, after the last blog, email us at with the right answer and the clue words.

Puzzle: This comic book superhero is a legend in print and movies

Blog 1 clue (11/13): Publishing company
Blog 2 clue (11/18): Movie
Blog 3 clue (11/20): His superhero power
Blog 4 clue (11/25): The superhero’s alias

As advanced malware attacks have become ever more stealthy and evasive, sandbox solutions have taken flight as our new best hope for preventing the next data breach. A sandbox conducts dynamic code analysis, running suspect files in an isolated virtual environment and monitoring their behavior. Anything that acts like malware—attempting to hide itself, modify the Windows registry, or download additional files from a known malicious source, for instance—is assumed to be malware and treated as such.

Malware writers, of course, have quickly adjusted their flight plans and developed new strategies to avoid detection in the sandbox. A file may simply outwait the observation period by entering a sleep cycle immediately on launch and delaying any revealing behavior for a predetermined interval. Some malware can now recognize an analysis environment by the absence (or presence) of certain resources, and will then display only a limited set of deceptively innocuous operations. Tactics like these allow many new attacks to successfully sandbag the sandbox.
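The behavior scoring and the two evasion tactics just described can be turned into a check on the sandbox's own trace. What follows is an added example and not code from this post or from any McAfee product: it runs over a constructed behavior trace (the line format, the API names, the virtual-clock timestamps and the thresholds are all assumptions for illustration) and flags a run that stalls through the observation window, or that spends its time asking about the environment before doing anything observable. It assumes the sandbox records the delay a sample asked for, and advances a virtual clock by it, rather than actually waiting.

```python
"""Evasion heuristics over a sandbox behaviour trace (added example).

Each trace line is '<virtual ms since launch> <api> [argument]'. The sandbox
is assumed to log the delay a sample requested and advance a virtual clock
by it instead of waiting, so a five-minute stall still shows up inside a
two-minute observation window."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Calls that only ask about the environment and change nothing.
ENV_QUERY_APIS = {"GetSystemInfo", "GlobalMemoryStatusEx", "GetDiskFreeSpaceEx",
                  "RegQueryValueEx", "GetTickCount", "GetCursorPos", "EnumProcesses"}
# Calls whose side effects a sandbox would actually score on.
SIDE_EFFECT_APIS = {"RegSetValueEx", "CreateFile", "WriteFile", "CreateProcess",
                    "InternetOpenUrl", "connect", "CreateRemoteThread"}
DELAY_APIS = {"Sleep", "NtDelayExecution"}

@dataclass
class Verdict:
    requested_delay_ms: int              # sleep requested before the first side effect
    probes: int                          # environment queries before the first side effect
    first_side_effect_ms: Optional[int]  # None if the sample never did anything visible
    flags: Tuple[str, ...]

def parse_trace(text: str) -> List[Tuple[int, str, str]]:
    """Split trace lines into (virtual ms, api, argument); argument may be empty."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, api, *rest = line.split(maxsplit=2)
        events.append((int(ts), api, rest[0] if rest else ""))
    return events

def analyze(events, window_ms: int = 120_000, probe_threshold: int = 3) -> Verdict:
    """Walk the trace up to the first observable side effect and score what the
    sample did before it. Thresholds are illustrative, not tuned values."""
    delay, probes, first_effect = 0, 0, None
    for ts, api, arg in events:
        if api in SIDE_EFFECT_APIS:
            first_effect = ts
            break
        if api in DELAY_APIS:
            delay += int(arg)
        elif api in ENV_QUERY_APIS:
            probes += 1
    flags = []
    if delay >= window_ms // 2:
        flags.append("sleep-stall")          # tries to outwait the observation period
    if probes >= probe_threshold:
        flags.append("env-probing")          # fingerprints the environment before acting
    if first_effect is None or first_effect > window_ms:
        flags.append("dormant-in-window")    # a real-time sandbox would have seen nothing
    return Verdict(delay, probes, first_effect, tuple(flags))

# Constructed traces, not real captures.
STALLING_TRACE = """\
0 NtDelayExecution 300000
300001 GetSystemInfo
300002 GlobalMemoryStatusEx
300003 GetDiskFreeSpaceEx C:\\
300004 GetTickCount
300010 RegSetValueEx HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
300015 CreateFile C:\\Users\\Public\\svc.exe
"""
BENIGN_TRACE = """\
0 GetSystemInfo
5 CreateFile C:\\Users\\alice\\Documents\\report.docx
20 WriteFile report.docx
"""

if __name__ == "__main__":
    for name, trace in (("stalling", STALLING_TRACE), ("benign", BENIGN_TRACE)):
        print(name, analyze(parse_trace(trace)))
```

The point of stopping at the first side effect is that everything before it is the sample's "decision" phase: a long requested delay there, or a string of environment queries with nothing changed, is what distinguishes a stalling or fingerprinting sample from a program that simply starts working.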

This is why a dynamic sandbox always needs static backup. Static analysis—and I want to be very clear that we’re talking here about true static code analysis—provides a window into the nature of latent, non-executing code to which dynamic analysis is entirely blind. True static analysis identifies structural similarities between latent code and known malware samples, quantifies the percentage of code that executes during a sandbox evaluation, and maps out all the logical paths a code sample would exhibit if it were observed in full flight.

First, of course, the inspection engine must have access to the file’s code, something the author typically takes pains to prevent. Often the code has been obfuscated with a packing program such as Themida or Armadillo. Legitimate developers use such packers to keep pirates from reverse engineering their products, and they’ve been widely adopted by malware writers to hide their attacks from sandboxes and security analysts.

Unpacking an obfuscated file can be very labor intensive, but the static inspection engine developed for McAfee Advanced Threat Defense includes powerful unpacking capabilities that provide access to the original execution code in just seconds. It works so well that many malware research organizations buy and use the product for that feature alone.
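Before any unpacking effort is spent, a practitioner usually wants a cheap static tell that a file is packed at all. The following is an added example, not McAfee Advanced Threat Defense code: it computes Shannon entropy per section and checks the size of the import table, two indicators commonly used to spot packed executables. The section contents and import lists are constructed in memory; the PE parsing that would supply them from a real file is assumed and not shown.

```python
"""Packing pre-check on constructed section data (added example).

Two cheap static tells: an executable section whose bytes look almost
uniformly random (compressed or encrypted code), and an import table cut
down to the few entries a packer stub needs to rebuild the real one."""
import math
import random
from collections import Counter
from typing import List, Tuple

Section = Tuple[str, bool, bytes]   # (name, is_executable, raw bytes)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(sections: List[Section], imports: List[str],
           entropy_threshold: float = 7.0, min_imports: int = 6):
    """Return (looks_packed, reasons). Both indicators must agree, because
    compressed resources alone raise entropy in perfectly legitimate binaries."""
    reasons = []
    high_entropy_code = False
    for name, executable, data in sections:
        h = shannon_entropy(data)
        if executable and h >= entropy_threshold:
            high_entropy_code = True
            reasons.append(f"{name}: executable section entropy {h:.2f}")
    few_imports = len(imports) < min_imports
    if few_imports:
        reasons.append(f"import table has only {len(imports)} entries")
    return high_entropy_code and few_imports, reasons

# --- constructed samples (not taken from any real file) -------------------
# A repetitive prologue/epilogue byte pattern standing in for ordinary code.
PLAIN_CODE = bytes.fromhex("558bec83ec105356578b7d0833db5f5e5bc9c3") * 200
PLAIN_SECTIONS = [(".text", True, PLAIN_CODE), (".data", False, b"\x00" * 1024)]
PLAIN_IMPORTS = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                 "GetLastError", "HeapAlloc", "HeapFree", "ExitProcess"]

# Seeded pseudo-random bytes standing in for a compressed/encrypted code section.
_rng = random.Random(2014)
PACKED_CODE = bytes(_rng.getrandbits(8) for _ in range(4096))
PACKED_SECTIONS = [(".text", True, PACKED_CODE), (".rsrc", False, b"\x00" * 1024)]
PACKED_IMPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]

if __name__ == "__main__":
    print("plain :", assess(PLAIN_SECTIONS, PLAIN_IMPORTS))
    print("packed:", assess(PACKED_SECTIONS, PACKED_IMPORTS))
```

The thresholds (7.0 bits per byte, six imports) are illustrative. Requiring both signals is the important design choice: a high-entropy section on its own is common in legitimate software that ships compressed resources or embedded certificates, while a three-entry import table next to a near-random code section is hard to explain any other way.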

The recovered code is then parsed and subjected to several types of analysis. Statistical analysis measures how much of the code stayed latent and never ran in the sandbox, while structural analysis compares the recovered code with known malware families to find similarities. Lastly, a complete logical map of the file’s potential execution paths provides a perfect companion for in-depth malware research efforts. When combined with the sandbox observations, these findings provide an extremely reliable judgment of the file’s true nature.
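The three static analyses named in the last two paragraphs (coverage of latent code, structural similarity to known samples, and a map of execution paths) can all be shown on a toy listing. The following is an added example and not McAfee's engine: it parses a constructed disassembly, splits it into basic blocks, builds the control-flow graph, enumerates the paths, computes what fraction of instructions a (constructed) sandbox run covered, and scores similarity to a second constructed sample by comparing mnemonic n-grams. The listing format, both samples and the set of executed addresses are assumptions for illustration; a real tool would take them from a disassembler and the sandbox's coverage log.

```python
"""Toy static analysis on a constructed disassembly (added example): basic blocks,
control-flow graph, execution paths, sandbox coverage and n-gram similarity."""
from typing import Dict, List, Set, Tuple

Instr = Tuple[int, str, str]   # (address, mnemonic, operands)
CONDITIONAL = {"jz", "jnz", "je", "jne", "jb", "ja", "jl", "jg"}
BRANCHES = CONDITIONAL | {"jmp", "ret"}

def parse_listing(text: str) -> List[Instr]:
    """Parse '<hex address> <mnemonic> [operands]' lines."""
    out = []
    for line in text.splitlines():
        if line.strip():
            addr, mnem, *rest = line.split(maxsplit=2)
            out.append((int(addr, 16), mnem, rest[0] if rest else ""))
    return out

def build_cfg(instrs: List[Instr]) -> Dict[int, List[int]]:
    """Map each basic-block leader address to its successor leaders."""
    addrs = [a for a, _, _ in instrs]
    nxt = {a: addrs[i + 1] for i, a in enumerate(addrs[:-1])}
    leaders = {addrs[0]}
    for a, m, ops in instrs:
        if m in BRANCHES and m != "ret":
            leaders.add(int(ops, 16))           # a branch target starts a block
        if m in BRANCHES and a in nxt:
            leaders.add(nxt[a])                 # so does the instruction after a branch
    cfg: Dict[int, List[int]] = {}
    current = addrs[0]
    for a, m, ops in instrs:
        if a in leaders:
            current = a
            cfg.setdefault(current, [])
        if m == "ret":
            cfg[current] = []
        elif m == "jmp":
            cfg[current] = [int(ops, 16)]
        elif m in CONDITIONAL:
            cfg[current] = [int(ops, 16)] + ([nxt[a]] if a in nxt else [])
        elif a in nxt and nxt[a] in leaders:    # straight-line fall into the next block
            cfg[current] = [nxt[a]]
    return cfg

def enumerate_paths(cfg: Dict[int, List[int]], entry: int) -> List[List[int]]:
    """Leader sequences from entry to a block with no successors; a back-edge
    closes the path instead of recursing forever."""
    paths: List[List[int]] = []
    def walk(node, path):
        path = path + [node]
        if node in path[:-1] or not cfg.get(node):
            paths.append(path)
        else:
            for succ in cfg[node]:
                walk(succ, path)
    walk(entry, [])
    return paths

def coverage(instrs: List[Instr], executed: Set[int]) -> Tuple[float, float]:
    """(% of instructions the sandbox ran, % that stayed latent)."""
    ran = 100.0 * sum(1 for a, _, _ in instrs if a in executed) / len(instrs)
    return ran, 100.0 - ran

def structural_similarity(a: List[Instr], b: List[Instr], n: int = 3) -> float:
    """Jaccard index over mnemonic n-grams: renamed registers and shifted offsets
    do not disturb it; inserted or reordered instructions do."""
    def grams(instrs):
        mn = [m for _, m, _ in instrs]
        return {tuple(mn[i:i + n]) for i in range(len(mn) - n + 1)}
    ga, gb = grams(a), grams(b)
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0

# Constructed listings. SUSPECT branches on its argument: one side only shows a
# message box, the other writes a file. KNOWN is an earlier variant with other
# registers and offsets and one extra instruction.
SUSPECT = """\
0x00 mov eax, [esp+4]
0x04 test eax, eax
0x06 jz 0x16
0x08 push 0x40
0x0a call CreateFile
0x0f call WriteFile
0x14 jmp 0x1e
0x16 push 0x60
0x18 call MessageBox
0x1e ret
"""
KNOWN = """\
0x00 mov ecx, [esp+8]
0x04 test ecx, ecx
0x06 jz 0x16
0x08 push 0x44
0x0a call CreateFile
0x0f call WriteFile
0x14 jmp 0x1e
0x16 push 0x64
0x18 call MessageBox
0x1e xor eax, eax
0x20 ret
"""
# Constructed sandbox coverage: the run only ever took the message-box side.
OBSERVED = {0x00, 0x04, 0x06, 0x16, 0x18, 0x1e}

if __name__ == "__main__":
    s, k = parse_listing(SUSPECT), parse_listing(KNOWN)
    print("paths:", [[hex(b) for b in p] for p in enumerate_paths(build_cfg(s), 0x00)])
    print("executed %.1f%%, latent %.1f%%" % coverage(s, OBSERVED))
    print("similarity to KNOWN: %.2f" % structural_similarity(s, k))
```

Run on the constructed data, the graph has two paths from the entry block, the sandbox run covered only one of them (60% of instructions, 40% latent), and the file-writing path that never executed is exactly the code the structural comparison ties to the known variant. That is the combination the text describes: the sandbox verdict alone would rest on the message-box behavior, while the static view shows what the unexecuted path would have done.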

For another view of static code analysis and how it helps dynamic inspection take flight, watch our animated introduction here.


About the Author


McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. Take a look at our latest blogs.

Categories: McAfee Enterprise