Expert Blog: Disruptive Innovation in Cybersecurity

Bitninja.io header Guest Blog

The Dynamic Malware Analysis System by BitNinja

George Egri
Author: George Egri

The COVID-19 outbreak has speeded up the growth of Internet traffic. The number of websites is rising rapidly, and there are more eCommerce businesses than ever.

Therefore the shared web hosting companies are doing a roaring trade. But unfortunately, these are not the only numbers that are growing.

Cyberattacks are also on the rise, and no business is safe nowadays. By now, cybercrime is one of the most frequently reported economic crimes in organizations, making cybersecurity a C-suite and board-level concern. Today we will talk about how to detect and remove obfuscated malware from shared web hosting servers.

What is Obfuscated Malware?

The obfuscation technique is for hiding the real purpose of a program. The hacker creates a code that is not readable by humans, but the functionality behind it remains the same. So when you run the program, it will behave like the encapsulated program it was designed for.

How to Analyze Different Types of Malware

There are two different types of analysis when we talk about malware: static and dynamic.

Static Analysis

The static analysis includes hash algorithms, string matching, code-based detection, and there is a new, patent-pending technique invented by George Egri (Co-founder and CEO of BitNinja), the source code structure analysis.

Signature type Example
MD5/SHA2/SHA3 5d41402abc4b2a76b9719d911017c592
String match eval(base64_decode(
Code-based if the first line starts with a lot of space and …
SA-MD5 Full structural match
SA-SNIPPET Partial structural match

 

This creates a special structure-based signature from the source code and then does the matching on the structure. This way, no matter how the source is altered, the structure will be the same. It is very similar to how plagiarism checker systems work.

Dynamic Analysis

But jump back to the types of analysis. Besides the static analysis, there is the dynamic analysis. When using the dynamic analysis, you run the source code partially or entirely and observe the program’s behavior.

Deobfuscation
bitninja image 1
You can see the eval obfuscation here

 

 

 

 

One of the behavior analysis methods is deobfuscation. If you find the obfuscation mechanism, you can deobfuscate the code. After that, you can decapsulate the real program and match the deobfuscated source code. But believe me, there are too many different obfuscation techniques. So it’s not that easy to deobfuscate the code, and there are other aspects that are hard to analyze without partially running the code.

Output

Another technique is from the output when you analyze the output of the program. Most of the time, when you run malware, you can find traces of malicious behavior from the output.

Function Calls

Bitinja image 2

 

 

 

Within the confines of the “Function Calls” analysis, you run the code, and you find which functions are used for malicious activities.

Variable Content

Bitninja image 3

The next one is variable content analysis. This program contains something “phishy”, as you can see in the picture. It’s always suspicious when a source code includes function names like explode and basic commands used to decode interesting variable names.

File Manipulation

Bitninja image 4

 

 

 

It can happen with real files or within a simulated environment to safely analyze file manipulations.

Multi-Path Execution

Bitninja image 5

Finally, you can do multi-path execution when you analyze what would happen if you forced the interpreter into a code branch. This way, you can find locked code parts, and this technique is also quite helpful in discovering malicious behaviors.

How to Use These Techniques

The Old School Way

Sandboxing is one way to use these techniques if you have a couple of special servers for that purpose.

Bitninja Image 5

These servers can spin up virtual servers, and you upload the PHP file to it, run the code and do the above-mentioned analyzing methods. The disadvantage of this technique is that it takes around 20 seconds to analyze one PHP file. Analyzing all of your PHP files would take a lot of time and eat up too many resources.

The New Way

BitNinja has built a PHP simulator. It’s a safe environment where you can partially run PHP files on the server and run all the analyses that we were talking about. With this feature, you can analyze old PHP files on the servers and can discover the most recent zero-day malware, even if they are obfuscated.

How to secure shared web hosting servers?

Bitninja Image 7

You need different solutions against DoS attacks, brute force, botnets, vulnerability scans, backdoors, and the list is almost never-ending. The best way to secure your servers is to set up a multi-layered defense system that stops the attacks on each layer.

That’s exactly what BitNinja provides. You can install it with a one-line code, and then you have a complex system of layers from real-time IP reputation through honeypots, DoS detection, WAF, log analysis, and of course, malware detection.

Bitninja Image 8

About BitNinja in a nutshell

George Egri, the co-founder, and CEO of BitNinja, has a web-hosting company. Some years ago, they had a lot of customer complaints because of hacked websites. They tried to combine the different tools on the market to secure their servers against the different kinds of cyberattacks, but after a while, it became unmanageable. So they decided to solve this problem by creating an internal all-in-one solution. This project was the ancestor of BitNinja. They realized that it could be beneficial not just for them but also for the shared hosting industry and the whole Internet. Therefore they started to establish their resources in BitNinja and make the Internet a safer place.

Inky Hosting CDN Marketplace