Evaluating Open Source Malware Sandboxes with Linux Malware

Olowoyeye, Olaboyejo
Nisbet, Alastair
Item type
Degree name
Master of Information Security and Digital Forensics
Journal Title
Journal ISSN
Volume Title
Auckland University of Technology

Analysis of Linux binaries for indicators of compromise is an area of research gaining in interest due to the ubiquity of Internet connected embedded devices. These devices have also been the subject of high profile cybersecurity incidents as a result of the damage caused by their compromise. Malware analysis sandboxes are used to examine malware samples in an isolated environment. They provide a safe environment for the analysis of malware. Most of the discussion on malware analysis and associated tools have been devoted to the Windows operating system. This is because the Windows operating system is the dominant operating system in the desktop operating system space. This research examines the Linux operating system and evaluates the malware analysis sandboxes that are available for the examination of malware developed for the platform. These analysis sandboxes were tested against Linux malware binaries and the relative effectiveness of the sandboxes were observed.

Malware samples were sourced from online repositories and a honeypot setup. The malware samples obtained from the repositories were restricted to those first submitted to the portals within the last four years. The honeypot was deployed to attract malware samples in the wild that are possibly unknown to existing portals. Four malware samples were extracted from the honeypot which were added to the two hundred and ninety-three (293) selected from VirusTotal and VirusShare. The five sandboxes tested were REMnux, Limon, Cuckoo, Detux and HaboMalhunter. The malware samples were examined and analysed on these platforms. The static and dynamic analysis features of these tools were observed as well as their support for automation and reporting. The consistency of the results where applicable were also noted.

It was observed that despite the consistency of analysis noticed; collectively, the five sandboxes failed to detect indications of compromise in twenty-seven (27) of two hundred and ninety-seven (297) malware samples. HaboMalhunter was found to be the most effective during dynamic analysis in the detection of indications of compromise; however, its workflow required each analysis run to be done manually because it did not have in-built virtual machine orchestration like Limon, Detux and Cuckoo. During static analysis results, the results were observed to be similar with the exception of Limon which employed Yara rules to detect the packers used to mask the malware samples. Limon was also alone in its use of Context Triggered Piecewise Hashing (CTPH) to determine the similarity between malware samples by its maintenance of a master list of analysed samples. Cuckoo and HaboMalHunter generated output reports in HTML and JSON while Detux supported only JSON output. REMnux and Limon generated only plaintext output reports. The addition of virtual machine control to HaboMalhunter to restore virtual machine state before and after each analysis run was suggested as a recommended improvement to facilitate the automation of the analysis process. The need to develop more packing signatures for Yara rules was also mentioned for the automatic detection of packers.

ELF , Linux , Malware , Analysis , Binaries , Sandbox , Open source , Linux binaries , Cybersecurity
Publisher's version
Rights statement