URLs are a ubiquitous infection vector. Embedded in emails, documents, and webpages, they are encountered early and often in the infection cycle. In addition to hosting exploits and delivering malicious files, they also play a major role in concealing threats and attacks by misdirecting analysis tools and security professionals.
To fully understand the scope of a new threat or conduct a post-mortem forensic analysis, security teams must be able to quickly and thoroughly assess what is triggered when a user clicks on a suspect URL or visits a malicious website. With the March release of VMRay Analyzer 3.0, we introduced a new Web Analysis engine that provides more comprehensive and in-depth analysis of URLs in the key areas described below.
The enhancements in VMRay Analyzer 3.0 improve detection of the three broad mechanisms by which URLs compromise a system:
- Malicious websites that entice users to click on one or more bad URLs
- Drive-by infections caused when a URL entered in the user’s browser automatically downloads a file that infects the system (directly or indirectly)
- URLs that serve HTML content which exploits known browser vulnerabilities without any further user interaction
Recursive Analysis
VMRay’s new URL analysis engine greatly improves recursive analysis: automatically tracking and analyzing suspect URLs, plus any suspicious files they download, to a pre-defined depth of recursion.
Importantly, VMRay automates decisions that previously required manual input from users, who often lack the context to make the right choice. For example, early in the analysis process a user might be asked whether a suspect URL should be analyzed as a malicious website or as a direct file download, two very different processes. The wrong answer could result in a threat being overlooked.
Now VMRay makes that decision automatically based on the context. In the case of a direct download, the dropped file is automatically submitted to the VMRay sandbox, which follows the path of infection (or misdirection) to its final point and records the indicators of compromise found along the way. In the case of a malicious website containing one or more malicious links, clicking a suspect link initiates recursive analysis of its target.
Full SSL Visibility and URL Redirection
As part of a larger scheme to thwart analysis and detection, many threats redirect multiple times through different URLs. The goal is to make analysis tools “lose the trail” so they never reach the final endpoint, often a blacklisted URL or executable that a reputation engine would otherwise identify immediately.
With full SSL visibility, VMRay Analyzer can track every URL redirection, including those that occur inside HTTPS sessions, and look up the reputation of each hop rather than only of the submitted URL. Newly added tree views visualize these redirection chains to provide further context.
The analysis shown above in Figure 1 indicates that clicking on the original URL initiates multiple successive redirections, leading to a blacklisted login page whose URL and page display are shown at the bottom of the screen.
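The redirect-chain tracking and depth-bounded recursion described above, written out as an added Python example. This is not VMRay's code: the in-memory fake web, the hostnames, the reputation list and the file-scoring stub are constructed stand-ins. Every hop of a chain is checked against the reputation list, the response decides whether a URL is treated as a page (extract links, recurse) or a direct download (score the file), loops are stopped with a visited set, and a parent URL picks up the worst verdict of anything reached beneath it, which is the severity adjustment the Sample Relations section later in this post describes.

```python
"""Added example, not VMRay's own code: a depth-bounded recursive URL analyzer
that follows each redirect chain hop by hop, checks every hop against a
reputation list, and decides from the response whether it is an HTML page
(extract links and recurse) or a direct download (score the file). The web is
replaced by a constructed in-memory table; all hostnames are hypothetical."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed fake web: url -> (status, headers, body). No real sites involved.
FAKE_WEB = {
    "http://lure.example/offer": (302, {"Location": "https://hop1.example/r"}, b""),
    "https://hop1.example/r": (302, {"Location": "https://hop2.example/landing"}, b""),
    "https://hop2.example/landing": (200, {"Content-Type": "text/html; charset=utf-8"},
        b'<html><a href="https://phish.example/login">Sign in</a>'
        b'<a href="https://cdn.example/invoice.exe">Invoice</a>'
        b'<a href="http://lure.example/offer">Back</a></html>'),
    "https://phish.example/login": (200, {"Content-Type": "text/html"},
        b"<html><form action='/post'><input name='pw'></form></html>"),
    "https://cdn.example/invoice.exe": (200, {"Content-Type": "application/octet-stream"},
        b"MZ\x90\x00\x03\x00"),
    "https://loop.example/a": (302, {"Location": "/a"}, b""),   # never-ending chain
}
BLACKLIST = {"phish.example"}          # stand-in for a reputation feed
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Node:
    url: str
    kind: str                                   # "page", "download" or "error"
    hops: list = field(default_factory=list)    # redirect chain, final URL last
    severity: int = 0                           # 0..100
    children: list = field(default_factory=list)


def fetch(url):
    return FAKE_WEB.get(url, (404, {}, b""))


def is_blacklisted(url):
    return urlparse(url).hostname in BLACKLIST


def follow_redirects(url, max_hops=10):
    """Return (hops, status, headers, body); status is None if the chain never ends."""
    hops = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(hops[-1])
        if status in REDIRECT_CODES and "Location" in headers:
            # Location may be relative, so resolve it against the current hop.
            hops.append(urljoin(hops[-1], headers["Location"]))
        else:
            return hops, status, headers, body
    return hops, None, {}, b""


class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def score_download(body):
    """Stand-in for handing the file to the sandbox; a PE header is treated as bad here."""
    return 100 if body.startswith(b"MZ") else 10


def analyze(url, depth=2, seen=None):
    """Recurse to `depth` link levels; `seen` stops loops and repeated work."""
    seen = set() if seen is None else seen
    seen.add(url)
    hops, status, headers, body = follow_redirects(url)
    node = Node(url=url, kind="error", hops=hops)
    if any(is_blacklisted(h) for h in hops):   # every hop is checked, not just the first
        node.severity = 100
    if status != 200:
        return node
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        node.kind = "page"
        if depth > 0:
            parser = LinkExtractor()
            parser.feed(body.decode("utf-8", errors="replace"))
            for link in parser.links:
                target = urljoin(hops[-1], link)
                if target not in seen:
                    node.children.append(analyze(target, depth - 1, seen))
    else:
        node.kind = "download"
        node.severity = max(node.severity, score_download(body))
    for child in node.children:                # parent inherits the worst verdict below it
        node.severity = max(node.severity, child.severity)
    return node


if __name__ == "__main__":
    root = analyze("http://lure.example/offer")
    print(root.kind, root.severity, " -> ".join(root.hops), [c.url for c in root.children])
```

Run as a script it prints the verdict for the constructed lure: three hops to a landing page whose two outbound links (a blacklisted login page and a PE download) both score 100, so the lure itself is reported at 100 even though none of its own hops is on the list. The loop URL shows the other failure mode: after `max_hops` the chain is reported as an error rather than followed forever.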
Network Traffic Parsing
We have significantly improved VMRay’s network traffic parsing capabilities, using an open-source network traffic analyzer. As shown in Figure 2 below, this enables VMRay Analyzer to present a comprehensive and in-depth record of URL behavior, in a highly interactive manner via the Network tab.
As Figure 2 indicates, VMRay has identified that the sample contacts a malicious host and makes several requests involving blacklisted URLs. The system captures a record of every connection. This includes all HTTP sessions, with their requested URIs and server responses, and all files transmitted via HTTP. Analysis reports also include DNS queries and responses.
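An added example, not VMRay's own parser (which the text says is built on an open-source traffic analyzer), of how the HTTP record described above is reconstructed from a capture. Both directions of one constructed keep-alive connection are split into messages, each request is paired with its response, transferred file bodies are carved out with their hashes, and each host is checked against a constructed blacklist. The hostname and the capture bytes are made up for the example; DNS parsing is not covered.

```python
"""Added example, not VMRay's own parser: reconstruct HTTP sessions from the two
directions of a captured TCP connection, pair each request with its response,
carve out transferred file bodies and flag hosts on a reputation list. The
capture below is constructed inline and the hostname is hypothetical."""
import hashlib
from dataclasses import dataclass

BLACKLIST = {"mal.example"}   # stand-in for a URL/host reputation feed

# Constructed capture of one keep-alive connection: two requests, two responses.
CLIENT_TO_SERVER = (
    b"GET /landing HTTP/1.1\r\nHost: mal.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    b"GET /dl/invoice.exe HTTP/1.1\r\nHost: mal.example\r\n\r\n"
)
SERVER_TO_CLIENT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n"
    b"<html></html>"
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 6\r\n\r\nMZ\x90\x00\x03\x00"
)


@dataclass
class Session:
    method: str
    url: str
    host: str
    status: int
    content_type: str
    body: bytes
    blacklisted: bool

    @property
    def sha256(self):
        return hashlib.sha256(self.body).hexdigest()


def parse_messages(stream):
    """Split one direction of the stream into (start_line, headers, body) tuples.
    Bodies are delimited by Content-Length only; chunked transfer encoding is
    not handled, and a truncated message raises instead of being guessed."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("truncated headers at offset %d" % pos)
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        if len(body) < length:
            raise ValueError("truncated body for %r" % lines[0])
        messages.append((lines[0], headers, body))
        pos = end + 4 + length
    return messages


def reconstruct_sessions(c2s, s2c):
    """Pair requests with responses. On a single HTTP/1.1 connection responses
    come back in request order, so a positional zip is the correct pairing."""
    sessions = []
    for (req_line, req_hdr, _), (resp_line, resp_hdr, resp_body) in zip(
            parse_messages(c2s), parse_messages(s2c)):
        method, target, _ = req_line.split(" ", 2)
        host = req_hdr.get("host", "")
        status = int(resp_line.split(" ", 2)[1])
        sessions.append(Session(
            method=method,
            url="http://%s%s" % (host, target),
            host=host,
            status=status,
            content_type=resp_hdr.get("content-type", "").split(";")[0].strip().lower(),
            body=resp_body,
            blacklisted=host in BLACKLIST,
        ))
    return sessions


def transferred_files(sessions):
    """Non-text bodies are the files worth handing on to the sandbox: (url, sha256, size)."""
    return [(s.url, s.sha256, len(s.body)) for s in sessions
            if s.body and not s.content_type.startswith("text/")]


if __name__ == "__main__":
    sessions = reconstruct_sessions(CLIENT_TO_SERVER, SERVER_TO_CLIENT)
    for s in sessions:
        print(s.method, s.url, s.status, s.content_type, len(s.body),
              "BLACKLISTED" if s.blacklisted else "")
    print(transferred_files(sessions))
```

The parser deliberately refuses truncated messages rather than returning a partial body, because a file carved from an incomplete capture would hash and detonate differently from what the victim received. Chunked transfer encoding and HTTPS (which needs the TLS session to be decrypted first) are out of scope here.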
Configurable User Agents
Some URLs only reveal their malicious behavior when they’re being loaded on a targeted browser/device configuration, such as Firefox on Mac or Chrome on Windows. Otherwise, the malware doesn’t execute, and analysts are left in the dark.
VMRay counters this evasion technique with its new Configurable User Agent feature. When a suspect URL is submitted for analysis, the analysis can be run with user agent strings that reflect the browser and OS configurations widely deployed in the current environment, inducing the malware to execute fully in the sandbox and revealing what the targeted systems are actually exposed to. The user agent string is only one of the fingerprints a cloaking site may check, so a matching string improves coverage but does not by itself guarantee that the payload is served.
In addition to providing pre-defined user agent strings for common configurations, VMRay allows security teams to define customized user agent strings to make detection more closely attuned to their unique environment.
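An added example, not VMRay's code, of the cloaking behaviour and the counter-measure described above: a constructed stand-in for a server that only serves its real page to Windows Chrome, and a probe that fetches the same URL once per configured user agent and groups the responses, so that content which diverges by client stands out. The UA strings, the hostname and the page bodies are illustrative, and the "exploit" page is an inert placeholder.

```python
"""Added example, not VMRay's code: a constructed stand-in for a cloaking web
server that only reveals its payload to one browser/OS combination, and an
analyzer that fetches the same URL under several user agents and compares the
responses. UA strings, path and page contents are illustrative."""
import hashlib

# Pre-defined profiles; a team would append strings matching its own fleet.
USER_AGENTS = {
    "chrome-win": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "firefox-mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) "
                   "Gecko/20100101 Firefox/120.0",
    "safari-ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "curl": "curl/8.4.0",
}

BENIGN_PAGE = b"<html><body><h1>Welcome to our store</h1></body></html>"
PAYLOAD_PAGE = b"<html><script>/* inert placeholder for browser-specific exploit code */</script></html>"


def cloaking_server(path, user_agent):
    """Constructed malicious server: only Windows Chrome visitors get the real page;
    every other client, including a sandbox with a generic UA, sees a harmless one."""
    ua = user_agent or ""
    if path == "/promo" and "Windows NT" in ua and "Chrome/" in ua:
        return 200, PAYLOAD_PAGE
    return 200, BENIGN_PAGE


def probe(path, agents, fetch=cloaking_server):
    """Fetch the same path once per profile; returns name -> (status, digest, body)."""
    results = {}
    for name, ua in agents.items():
        status, body = fetch(path, ua)
        results[name] = (status, hashlib.sha256(body).hexdigest()[:16], body)
    return results


def detect_cloaking(results):
    """Group profiles by (status, digest). More than one group means the server
    serves different content depending on the client, which is exactly the
    signal a single-UA analysis would have missed."""
    groups = {}
    for name, (status, digest, _) in results.items():
        groups.setdefault((status, digest), []).append(name)
    return {k: sorted(v) for k, v in groups.items()}, len(groups) > 1


if __name__ == "__main__":
    results = probe("/promo", USER_AGENTS)
    groups, cloaked = detect_cloaking(results)
    print("cloaking detected:", cloaked)
    for (status, digest), names in groups.items():
        print(status, digest, names)
```

Probing with only a generic client (`probe("/promo", {"curl": USER_AGENTS["curl"]})`) returns a single group and no detection, which is the blind spot the feature addresses; a custom profile for the organisation's own standard browser build is added by putting its string into the dictionary passed to `probe`.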
Sample Relations
The relationship between malicious files and URLs provides security teams with insight into the dynamics of malware attacks. For example, sample relations expose the relationship between:
- A URL and the associated direct download
- A dropper and the associated dropped file
- An infostealer and the associated C2 server, and so on.
VMRay automatically displays relationships between samples in relevant scenarios, providing contextual information that helps DFIR teams respond to current attacks and prevent future attacks.
The severity rating of a file or a URL is dynamically adjusted, based on the nature of its relationship with another malicious sample. The URL analysis depicted in Figure 4 shows a downloaded virus with a severity score of 100/100 and its parent URL.
With these improvements in URL analysis, VMRay Analyzer can identify potential threats at the beginning of the analysis cycle and provide a more comprehensive understanding of those threats. In turn, that timely alerting and information can be published back to protection systems to proactively enhance enterprise security.