Monday, June 22, 2015

Static Analysis Malware Statistics

During the past month I've been dedicated some of my free time in building a Malware static analysis pipeline. Goal of this work is to give to Malware analists usefull statistics on what evasion techniques current Malware are implementing. If you are interested on Malware evasion techniques please have a look to my previous post on that topic ( here ). As my readers know one of my favorite Cyber Security topic is Malware and thier creation, if you are new about it, I suggest you to take a look to the following "blog posts": 

The following image shows the as appears nowaday. Besides the "romantic algebraic sums" (of the analyzed samples),  the number of xor encrypted detections, the Malicious DLL found over the total amount of detections and the average file size, more graphs showing out  more "evasion techniques" are represented.

One of the most interesting information I wanted to give was about the used evasive techniques to detect the virtualized environment the sample might be in. These information have been collected and represented in the "Used  Evasion Technique" graph. 

As a today (please refer to the "blog post" date) the most common Virtual Environment evasion technique is the VMCheck.dll (Red Pill) followed by QEMU CPUID Trick and VirtualBox Detection.


The second most important information given is about Packers. Whate ater the most used packer Malware implements to evade signature detection? The following pie chart shows represents the most used packers among others.


Active analysts (and IDA Pros) will agree to me when I say that one of the most time consuming avtivity is to debug a given sample. Figuring out what is the most used Anti-Debugging technique, could be time saving especially when the analyst is at the beginning of his analysis. The following graph shows my statistics on 21k malware (confirmed malware and not just sample).

 More stats will be available on the web site:, please have a look ! 

How To Contribute:
Day by day I'll add more and more samples but actually the pushing pipeline is not available online and is not available for free submiting. If you wish to contribute (and please do!) you should share with me your malware (GoogleDrive, DropBox, MegaTransfer, etc... might help the sharing process) I'll add them to my simple importing pipeline and I'll put your name on contributor page.

 The data is hosted for free on who accepted to get me a free license for that project.

Thank you !


Mark. said...

missing a "s" in the link for ""

Marco Ramilli said...

Thank you Mark !!!