Norm spreads cheer in the security sandbox with Malware Analyzer G2 (MAG2)
A look at the Malware Analyzer G2 (MAG2) platform, which security vendor Norman hails as a better weapon for those in the data and software protection business.
January 26, 2012 — CSO —
As everybody in the IT security world knows, the war against malware demands constant evolution -- the only way to defeat increasingly sophisticated attacks is to stay a step ahead of them. The traditional methods -- firewalls and even emulation or virtual environments -- are not enough in a threat environment that may produce as many as 100,000 malware variants a day against major enterprises or government agencies.
But Norman, the Oslo, Norway-based security firm, says it has a better weapon for those in the data and software protection business, in the form of its Malware Analyzer G2 (MAG2) platform, released last July at the Black Hat Technical Security Conference.
As the name implies, this is an analysis, not a blocking, tool -- it is meant to be used after a suspicious file has already been detected. While the company shies away from using the term "forensics" to describe what MAG2 does, Matt Allen, product manager for MAG2, says that is one way for the average user to understand it.
"You've detected something funny," he says, "but then you have to figure out what it is and how to solve the problem. This (MAG2) provides the intelligence to tell you if it is really bad or not. It tells you what is special about it and how to detect it in the future. That lets you tweak both detection and protection."
"It's a little like after a hotel break-in," says Jonathan Camp, senior developer at Norman. "You know somebody broke in, but what did they do -- bug the lamp? What were the behaviors once they got in? It's a post-incident analysis."
An analyst who receives a suspicious sample "wants to see exactly what it does. Is it malicious or not? If it is, what did it do?" says Camp.
But, of course, no analyst is going to be able to deal with tens of thousands of samples in a day.
And MAG2's method of confronting that problem, say Allen and Camp, is what puts it a step ahead of not only malware attackers but also the competition. One element of it is the platform's Hybrid Sandboxing technology, which Allen says is "two different sandboxes running side by side." It is an improvement over virtualization, he says, which has become less effective as malware writers can now detect it and build protections against it into their code.
"We call it an emulation," he says, "where we've taken the Windows OS and the hardware and network services and reverse-engineered it, sort of like a video game. The rules don't apply that would be in the real world. What makes it really special is that you've got simulation and emulation running side by side."
Special enough that Virus Bulletin gave the Norman Sandbox its 2010 award for the "most innovative idea in 10 years."
The other element is visual. Camp has developed a way to display malware samples that shows, through colors and lines connecting thousands of different points, which malware files are from the same family or share behaviors, such as coming from the same web server.
That graphic can reduce the number of files that need more focused analysis from what looks like a galaxy of 50,000 or more down to a half-dozen families to just three or four.
"Once you've done that, then you can do behavior blocking and improve the effectiveness of your anti-virus engine," Camp says. None of which means the war is won, of course, but that there is one more improved defensive weapon against daily attacks.
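The grouping step Camp describes, reducing a mass of sandbox reports to a handful of families that share behaviours, can be illustrated with a small clustering routine. The following is an added example and not Norman's or MAG2's code: the behaviour tags, sample ids, host names and the 0.5 similarity threshold are constructed for illustration. Each report is treated as a set of observed-behaviour tags, samples whose sets overlap strongly are linked, and linked samples form a family; the behaviours common to a whole family are then the natural starting point for the improved detection the article mentions.

```python
"""Group sandbox behaviour reports into families by shared behaviours.

Added example (not Norman's code). Each report is a set of behaviour tags
such as the host contacted, mutex created or file dropped. Samples whose
tag sets overlap above a threshold are linked, and connected samples
form one family, which is the grouping an analyst triages as a unit.
"""
from itertools import combinations

# Constructed sandbox reports: sample id -> set of behaviour tags.
# Hosts, mutex names and file names are placeholders, not real indicators.
REPORTS = {
    "s1": {"net:contact:host-a.example", "mutex:alpha", "file:drop:svc.dll", "reg:run-key"},
    "s2": {"net:contact:host-a.example", "mutex:alpha", "file:drop:svc.dll", "proc:inject:explorer"},
    "s3": {"net:contact:host-a.example", "mutex:alpha", "reg:run-key", "proc:inject:explorer"},
    "s4": {"net:contact:host-b.example", "mutex:beta", "file:drop:upd.exe"},
    "s5": {"net:contact:host-b.example", "mutex:beta", "file:drop:upd.exe", "reg:run-key"},
    "s6": {"proc:spawn:cmd.exe", "file:read:docs", "net:contact:host-c.example"},
}


def jaccard(a, b):
    """Similarity of two behaviour sets: |A & B| / |A | B|, 1.0 for two empty sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_families(reports, threshold=0.5):
    """Return families as sorted member lists, largest family first.

    Two samples are linked when their Jaccard similarity reaches the
    threshold (an assumed value); union-find then collects linked samples
    into families, so a family is a connected group of similar reports.
    """
    parent = {s: s for s in reports}

    def find(x):
        # Path-halving union-find lookup of the family representative.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for a, b in combinations(reports, 2):
        if jaccard(reports[a], reports[b]) >= threshold:
            union(a, b)

    families = {}
    for s in reports:
        families.setdefault(find(s), []).append(s)
    return sorted((sorted(m) for m in families.values()),
                  key=lambda m: (-len(m), m[0]))


def family_signature(reports, members):
    """Behaviours shared by every member: candidates for a family-level detection rule."""
    common = set.intersection(*(reports[m] for m in members))
    return sorted(common)


if __name__ == "__main__":
    for fam in cluster_families(REPORTS):
        print(f"family {fam}: common behaviours {family_signature(REPORTS, fam)}")
```

With the constructed reports the six samples collapse into three families: s1/s2/s3 (linked by a shared host and mutex), s4/s5, and s6 on its own. The threshold is the main tuning knob: a lower value merges more samples and risks lumping unrelated ones together, a higher value splits genuine variants apart, so in practice it is set by checking the families against samples of known lineage.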
Other stories by Taylor Armerding