From Anubis and Wepawet to Llama
How research and innovation inspired the creation of Lastline’s anti-malware solutions
Lastline’s founding team is composed of malware researchers from the University of California in Santa Barbara, Northeastern University in Boston, Technical University of Vienna, Eurecom Institute in France, and Bochum University, Germany. As a group, they are associated with the International Security Lab (http://www.iseclab.org), and they have published hundreds of scientific papers in top conferences, addressing all facets of advanced malware, from cybercrime and the underground economy, to the analysis of evasive malware using static and dynamic analysis, to the identification of malicious web sites, to new approaches to protect Android applications.
However, producing innovative research is not the only thing that came from this group of scientists. As a by-product of their research work, they have developed tools that have been made available to the community at large. Two of the best-known tools are Anubis and Wepawet. These tools, named after Egyptian gods, are publicly accessible through web portals (namely, http://anubis.iseclab.org and http://wepawet.iseclab.org). Anubis allows one to submit a Windows executable or an Android app and obtain a report on the actions performed by the program; Wepawet allows one to submit a URL and obtain an analysis of the corresponding web site (it also analyzes PDF files).
These two tools have been used by tens of thousands of users who have submitted hundreds of millions of samples and malicious URLs. They also have been one of the motivating factors for creating Lastline. In fact, the creators of Anubis and Wepawet soon realized that the lessons learned from creating, deploying, and managing these tools could be leveraged to build a “commercial grade” toolset that provides better detection, resistance to evasion, and integration with network-based detection.
The result of this activity is Lastline Enterprise, a product that monitors an enterprise network looking for evidence of malware infections. Lastline Enterprise has a network sensor that extracts programs and documents on-the-fly, and passes them to an analysis engine based on a proprietary approach called “high-resolution analysis”. This type of analysis has been developed at Lastline to provide better insight into the actions of programs and resistance to evasion.
The “engine” behind this analysis capability is “llama”, a malware analysis system build from scratch at Lastline from the same developers that years ago created Anubis and Wepawet.
The llama system incorporates many of the lessons learned from 10+ years of research into advanced malware and the experience from creating and running Anubis and Wepawet, but goes well beyond what these academic prototypes provide. The llama engine has deeper insight into the actions of malware, the ability of extracting and characterizing complex, high-level behaviors, and a focus on detecting and combating evasive techniques, which have been characterizing the recent evolution of malware threats. In practice, while Anubis is mostly an analysis tool, llama is a sophisticated detection tool, which is able to both extract the actions and characterize the maliciousness of a program.
In addition, llama is able to cover a much wider range of artifact and platforms, including Microsoft Office Documents, Windows7 and 64-bit binaries, Browser Helper Objects, PDF documents and much more.
Therefore, even though the same world-class research team that brought you Anubis and Wepawet is behind Lastline’s products, Lastline anti-malware solutions are completely different products, developed from scratch to provide better visibility into the actions of malware and operate effectively and scalably in enterprise networks of all sizes.
In conclusion, Anubis and Wepawet are always available, free for non-commercial use. However, if you want to protect your network with the most innovative anti-malware solution that combines malicious traffic detection with high-resolution analysis you might want to try out Lastline Enterprise. In addition, if you want to improve your malware analysis toolbox, you should try Lastline Analyst, which provides immediate access to our analysis infrastructure. You can easily request free trials for both solutions here: http://landing.lastline.com/enterprise-analysts-request