From Anubis and Wepawet to Llama


How research and innovation inspired the creation of Lastline’s anti-malware solutions

Lastline’s founding team is composed of malware researchers from the University of California in Santa Barbara, Northeastern University in Boston, Technical University of Vienna, Eurecom Institute in France, and Bochum University, Germany. As a group, they are associated with the International Security Lab, and they have published hundreds of scientific papers in top conferences, addressing all facets of advanced malware, from cybercrime and the underground economy, to the analysis of evasive malware using static and dynamic analysis, to the identification of malicious web sites, to new approaches to protect Android applications.

However, producing innovative research is not the only thing that came from this group of scientists. As a by-product of their research work, they have developed tools that have been made available to the community at large. Two of the best-known tools are Anubis and Wepawet. These tools, named after Egyptian gods, are publicly accessible through web portals. Anubis allows one to submit a Windows executable or an Android app and obtain a report on the actions performed by the program; Wepawet allows one to submit a URL and obtain an analysis of the corresponding web site (it also analyzes PDF files).

These two tools have been used by tens of thousands of users who have submitted hundreds of millions of samples and malicious URLs. They also have been one of the motivating factors for creating Lastline. In fact, the creators of Anubis and Wepawet soon realized that the lessons learned from creating, deploying, and managing these tools could be leveraged to build a “commercial grade” toolset that provides better detection, resistance to evasion, and integration with network-based detection.

The result of this activity is Lastline Enterprise, a product that monitors an enterprise network looking for evidence of malware infections. Lastline Enterprise has a network sensor that extracts programs and documents on-the-fly, and passes them to an analysis engine based on a proprietary approach called “high-resolution analysis”. This type of analysis has been developed at Lastline to provide better insight into the actions of programs and resistance to evasion.

The “engine” behind this analysis capability is “llama”, a malware analysis system built from scratch at Lastline by the same developers who years ago created Anubis and Wepawet.

The llama system incorporates many of the lessons learned from 10+ years of research into advanced malware and the experience from creating and running Anubis and Wepawet, but goes well beyond what these academic prototypes provide. The llama engine has deeper insight into the actions of malware, the ability to extract and characterize complex, high-level behaviors, and a focus on detecting and combating evasive techniques, which have characterized the recent evolution of malware threats. In practice, while Anubis is mostly an analysis tool, llama is a sophisticated detection tool that is able to both extract the actions and characterize the maliciousness of a program.

In addition, llama is able to cover a much wider range of artifacts and platforms, including Microsoft Office documents, Windows 7 and 64-bit binaries, Browser Helper Objects, PDF documents, and much more.

Therefore, even though the same world-class research team that brought you Anubis and Wepawet is behind Lastline’s products, Lastline anti-malware solutions are completely different products, developed from scratch to provide better visibility into the actions of malware and operate effectively and scalably in enterprise networks of all sizes.

In conclusion, Anubis and Wepawet are always available, free for non-commercial use. However, if you want to protect your network with the most innovative anti-malware solution that combines malicious traffic detection with high-resolution analysis you might want to try out Lastline Enterprise. In addition, if you want to improve your malware analysis toolbox, you should try Lastline Analyst, which provides immediate access to our analysis infrastructure. You can easily request free trials for both solutions here:

Giovanni Vigna


Giovanni Vigna is one of the founders and CTO of Lastline as well as a Professor in the Department of Computer Science at the University of California in Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.