Internet-Scale File Analysis

Presented at Black Hat USA 2015, Aug. 6, 2015, 2:30 p.m. (50 minutes)

Malicious file analysis is well beyond the days when the humble PE32 file was all researchers needed to contend with. The use of malicious PDF, Office, and other files present a far more diverse threat than our defensive tools were originally designed to handle. To make matters worse, the sheer volume of files over time to analyze presents a meaningful logistical problem which becomes increasingly complex as analytical methods move from static to dynamic analysis. When the point in time problem is considered (the fact that historical discoveries can be viewed differently in the light of new analytical techniques or information), the problem seems all but intractable.

To this end, we have developed TOTEM, a system which is capable of coordinating, orchestrating, and scaling malware analytics across multiple cloud providers and thousands of running instances. It is easy to add new capabilities to and can intelligently segregate work based on features, such as filetype, analytic duration, and computational complexity. TOTEM supports dynamic analysis through DRAKVUF, a novel open-source dynamic malware analysis system which was designed specifically to achieve unparalleled scalability, while maintaining a high level of stealth and visibility into the executing sample. Building on the latest hardware virtualization extensions found in Intel processors and the Xen hypervisor, DRAKVUF remains completely hidden from the executing sample and requires no special software to be installed within the sandbox. Further addressing the problem of monitoring kernel-mode rootkits as well as user-space applications, DRAKVUF significantly raises the bar for evasive malware to remain undetected.

This talk will discuss the design, implementation, and practical deployment of TOTEM and DRAKVUF to analyze tremendous numbers of binary files.


  • George Webster - Technical University Munich
    George Webster is currently pursuing his doctorate of philosophy in information security at the Technical University of Munich. His primary research focus aims to address the cognitive bias in cyber defense, specifically in developing scalable methods to perform cyber analytics. Mr. Webster's academic and work background is centered in Virtual Machine Introspection, static analysis techniques, distributed systems, and the psychology of cyber criminals.
  • Tamas Lengyel - Novetta
    Tamas Lengyel is currently working as Security Researcher at TU Munich, focusing on virtualization security of mobile and embedded devices. He'll be starting as Senior Security Researcher at Novetta in a couple of months. He is also a PhD candidate at the University of Connecticut where he is in the process of finishing his dissertation on malware collection and analysis via hardware virtualization. He is an avid open-source developer, contributing to projects, such as LibVMI and the Xen hypervisor, and work with Zentific LLC as open-source adviser, with whom he has participated in a DARPA Cyber Fast Track project. His research interest include a broad range of topics related to computer security, including intrusion detection, operating system design, virtualization, live and forensics memory analysis, rootkits, as well as static and dynamic malware analysis. His area of expertise is around virtual machine introspection.
  • Zachary Hanif - Novetta
    Zachary Hanif holds the position of Director of Applied Data Science at Novetta. He currently works to create powerful analytics within batch and real time data processing engines though applied statistics and rapid correlation. His research interests revolve around applications of machine learning and graph mining within the realm of massive security data.


Similar Presentations: