A Giant Malware Sandbox Is Europol's Secret to Fighting Hackers

The Europol Malware Analysis System is a sandbox system designed to automatically detect and analyse malware.

Dec 1 2015, 4:51pm

Image: Europol

What do you do when there are so many cases of cybercrime utilizing a myriad of different types of malware, and you're the cop that has to dig through them all? Well, you build a massive system for automatically analysing malware from as many countries as possible, of course.

In December 2013, Europol, one of Europe's principal law enforcement agencies, launched the Europol Malware Analysis System (EMAS), which is designed to automatically detect and analyse malware, and to provide crucial information on cybercrime in the EU.

Now, documents obtained by Motherboard explain how this system works, giving an insight into how law enforcement agencies are fighting crime in the 21st century.

In essence, the EMAS is a system for testing whether files are malicious, letting investigators see what the files are designed to do, and then share that centrally-stored information across different European Union member states.

After a file is uploaded by cybercrime experts from a member state, the file is executed "in a tightly controlled sandbox environment," which consists of virtualised and physical computers, according to one of the documents, which include a presentation and internal guides. From here, the EMAS tests all of the malware's activities, be that connecting to peer-to-peer networks, Command & Control centres (servers that a piece of malware sends stolen data to), or anything else.

A schematic of the EMAS system from the documents. Image: Europol

"If, for instance, a sample intends to spread itself via email, it has to contact an SMTP server to send that email," the document continues. "The connection attempt to TCP port 35 is detected and instead of opening a connection to the real server, the connection is redirected to a simulated mail server."
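To make the redirection described in the quote concrete, here is an added example of the kind of simulated mail server a sandbox hands a sample's outbound mail connection to. It is not Europol's EMAS code or any part of the documents; it is a constructed, self-contained simulation in which a scripted "sample" session is pointed at a local listener standing in for the real SMTP server. The server speaks just enough SMTP for the session to complete, records the envelope and message body the sample tried to send, and delivers nothing.

```python
import socket
import threading

# Constructed stand-in for the "sample": the SMTP commands it would send once
# its outbound mail connection has been redirected to the simulated server.
# Tuples are message bodies terminated by the lone "." line (hypothetical data).
SAMPLE_SESSION = [
    "EHLO sample-host",
    "MAIL FROM:<sender@example.invalid>",
    "RCPT TO:<recipient@example.invalid>",
    "DATA",
    ("Subject: test message", "", "hello from the sandbox", "."),
    "QUIT",
]


def run_fake_smtp(conn):
    """Serve one redirected SMTP session; return what the sample tried to send."""
    captured = {"helo": None, "mail_from": None, "rcpt_to": [], "data": ""}
    reader = conn.makefile("rb")
    conn.sendall(b"220 sandbox.local simulated SMTP ready\r\n")
    in_data, body = False, []
    while True:
        line = reader.readline()
        if not line:
            break
        if in_data:
            # Message body is collected until the terminating "." line.
            if line.rstrip(b"\r\n") == b".":
                in_data = False
                captured["data"] = b"".join(body).decode("utf-8", "replace")
                conn.sendall(b"250 OK queued (not delivered)\r\n")
            else:
                body.append(line)
            continue
        text = line.decode("utf-8", "replace").rstrip("\r\n")
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            captured["helo"] = arg
            conn.sendall(b"250 sandbox.local\r\n")
        elif verb == "MAIL":
            captured["mail_from"] = arg.split(":", 1)[-1].strip()
            conn.sendall(b"250 OK\r\n")
        elif verb == "RCPT":
            captured["rcpt_to"].append(arg.split(":", 1)[-1].strip())
            conn.sendall(b"250 OK\r\n")
        elif verb == "DATA":
            in_data = True
            conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 Bye\r\n")
            break
        else:
            conn.sendall(b"502 Command not implemented\r\n")
    conn.close()
    return captured


def capture_session(session):
    """Run the simulated server on a local ephemeral port and drive one
    redirected session against it; return the captured envelope and body."""
    srv = socket.socket()
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        conn, _ = srv.accept()
        result.update(run_fake_smtp(conn))

    worker = threading.Thread(target=serve)
    worker.start()
    # The sample's connection, redirected by the sandbox to our listener.
    cli = socket.create_connection(("127.0.0.1", port), timeout=5)
    reader = cli.makefile("rb")
    reader.readline()  # 220 banner
    for step in session:
        lines = step if isinstance(step, tuple) else (step,)
        for line in lines:
            cli.sendall(line.encode() + b"\r\n")
        reader.readline()  # one reply per command (or per completed body)
    cli.close()
    worker.join()
    srv.close()
    return result


if __name__ == "__main__":
    print(capture_session(SAMPLE_SESSION))
```

The value of this approach for an analyst is that the sample believes its mail was accepted, so it proceeds with whatever it does next, while the sandbox ends up holding the sender, recipients and message body as behavioural evidence without any traffic leaving the environment.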

A bird's-eye view diagram of the system's architecture is included in one of the documents obtained by Motherboard through an access request, which is analogous to the Freedom of Information Act in the United States. After being processed in the EMAS environment, the results of the analysis can be sent to the Secure Information Exchange Network Application (SIENA)—a tool for sharing intelligence between Europol, Member States and third parties, a Europol spokesperson told Motherboard.

The results also get sent to the Europol Analysis System (EAS), which stores all of the data, and the Computer Forensic Network (CFN). The latter "provides the ability to filter and process relevant information from a large amount of computer data, while preserving the validity of the data as evidence or intelligence," the spokesperson said.

After analysis, the EMAS can compare the sample to information stored in its database, such as domain names and IP addresses. This sort of comparison allows investigators to see similarities between malware samples found anywhere throughout the European Union, and potentially reveal that malware which has appeared in, say, the UK and Germany, is likely being used by the same gang of cybercriminals.
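The comparison described here, linking samples submitted from different countries through the domain names and IP addresses they contact, can be shown with a small added example. This is not EMAS code; the reports, sample names, domains (all under `.invalid`) and addresses (RFC 5737 documentation ranges) are constructed. It also shows the caveat a practitioner would want: infrastructure that many unrelated samples legitimately touch (a public DNS resolver, in this constructed case) has to be allowlisted, or every sample collapses into one cluster.

```python
# Constructed sandbox reports: sample id -> network indicators it contacted.
# The "uk"/"de"/"fr"/"nl" tags stand for the submitting member state.
REPORTS = {
    "sample-uk-01": {"cc.example.invalid", "203.0.113.10", "198.51.100.7", "8.8.8.8"},
    "sample-de-02": {"203.0.113.10", "update.example.invalid", "8.8.8.8"},
    "sample-fr-03": {"198.51.100.7", "cdn.example.invalid"},
    "sample-nl-04": {"unrelated.example.invalid", "8.8.8.8"},
}

# Indicators too common to be evidence of a shared operator (constructed list).
BENIGN_INFRASTRUCTURE = {"8.8.8.8"}


def shared_indicators(reports, allowlist=frozenset()):
    """Map each indicator seen in two or more reports to the samples using it."""
    seen = {}
    for sample, indicators in reports.items():
        for ioc in indicators - set(allowlist):
            seen.setdefault(ioc, set()).add(sample)
    return {ioc: sorted(s) for ioc, s in seen.items() if len(s) >= 2}


def cluster_by_shared_indicators(reports, allowlist=frozenset()):
    """Group samples that are connected, directly or transitively, by at least
    one shared non-allowlisted indicator (union-find over sample ids)."""
    parent = {sample: sample for sample in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for samples in shared_indicators(reports, allowlist).values():
        root = find(samples[0])
        for other in samples[1:]:
            parent[find(other)] = root

    clusters = {}
    for sample in reports:
        clusters.setdefault(find(sample), set()).add(sample)
    return sorted((frozenset(c) for c in clusters.values()), key=lambda c: sorted(c))


def countries_in_cluster(cluster):
    """Extract the submitting-state tag from the constructed sample ids."""
    return sorted({sample.split("-")[1] for sample in cluster})


if __name__ == "__main__":
    for cluster in cluster_by_shared_indicators(REPORTS, BENIGN_INFRASTRUCTURE):
        print(sorted(cluster), "->", countries_in_cluster(cluster))
```

Run with the allowlist, the UK, German and French samples form one cluster (uk-01 shares an address with each of the other two) and the Dutch sample stands alone; run without it, the resolver address drags all four together, which is the false link an analyst has to guard against before treating a cluster as "the same gang".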

"Once the malware is received and analysed by the sandbox, reports containing the behaviour of the malware are created almost instantly and the results sent back to the countries who submitted the malware," another of the documents reads.

The system has been used in some of the agency's most high-profile investigations. In June of this year, a joint investigation team made up of officials from six European countries, and supported by Europol and Eurojust, took down a Ukrainian cybercriminal group suspected of attacking online banking systems with sophisticated malware.

"Europol has provided crucial support to the investigation since 2013 including handling and analysis of terabytes of data, and thousands of files in the Europol Malware Analysis System," according to a Europol press release.

In all, "186,094 files have been analysed in EMAS, out of which 38,562 were identified as malicious," Europol's website reads.

As for the future, the documents make it clear that the EMAS is a project that continues to develop, and the second iteration of the system will be available to crime-fighters by the end of the year. "The solution is dynamic and evolving so new functionalities can be constantly introduced," one of the documents reads.