Malware is lightweight
As a solutions engineer in the industry, I recently had a discussion with a Security Analyst about the maximum file size that a Dynamic Analysis (sandbox) system should support to effectively deal with malware.
[Image: Representation of a skinny malware :)]
I noticed that, sometimes, the expectation is to support even hundreds of megabytes for executables or exploit-carrying files. However, if you pause for a moment and consider the key requirements of well-crafted malware, you will realize that:
- Malware is a Platform: Modern malware is built on penetration frameworks, requiring attackers to use multiple tools at different stages, from the initial compromise to achieving their final goal.
- Malware must be Stealthy: Attackers need to remain undetected and move quickly while generating as little noise as possible.
- Detection must be Evaded: Malware must minimize network traffic and implement evasion techniques to bypass detection at various levels.
Given these points, you can understand that large file sizes are not ideal for malware aiming to stay stealthy and undetected—especially during the initial exploitation and early post-exploitation stages. But let's be pragmatic and conduct a simple exercise:
Browse a public malware repository and analyse the average size of a malware sample.
I did this using my favorite public malware repository, VX-UNDERGROUND (https://vx-underground.org/). By summing the file sizes in the sample directories and dividing by the total number of samples, I performed a simple and classic calculation across different folders related to various malware families. The result? In most cases, the average size falls between 1 and 3 megabytes.
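A small script in the spirit of that exercise, added here as an example and not part of the original post: it computes per-family mean, median and maximum sizes, the share of samples under 5 MB, and the share of all samples a sandbox with a given size limit would accept. The directory layout (one folder per family under a root) is an assumption, and the sizes in `SAMPLE_SIZES` are constructed stand-ins for a real repository walk.

```python
import os
from dataclasses import dataclass
from statistics import mean, median

MB = 1024 * 1024


@dataclass
class FamilyStats:
    count: int
    mean_bytes: float
    median_bytes: float
    max_bytes: int
    share_under_5mb: float  # fraction of samples smaller than 5 MB


def family_stats(sizes):
    """Summarise a list of sample sizes (bytes) for one malware family."""
    if not sizes:
        raise ValueError("no samples")
    under = sum(1 for s in sizes if s < 5 * MB)
    return FamilyStats(len(sizes), mean(sizes), median(sizes), max(sizes), under / len(sizes))


def sizes_from_directory(root):
    """Map each first-level family folder under `root` to its sample sizes (bytes).

    Only metadata (file size) is read; the samples are never opened or executed.
    """
    families = {}
    for family in sorted(os.listdir(root)):
        path = os.path.join(root, family)
        if not os.path.isdir(path):
            continue
        families[family] = [os.path.getsize(os.path.join(d, f))
                            for d, _, files in os.walk(path) for f in files]
    return families


def sandbox_threshold_coverage(families, limit_bytes):
    """Fraction of all samples a sandbox with this file-size limit would accept."""
    sizes = [s for fam in families.values() for s in fam]
    return sum(1 for s in sizes if s <= limit_bytes) / len(sizes)


# Constructed sizes standing in for sizes_from_directory("/path/to/samples")
SAMPLE_SIZES = {
    "loader_family": [180_000, 420_000, 910_000, 1_300_000],          # small droppers
    "stealer_family": [1_900_000, 2_400_000, 3_100_000, 2_200_000],   # the 1-3 MB band
    "rat_family": [12_000_000, 48_000_000, 4_000_000, 23_000_000],    # the "fat guys"
}

if __name__ == "__main__":
    for name, sizes in SAMPLE_SIZES.items():
        st = family_stats(sizes)
        print(f"{name:15} n={st.count} mean={st.mean_bytes / MB:.2f}MB "
              f"median={st.median_bytes / MB:.2f}MB max={st.max_bytes / MB:.1f}MB "
              f"under5MB={st.share_under_5mb:.0%}")
    print(f"accepted by a 100 MB limit: {sandbox_threshold_coverage(SAMPLE_SIZES, 100 * MB):.0%}")
```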
This finding aligns with what ChatGPT has to say on the topic:
The "Fat Guys"
Some malware like Remote Access Trojans (RATs), by their nature, provide attackers with various tools to control a compromised machine. These capabilities include access to the keyboard and mouse, browsing file directories, capturing the screen, and exfiltrating data. The inclusion of such a broad suite of functionalities in a single malware sample increases its size, often reaching tens of megabytes—sometimes up to 50 MB.
2 Key Takeaways
- Malware is lightweight: More than 90% of malware samples in public repositories are under 5 MB in size.
- Sandboxes and Dynamic Analysis Security Systems: A file size threshold of 100 MB looks more than sufficient for automated malware analysis.