News Releases3 min read

Carbon Black Threat Analysis Unit (TAU) Launches “Binee,” an Open-Source Binary Emulator for Malware Researchers at DEF CON 27

LAS VEGAS, Aug. 10, 2019 (GLOBE NEWSWIRE) — DEF CON 27 — Carbon Black (NASDAQ: CBLK), a leader in cloud-native endpoint protection, today announced the launch of “Binee,” an open-source binary emulator that bridges the gap between static and dynamic analysis of real-world malware. Binee empowers researchers to extract run-time data from binaries at a cost, speed and scale previously only possible with static analysis tools, opening up a wealth of run-time malware data for behavioral analysis and machine learning applications.

Carbon Black’s Threat Analysis Unit (TAU) researchers Kyle Gwinnup (@switchp0rt) and John Holowczak (@skipwich) revealed the tool, whose name is short for “Binary Emulation Environment,” during their presentation, “Next Generation Process Emulation with Binee” at DEF CON 27 in Las Vegas on Saturday, August 10.


Click here to access “Binee” via GitHub.


Malware detection through standard static analysis has become increasingly difficult and researchers are becoming more reliant on dynamic analysis techniques to understand the behavior of the malware they are studying. Unfortunately, dynamic analysis is costly and time-consuming, meaning only a very small portion of it can be assessed in this way. Binee addresses this gap – delivering run-time analysis of malware at the speed and cost of static analysis through mock process emulation.

The ability to emulate x86 and other architectures has been around for some time – malware analysts have several tools readily available in the public domain. However, most of the tools stop short of full emulation, either halting or doing strange things when emulating library functions or system calls not implemented in the emulator.

Binee creates a nearly identical Windows process memory model inside the emulator, including dynamically loaded libraries and other Windows process structures. Binee mimics much of the OS kernel and outputs a detailed description of all function calls with human readable parameters throughout the duration of the process, providing greater insight into a malware’s API calls and other IOCs than static analysis. Binee offers the ability to extract features of a binary that were only visible to dynamic binary analysis, with a cost closer to that of static analysis.

The team has designed the tool with two primary use cases in mind. First, for data extraction at scale with a cost and speed similar to common static analysis tools and, second, for malware analysts that need a custom operating system and framework without the overhead of spinning up various configurations of virtual machines.

“Binee can be used as a critical part of a malware analysis funnel – allowing security professionals to identify and analyze behavioral attributes of malware,” the researchers said. “This, in turn, opens up a huge new data set for behavioral analysis and machine learning that improves detection capabilities. We’ve decided to open source this tool because building a Windows emulator is hard and, due to the immense value it provides malware researchers, we want more people working on it, accelerating development and driving a more complete emulator, faster.”

Currently, Binee can run on Windows, OS X, and Linux.


Click here to access “Binee” via GitHub.


About Carbon Black

Carbon Black (NASDAQ: CBLK) is a leader in cloud-native endpoint protection dedicated to keeping the world safe from cyberattacks. The CB Predictive Security Cloud® (PSC) consolidates endpoint protection and IT operations into an endpoint protection platform (EPP) that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analyzing billions of security events per day across the globe, Carbon Black has key insights into attackers’ behaviors, enabling customers to detect, respond to and stop emerging attacks.

More than 5,600 global customers, including approximately one third of the Fortune 100, trust Carbon Black to protect their organizations from cyberattacks. The company’s partner ecosystem features more than 500 MSSPs, VARs, distributors and technology integrations, as well as many of the world’s leading IR firms, who use Carbon Black’s technology in more than 500 breach investigations per year.

Carbon Black and CB Predictive Security Cloud are registered trademarks or trademarks of Carbon Black, Inc. in the United States and/or other jurisdictions.

Ryan Murphy, Carbon Black
Director of Global Communications