06:45 PM

Black Hat: Developer Aims To Make Attack Recovery More Intelligent

One company uses threat information, virtualization and analysis to build a better way to disinfect compromised systems

Companies that need to support a large number of users and help them recover from an epidemic spread of malware may get some help at the Black Hat USA security conference this year.

Click here for more of Dark Reading's Black Hat articles.

ReversingLabs, known for its static malware analysis tools and services, will release the File Disinfection Framework, an open-source project funded by the Defense Advanced Research Projects Agency (DARPA), at the Las Vegas conference next month. The framework aims to make developing custom disinfection tools much easier, by giving security technicians an advanced virtual machine and common building blocks, so that large organizations and service providers can better support their clients.

"Disinfection turns out to be one of the most complicated parts of the remediation process," says Mario Vuksan, CEO of the Cambridge, Mass., company. That's even more true for polymorphic file infectors that attempt to change the way they look and behave to fool antivirus and host-based intrusion detection software.

The company hopes that technical members of corporate information security teams will use the tools to better respond to mass compromises. Because the antivirus industry and other security firms have to prioritize their workload, smaller infections -- while still plaguing individual companies -- may not garner as much support as more widespread epidemics.

The File Disinfection Framework uses both static analysis and emulation in a virtual sandbox to allow users to collecting intelligence on and observe the infection capabilities of a specific piece of malware and then manipulate the malware in order to create a strategy for disinfection.

Tools such as the FDF go hand in hand with threat intelligence, says Vuksan. While companies can collect intelligence on the threat targeting their organization, turning that intelligence into action requires the right tools, he says.

"We hope that this allows users to produce better disinfectors and do it more quickly," he says.

[Defense alone won't stop an attacker from getting inside, so some organizations are looking at the age-old offensive strategy of deceiving corporate spies with bogus information or other trickery. See The Enterprise Strikes Back.]

While most enterprise security professionals will immediately jump to reinstalling the entire system so as to not take chances, there are many cases where disinfecting a file -- especially an important data file -- may be preferable. Internet service providers that offer support to their customers, for example, will often find that they have not made important backups of data.

"As a consumer, you are not going to want to re-image your machine just because you are infected," Vuksan says. "And for enterprises, if you have a mass file infector, what's going to happen to your IT team? They will likely all quit if they have to manually clean every system."

Dean De Beer, chief technology officer for malware analysis firm ThreatGRID, prefers the safety of re-imaging a system, but agrees that companies seeking more information on the threats in their network will benefit from the project.

"I don't think this is going to be in the hands of anyone except the very technical and the very smart, but that's where it should be," he says.

Building that technical aptitude in-house is another great way to use the toolset, says David Marcus, director of advanced research and threat intelligence for security firm McAfee, an Intel company.

"The more people you have that know how to reverse code and clean systems, the better you are arming them to be good at defense," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.