Black Hat: Developer Aims To Make Attack Recovery More IntelligentOne company uses threat information, virtualization and analysis to build a better way to disinfect compromised systems
Companies that need to support a large number of users and help them recover from an epidemic spread of malware may get some help at the Black Hat USA security conference this year.
ReversingLabs, known for its static malware analysis tools and services, will release the File Disinfection Framework, an open-source project funded by the Defense Advanced Research Projects Agency (DARPA), at the Las Vegas conference next month. The framework aims to make developing custom disinfection tools much easier, by giving security technicians an advanced virtual machine and common building blocks, so that large organizations and service providers can better support their clients.
"Disinfection turns out to be one of the most complicated parts of the remediation process," says Mario Vuksan, CEO of the Cambridge, Mass., company. That's even more true for polymorphic file infectors that attempt to change the way they look and behave to fool antivirus and host-based intrusion detection software.
The company hopes that technical members of corporate information security teams will use the tools to better respond to mass compromises. Because the antivirus industry and other security firms have to prioritize their workload, smaller infections -- while still plaguing individual companies -- may not garner as much support as more widespread epidemics.
The File Disinfection Framework uses both static analysis and emulation in a virtual sandbox to allow users to collecting intelligence on and observe the infection capabilities of a specific piece of malware and then manipulate the malware in order to create a strategy for disinfection.
Tools such as the FDF go hand in hand with threat intelligence, says Vuksan. While companies can collect intelligence on the threat targeting their organization, turning that intelligence into action requires the right tools, he says.
"We hope that this allows users to produce better disinfectors and do it more quickly," he says.
[Defense alone won't stop an attacker from getting inside, so some organizations are looking at the age-old offensive strategy of deceiving corporate spies with bogus information or other trickery. See The Enterprise Strikes Back.]
While most enterprise security professionals will immediately jump to reinstalling the entire system so as to not take chances, there are many cases where disinfecting a file -- especially an important data file -- may be preferable. Internet service providers that offer support to their customers, for example, will often find that they have not made important backups of data.
"As a consumer, you are not going to want to re-image your machine just because you are infected," Vuksan says. "And for enterprises, if you have a mass file infector, what's going to happen to your IT team? They will likely all quit if they have to manually clean every system."
Dean De Beer, chief technology officer for malware analysis firm ThreatGRID, prefers the safety of re-imaging a system, but agrees that companies seeking more information on the threats in their network will benefit from the project.
"I don't think this is going to be in the hands of anyone except the very technical and the very smart, but that's where it should be," he says.
Building that technical aptitude in-house is another great way to use the toolset, says David Marcus, director of advanced research and threat intelligence for security firm McAfee, an Intel company.
"The more people you have that know how to reverse code and clean systems, the better you are arming them to be good at defense," he says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.