06:45 PM

Black Hat: Developer Aims To Make Attack Recovery More Intelligent

One company uses threat information, virtualization and analysis to build a better way to disinfect compromised systems

Companies that need to support a large number of users and help them recover from an epidemic spread of malware may get some help at the Black Hat USA security conference this year.

Click here for more of Dark Reading's Black Hat articles.

ReversingLabs, known for its static malware analysis tools and services, will release the File Disinfection Framework, an open-source project funded by the Defense Advanced Research Projects Agency (DARPA), at the Las Vegas conference next month. The framework aims to make developing custom disinfection tools much easier, by giving security technicians an advanced virtual machine and common building blocks, so that large organizations and service providers can better support their clients.

"Disinfection turns out to be one of the most complicated parts of the remediation process," says Mario Vuksan, CEO of the Cambridge, Mass., company. That's even more true for polymorphic file infectors that attempt to change the way they look and behave to fool antivirus and host-based intrusion detection software.

The company hopes that technical members of corporate information security teams will use the tools to better respond to mass compromises. Because the antivirus industry and other security firms have to prioritize their workload, smaller infections -- while still plaguing individual companies -- may not garner as much support as more widespread epidemics.

The File Disinfection Framework uses both static analysis and emulation in a virtual sandbox to allow users to collecting intelligence on and observe the infection capabilities of a specific piece of malware and then manipulate the malware in order to create a strategy for disinfection.

Tools such as the FDF go hand in hand with threat intelligence, says Vuksan. While companies can collect intelligence on the threat targeting their organization, turning that intelligence into action requires the right tools, he says.

"We hope that this allows users to produce better disinfectors and do it more quickly," he says.

[Defense alone won't stop an attacker from getting inside, so some organizations are looking at the age-old offensive strategy of deceiving corporate spies with bogus information or other trickery. See The Enterprise Strikes Back.]

While most enterprise security professionals will immediately jump to reinstalling the entire system so as to not take chances, there are many cases where disinfecting a file -- especially an important data file -- may be preferable. Internet service providers that offer support to their customers, for example, will often find that they have not made important backups of data.

"As a consumer, you are not going to want to re-image your machine just because you are infected," Vuksan says. "And for enterprises, if you have a mass file infector, what's going to happen to your IT team? They will likely all quit if they have to manually clean every system."

Dean De Beer, chief technology officer for malware analysis firm ThreatGRID, prefers the safety of re-imaging a system, but agrees that companies seeking more information on the threats in their network will benefit from the project.

"I don't think this is going to be in the hands of anyone except the very technical and the very smart, but that's where it should be," he says.

Building that technical aptitude in-house is another great way to use the toolset, says David Marcus, director of advanced research and threat intelligence for security firm McAfee, an Intel company.

"The more people you have that know how to reverse code and clean systems, the better you are arming them to be good at defense," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.