Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:45 PM

Black Hat: Developer Aims To Make Attack Recovery More Intelligent

One company uses threat information, virtualization and analysis to build a better way to disinfect compromised systems

Companies that need to support a large number of users and help them recover from an epidemic spread of malware may get some help at the Black Hat USA security conference this year.

Click here for more of Dark Reading's Black Hat articles.

ReversingLabs, known for its static malware analysis tools and services, will release the File Disinfection Framework, an open-source project funded by the Defense Advanced Research Projects Agency (DARPA), at the Las Vegas conference next month. The framework aims to make developing custom disinfection tools much easier, by giving security technicians an advanced virtual machine and common building blocks, so that large organizations and service providers can better support their clients.

"Disinfection turns out to be one of the most complicated parts of the remediation process," says Mario Vuksan, CEO of the Cambridge, Mass., company. That's even more true for polymorphic file infectors that attempt to change the way they look and behave to fool antivirus and host-based intrusion detection software.

The company hopes that technical members of corporate information security teams will use the tools to better respond to mass compromises. Because the antivirus industry and other security firms have to prioritize their workload, smaller infections -- while still plaguing individual companies -- may not garner as much support as more widespread epidemics.

The File Disinfection Framework uses both static analysis and emulation in a virtual sandbox to allow users to collecting intelligence on and observe the infection capabilities of a specific piece of malware and then manipulate the malware in order to create a strategy for disinfection.

Tools such as the FDF go hand in hand with threat intelligence, says Vuksan. While companies can collect intelligence on the threat targeting their organization, turning that intelligence into action requires the right tools, he says.

"We hope that this allows users to produce better disinfectors and do it more quickly," he says.

[Defense alone won't stop an attacker from getting inside, so some organizations are looking at the age-old offensive strategy of deceiving corporate spies with bogus information or other trickery. See The Enterprise Strikes Back.]

While most enterprise security professionals will immediately jump to reinstalling the entire system so as to not take chances, there are many cases where disinfecting a file -- especially an important data file -- may be preferable. Internet service providers that offer support to their customers, for example, will often find that they have not made important backups of data.

"As a consumer, you are not going to want to re-image your machine just because you are infected," Vuksan says. "And for enterprises, if you have a mass file infector, what's going to happen to your IT team? They will likely all quit if they have to manually clean every system."

Dean De Beer, chief technology officer for malware analysis firm ThreatGRID, prefers the safety of re-imaging a system, but agrees that companies seeking more information on the threats in their network will benefit from the project.

"I don't think this is going to be in the hands of anyone except the very technical and the very smart, but that's where it should be," he says.

Building that technical aptitude in-house is another great way to use the toolset, says David Marcus, director of advanced research and threat intelligence for security firm McAfee, an Intel company.

"The more people you have that know how to reverse code and clean systems, the better you are arming them to be good at defense," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...