
Risk

8/24/2007
08:08 AM

Red Curtain Reveals Malware

Free tool helps expose malicious software by its behavior

4:08 PM -- Earlier this month, Mandiant, an incident response management services and solutions provider, released a free tool to assist incident response teams with identifying malware. It's a tool worth looking at. (See Mandiant Offers Free Software.)

Red Curtain, previously codenamed Caprica Six, examines files looking for anomalies that might indicate a malicious intent. In a world where antivirus software is confounded by exploits such as Storm -- which can repack itself every few minutes -- a tool such as Red Curtain is definitely welcome. (See Tool IDs Hidden Malware.)

One technique that malware authors use to evade antivirus products is using packers and crypters to compress and/or encrypt their malware. Since antivirus products primarily rely on signatures to detect malware, the simple act of packing or encrypting a file can prevent it from being detected.

When performing incident response, it is not uncommon to come upon unknown files that aren't detected by the latest virus signatures. At that point, how do you know if a file is good or bad? You could run the suspicious file in a virtual machine and monitor its behavior, but some malware is designed to detect virtual environments and act differently to mask its true function. This is why Mandiant released Red Curtain.

Red Curtain scans files looking for characteristics that might indicate a packer or crypter was used, and then produces an overall score based on those characteristics. One of the more interesting things it measures is entropy -- a measure of randomness that tends to be higher in compressed and encrypted files. While it is not a foolproof measurement -- users can compress and encrypt their own data -- it is a very good indicator if you're dealing with an executable that is currently running with open ports on your system.
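To make the entropy idea concrete, here is an added example (not Mandiant's code, and not how Red Curtain itself computes its score) that calculates Shannon entropy over sliding windows of a file and flags the windows that look compressed or encrypted. The window size, step and the 7.0 bits-per-byte threshold are assumptions chosen for illustration; the sample file is constructed inline so the script runs offline.

```python
import math
import hashlib
from collections import Counter

# Assumed thresholds for illustration only; real tooling tunes these empirically.
HIGH_ENTROPY = 7.0   # bits per byte; 8.0 is the maximum for byte data
WINDOW = 512
STEP = 256


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = WINDOW, step: int = STEP):
    """Entropy of each fixed-size window; returns a list of (offset, entropy)."""
    if len(data) < window:
        return [(0, shannon_entropy(data))]
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]


def high_entropy_offsets(data: bytes, threshold: float = HIGH_ENTROPY):
    """Offsets of windows whose entropy is at or above the threshold."""
    return [off for off, h in windowed_entropy(data) if h >= threshold]


def entropy_summary(data: bytes, threshold: float = HIGH_ENTROPY) -> dict:
    """Whole-file view an analyst would triage on: peak entropy and share of
    high-entropy windows. A large share suggests a packed or encrypted payload,
    but legitimately compressed data (installers, images) scores high too."""
    windows = windowed_entropy(data)
    flagged = [h for _, h in windows if h >= threshold]
    return {
        "max_entropy": max(h for _, h in windows),
        "high_entropy_fraction": len(flagged) / len(windows),
    }


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for an
    encrypted payload, so the example needs no real malware and no randomness."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample "file": a low-entropy text-like header, a high-entropy
# body (as a crypter would produce), then a zero-filled tail.
TEXT_HEADER = (b"The quick brown fox jumps over the lazy dog. " * 23)[:1024]
SAMPLE_FILE = TEXT_HEADER + pseudo_random_bytes(2048) + bytes(512)


if __name__ == "__main__":
    for off, h in windowed_entropy(SAMPLE_FILE):
        flag = "HIGH" if h >= HIGH_ENTROPY else ""
        print(f"offset {off:5d}  entropy {h:5.2f}  {flag}")
    print(entropy_summary(SAMPLE_FILE))
```

Run as a script it prints one line per window; the text header stays around 4 bits per byte, the pseudo-random body sits above 7.5, and the zero tail drops to 0. The caveat from the text applies directly: a high-entropy window tells you the bytes are compressed or encrypted, not that they are malicious, which is why this kind of measurement belongs alongside other indicators rather than on its own.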

I've always been a packrat, and over the years, I've amassed a pretty good collection of suspicious files from the students (and family members) whose machines I've helped clean. Using Red Curtain, I scanned about 2,500 files to see what happened. Not every file was malicious, but most were -- they generally related to some sort of virus infection or compromise.

Almost all of the files I expected to score highly in Red Curtain did. The scoring is based on a 0.000 to 10.000 scale. Scores 0.7-0.9 are "somewhat interesting," 0.9 to 1.0 are "very interesting," and anything over 1.0 is "highly interesting." About 90 percent of the files I scanned scored over 0.8.

A tool like Red Curtain helps raise awareness that antivirus software can't detect everything. Hopefully, that's not a revelation to most security pros. But I can't tell you how many times I've heard, "Oh yeah, it's clean. I ran XYZ product." Red Curtain is a great tool to add to your incident response arsenal, and you can't beat the price.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
