"REcon represents the most complete tool to recover actionable intelligence from malware, including how the malware installs and survives reboot, communicates to the Internet, the contents of decrypted buffers, and bypassing executable packing," said Greg Hoglund, CEO and founder of HBGary.
HBGary REcon: How It Works
Malware is growing increasingly complex and it's difficult to analyze with a variety of tools that are cobbled together. REcon, in conjunction with HBGary's Responder Professional, provides incident response teams a single tool that is forensically sound and easy to use. This new technology allows small security teams to automate analysis (typically outsourced in the past) giving them run-time information. For larger teams, it allows a deeper analysis and the ability to quickly correlate pertinent streams of information.
REcon's performance outclasses everything that is currently available in the market, operating orders of magnitude faster than any other known tracing solution. REcon is so fast that users can still interact with a program's GUI while at the same time single-step recording every instruction in that program - something that has never been possible before now. REcon supports advanced performance features when on native hardware, such as the use of the branch-trace mode on Intel processers.
REcon can record the entire lifecycle of a software program, from the first instruction to the last. All behavior is recorded, including all loaded DLL's, plugins, browser helper objects (BHO's), file system activity, network activity, and registry access. Users can configure additional tracks of data to be recorded in almost limitless ways. Any function point can be recorded, including DLL exported functions, and internal undocumented functions (aka API-spy type capability). Users can control the sampling behavior, including number and type of arguments to a call. The full control flow graph is recovered for a program, including all basic blocks and branch conditions, even branches not taken. The opcodes, top of stack, and register context can be captured at a single-step resolution. This allows the recovery of packed executables, such as those packed by ASProtect, ASPack, Armadillo, UPX, and even Themida. REcon operates entirely in kernel mode and remains hidden from many anti-debugger checks, including checks for kernel mode debuggers.
Beyond the recording capabilities, the data itself can be graphed and replayed in HBGary Responder Professional. A new track-control has been added to the graph that allows the user to interact with the recorded program timeline similar to the way they might interact with a recorded video or audio track. The user can graph individual tracks of behavior (such as networking), or they can graph just regions of behavior (such as only the decryption routine). Any region that can be graphed can also be placed into a separate layer and managed independently. All of the existing graph features that users expect from Responder Professional can also be applied to any recorded track of behavior, thus exposing an entirely new set of data that will augment existing analysis.
REcon is included in the latest version of HBGary Responder Professional the most comprehensive memory investigation and malware analysis platform available on the market today. HBGary Responder Professional customers, under the company's current maintenance program, will receive an upgrade to REcon free of charge until December 31st, 2009. After January 1, 2010, REcon will be available to HBGary Responder Professional customers for an additional charge.
About HBGary, Inc.
HBGary, Inc. was founded in 2003 by renowned security expert Greg Hoglund. Mr. Hoglund and his team are internationally known experts in the field of Windows internals, software reverse engineering, bug identification, rootkit techniques and countermeasures. Today HBGary specializes in developing advanced computer analysis solutions for Information Assurance (IA) analysts, Computer Emergency Response Teams (CERT's), and Computer Forensic Investigators to detect, diagnose, and respond to computer intrusions and other cyber crime activities. The company is headquartered in Sacramento with sales offices in the Washington D.C. area. HBGary is privately held. For more information on the company, please visit: http://www.hbgary.com.
For more information: