CrowdStrike Creates Collaborative Malware Reverse Engineering Platform

CrowdStrike Streamlines Malware Reverse Engineering With CrowdRE

Armed with $26 million in venture funding, security startup CrowdStrike has released a tool designed to make it faster to reverse engineer malicious files by encouraging researchers to work together on a cloud-based collaboration platform.
CrowdStrike has developed CrowdRE, a free platform that allows security researchers and analysts to collaborate on malware reverse engineering. In a recent blog post, Jason Geffner, a senior security researcher at CrowdStrike, demonstrated how CrowdRE could be used to analyze a malware sample.

“While a single analyst can statically reverse engineer a small downloader or dropper in a matter of minutes, it can take weeks or even months of man-hours to analyze a massive binary developed by a well-funded adversary,” Geffner wrote.

Just as with major software applications, malware developers work in teams to build their malicious software. Malware is increasing in complexity and growing in size, and the developers are also reusing code segments to speed up development. CrowdRE adapts the collaborative model common in the developer world to make it possible to reverse engineer malicious code more quickly and efficiently, according to a presentation by Geffner and Tilmann Werner at RECON in Montreal, on June 15.

Collaborative reverse engineering can take two approaches, where all the analysts are working at the same time and sharing all the information instantly, or in a distributed manner, where different people work on different sections and share the results. This means multiple people can work on different parts simultaneously and the results can be combined to gain a full picture of the malware.

Geffner described how two analysts could collaborate using CrowdRE to reverse engineer a malware sample CrowdStrike researchers have dubbed “Comment Panda.” Comment Panda was part of the malware family behind the Shady RAT attacks revealed last year and is known to encode command-and-control commands inside HTML comment tags. One analyst could focus on functions related to auto-start-execution points and cryptography, while the second focuses on network communications, Geffner wrote.

During the process of analyzing the functions and lines of code in the malware, both analysts can regularly update their findings and annotations to a cloud database, and search the same database to see if the other had already analyzed a code snippet. In Geffner’s example, one analyst examined a cryptographic function, and when the second analyst came across a reference to that function in a network call, that analyst could view the details of what the previous analyst had already found.


CrowdRE also offers fuzzy matching of functions and type conflict resolution. Analysts would be able to match functions across different variants of a given malware family, or match functions from an older version against a newer version. The platform will eventually add social ratings so that researchers can see who the community thinks performs trusted and reliable work, Geffner wrote in the blog post.
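As an added illustration (not CrowdRE's own code or design), the following Python sketches the two mechanisms the article describes: a shared annotation store that a second analyst queries before re-analyzing a function, and fuzzy matching so that a function from a newer variant (renamed registers, an inserted instruction) still finds the earlier annotation. The instruction listings are constructed, and the mnemonic normalization and bigram-Jaccard scoring are this example's assumptions, not CrowdRE's method.

```python
import hashlib

def normalize(instructions):
    """Keep only the mnemonic of each instruction. Operands (registers, immediates,
    addresses) change between builds and variants; the instruction skeleton less so."""
    return [ins.split()[0].lower() for ins in instructions]

def exact_key(instructions):
    """Stable lookup key for a function whose mnemonic sequence is unchanged."""
    return hashlib.sha256(" ".join(normalize(instructions)).encode()).hexdigest()

def bigrams(mnemonics):
    return {tuple(mnemonics[i:i + 2]) for i in range(len(mnemonics) - 1)}

def similarity(a, b):
    """Jaccard similarity of mnemonic bigram sets, 0.0 .. 1.0 (assumed scoring)."""
    ga, gb = bigrams(a), bigrams(b)
    return len(ga & gb) / len(ga | gb) if (ga | gb) else 1.0

class AnnotationStore:
    """Stands in for the shared cloud database: analysts publish per-function
    findings, others look a function up before spending time on it."""
    def __init__(self):
        self._entries = {}  # exact_key -> annotation

    def publish(self, analyst, name, instructions, note):
        self._entries[exact_key(instructions)] = {
            "analyst": analyst, "name": name, "note": note,
            "mnemonics": normalize(instructions)}

    def lookup(self, instructions, threshold=0.5):
        """Return (annotation, score): exact hit scores 1.0, fuzzy hit >= threshold,
        otherwise (None, 0.0) meaning nobody has analyzed this function yet."""
        key = exact_key(instructions)
        if key in self._entries:
            return self._entries[key], 1.0
        mine = normalize(instructions)
        best, best_score = None, 0.0
        for entry in self._entries.values():
            score = similarity(mine, entry["mnemonics"])
            if score > best_score:
                best, best_score = entry, score
        return (best, best_score) if best_score >= threshold else (None, 0.0)

# Constructed listings: a crypto loop as analyst A saw it, the same loop in a newer
# variant with renamed registers, a variant with an inserted nop, and a socket setup.
CRYPTO_V1 = ["xor eax, eax", "mov ecx, 0x100", "mov byte [edi+eax], al",
             "inc eax", "cmp eax, ecx", "jb 0x401000", "ret"]
CRYPTO_V2_RENAMED = ["xor ebx, ebx", "mov edx, 0x100", "mov byte [esi+ebx], bl",
                     "inc ebx", "cmp ebx, edx", "jb 0x402000", "ret"]
CRYPTO_V3_NOP = ["xor ebx, ebx", "mov edx, 0x100", "nop", "mov byte [esi+ebx], bl",
                 "inc ebx", "cmp ebx, edx", "jb 0x402000", "ret"]
NETWORK_FN = ["push 0", "push 1", "push 2", "call ws2_32.socket", "mov esi, eax", "ret"]

def build_demo_store():
    store = AnnotationStore()
    store.publish("analyst_a", "crypto_loop", CRYPTO_V1, "constructed: byte-wise keystream loop")
    return store
```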

Google is planning to add CrowdRE integration to BinNavi, a graph-based reverse engineering tool for malware analysis, and the plan is to integrate with other similar tools, according to Geffner’s presentation. Linux and Mac OS support is expected soon, as well.

For a detailed description of how CrowdRE can be used to reverse engineer malware, check out Geffner’s post. While it’s still in pre-beta, curious users can check out the platform at http://crowd.re.

CrowdStrike launched publicly earlier this year after former McAfee CTO George Kurtz, along with Dmitri Alperovitch (McAfee’s ex-VP of Threat Research) and Gregg Marston, announced that the company had received its $26 million round of funding. In April, the company announced another high-profile hire when former FBI executive Shawn Henry joined the company to lead its services division.