CrowdStrike Streamlines Malware Reverse Engineering With CrowdRE
Armed with $26 million in venture funding, security startup CrowdStrike has released a tool designed to make it faster to reverse engineer malicious files by encouraging researchers to work together on a cloud-based collaboration platform.
CrowdStrike has developed CrowdRE, a free platform that allows security researchers and analysts to collaborate on malware reverse engineering. In a recent blog post, Jason Geffner, a senior security researcher at CrowdStrike, demonstrated how CrowdRE could be used to analyze a malware sample.
“While a single analyst can statically reverse engineer a small downloader or dropper in a matter of minutes, it can take weeks or even months of man-hours to analyze a massive binary developed by a well-funded adversary,” Geffner wrote.
Just like the developers of major software applications, malware developers work in teams to build their malicious software. Malware is increasing in complexity and growing in size, and the developers are also reusing code segments to speed up development. CrowdRE adapts the collaborative model common in the developer world to make it possible to reverse engineer malicious code more quickly and efficiently, according to a presentation by Geffner and Tilmann Werner at RECON in Montreal, on June 15.
Collaborative reverse engineering can take two approaches: a synchronous one, where all the analysts work at the same time and share all the information instantly, or a distributed one, where different people work on different sections and share the results. Either way, multiple people can work on different parts simultaneously and the results can be combined to gain a full picture of the malware.
Geffner described how two analysts could collaborate using CrowdRE to reverse engineer a malware sample CrowdStrike researchers have dubbed “Comment Panda.” Comment Panda was part of the malware family behind the Shady RAT attacks revealed last year and is known to encode command-and-control commands inside HTML comment tags. One analyst could focus on functions related to auto-start-execution points and cryptography, while the second focuses on network communications, Geffner wrote.
During the process of analyzing the functions and lines of code in the malware, both analysts can regularly update their findings and annotations to a cloud database, and search the same database to see if the other had already analyzed a code snippet. In Geffner’s example, one analyst examined a cryptographic function, and when the second analyst came across a reference to that function in a network call, that analyst could view the details of what the previous analyst had already found.
CrowdRE also offers fuzzy matching of functions and type conflict resolution. Analysts would be able to match functions across different variants of a given malware family, or match functions from an older version with those in a newer version. The platform will eventually add social ratings so that researchers can see who the community thinks performs trusted and reliable work, Geffner wrote in the blog post.
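The two ideas in the preceding paragraphs, a shared annotation database that a second analyst can query, and fuzzy matching so a query still hits when the function comes from a different variant, can be sketched in a few dozen lines. This is an added illustration, not CrowdRE's code or API: the mnemonic listings are constructed, and n-gram Jaccard similarity over mnemonics is an assumed stand-in for whatever matching CrowdRE actually uses.

```python
from collections import Counter

# Constructed mnemonic listings standing in for two disassembled functions.
# CRYPTO_V2 is the "same" routine from a later variant: one extra mov in the
# prologue and inc replaced by add, the kind of drift fuzzy matching must absorb.
CRYPTO_V1 = ["push", "mov", "xor", "mov", "movzx", "add", "and", "mov", "movzx",
             "xor", "mov", "shr", "or", "mov", "xor", "mov", "inc", "cmp", "jl",
             "pop", "ret"]
CRYPTO_V2 = ["push", "mov", "mov", "xor", "mov", "movzx", "add", "and", "mov",
             "movzx", "xor", "mov", "shr", "or", "mov", "xor", "mov", "add",
             "cmp", "jl", "pop", "ret"]
NET_SEND = ["push", "push", "call", "test", "jz", "mov", "call", "pop", "pop", "ret"]


def fingerprint(mnemonics, n=3):
    """Bag of mnemonic n-grams. Operands are already dropped, so register
    renaming and relocated addresses do not change the fingerprint."""
    return Counter(tuple(mnemonics[i:i + n]) for i in range(len(mnemonics) - n + 1))


def similarity(fp_a, fp_b):
    """Weighted Jaccard similarity between two n-gram bags, 0.0 .. 1.0."""
    inter = sum((fp_a & fp_b).values())
    union = sum((fp_a | fp_b).values())
    return inter / union if union else 0.0


class AnnotationStore:
    """Stand-in for the shared cloud database: notes keyed by fingerprint."""

    def __init__(self, threshold=0.5):
        self.threshold = threshold  # assumed cut-off; tune against real data
        self.entries = []

    def publish(self, analyst, name, mnemonics, note):
        self.entries.append({"analyst": analyst, "name": name, "note": note,
                             "fp": fingerprint(mnemonics)})

    def lookup(self, mnemonics):
        """Return (score, entry) for the best match above threshold, else None."""
        fp = fingerprint(mnemonics)
        best = None
        for entry in self.entries:
            score = similarity(fp, entry["fp"])
            if score >= self.threshold and (best is None or score > best[0]):
                best = (score, entry)
        return best


if __name__ == "__main__":
    store = AnnotationStore()
    store.publish("analyst_a", "crypto_loop", CRYPTO_V1, "keystream loop (constructed note)")
    print(store.lookup(CRYPTO_V2))  # analyst_b's variant finds analyst_a's note
    print(store.lookup(NET_SEND))   # unrelated network routine: None
```

Operand-stripped n-grams tolerate the small changes shown here but not heavy obfuscation or a rebuild with a different compiler; that is where the type conflict resolution and community ratings the article mentions would matter.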
Google is planning to add CrowdRE integration to BinNavi, a graph-based reverse engineering tool for malware analysis, and the plan is to integrate with other similar tools, according to Geffner’s presentation. Linux and Mac OS support is expected soon, as well.
CrowdStrike launched publicly earlier this year after former McAfee CTO George Kurtz, along with Dmitri Alperovitch (McAfee’s ex-VP of Threat Research) and Gregg Marston, announced that the company had received its $26 million round of funding. In April, the company announced another high-profile hire when former FBI executive Shawn Henry joined the company to lead its services division.