At the Virus Bulletin conference that took place in Seattle last week, the FBI introduced a tool designed to provide users with detailed technical information on malware.
In 2011, the FBI deployed a tool called the Binary Analysis Characterization and Storage System (BACSS). The tool provides technical information on malware functionality, which investigators and incident responders can use in their activities.
Because BACSS has been a success, the FBI decided to develop Malware Investigator, an unclassified automated malware analysis tool that can be used not only by other law enforcement agencies that need it for cybercrime investigations, but also by researchers trying to understand the threat landscape and by private sector partners seeking to improve their cyberattack mitigation capabilities.
“Through Malware Investigator, the FBI will lead a collaborative effort with members of the law enforcement community, academia, and the private sector, to protect businesses deemed critical to the nation’s infrastructure. Malware Investigator will provide its users a trusted venue in which to investigate, analyze, study, and collaborate about malware threats,” the FBI said on the Malware Investigator website.
The agency believes such tools are valuable because organizations that handle cyber security incidents must be able to quickly analyze suspicious files and share the results with other members of the community. In March, when the FBI first presented Malware Investigator, Unit Chief Steve Pandelides noted that the tool would also “provide the FBI a global view of the malware threat.”
At the Virus Bulletin conference, the FBI’s Jonathan Burns explained (PDF) that the tool provides users with the information they need to respond to incidents and further investigate, so that they don’t have to waste precious time waiting for the malware to be reverse engineered.
Malware Investigator is designed to analyze threats based on file hashes, correlation, comparison, virus scanning and sandboxing. In addition to a Web service, the FBI has also developed an API for entities that want to integrate the resource into existing systems, Burns said.
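To make the hash, correlation and comparison steps concrete, here is an added example of the kind of triage pipeline such a service runs on a submission. It is not FBI code and does not use Malware Investigator's API (which the article does not document); the known-bad index, the three sample files and the choice of Jaccard similarity over extracted printable strings as the "comparison" metric are all constructed assumptions for illustration.

```python
"""Hash-based triage and string-overlap correlation of submitted files.

Added example, not code from the FBI or Malware Investigator. Every sample
and every index entry below is constructed test data; the similarity
metric (Jaccard over printable strings) is an assumed stand-in for the
richer correlation a real service performs.
"""
import hashlib
import re

# Runs of 4+ printable ASCII bytes, roughly what the `strings` tool extracts.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def file_hashes(data: bytes) -> dict:
    """Return the hash digests an analyst would share or look up."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes) -> set:
    """Static feature set: printable strings (imports, URLs, messages)."""
    return {m.decode("ascii") for m in PRINTABLE_RUN.findall(data)}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; 1.0 means identical feature sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


# Constructed samples: a known-bad file, a close variant of it, and a
# benign file that merely shares a common import library.
SAMPLE_A = (b"MZ\x90\x00" + b"\x00" * 8
            + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
            + b"http://c2.example.invalid/gate.php\x00")
SAMPLE_B = (b"MZ\x90\x00" + b"\x00" * 16
            + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
            + b"http://c2.example.invalid/update.php\x00VirtualAllocEx\x00")
SAMPLE_C = b"MZ\x90\x00" + b"kernel32.dll\x00MessageBoxA\x00Hello, world\x00"

# Constructed known-bad index keyed on SHA-256, as a hash lookup service would be.
KNOWN_BAD = {
    hashlib.sha256(SAMPLE_A).hexdigest(): {
        "family": "constructed-family-A",
        "verdict": "malicious",
    },
}

# Earlier submissions available for correlation (constructed).
CORPUS = {"sample_a": SAMPLE_A, "sample_b": SAMPLE_B, "sample_c": SAMPLE_C}


def triage(name: str, data: bytes, index: dict, corpus: dict,
           threshold: float = 0.4) -> dict:
    """Hash the file, look it up, and list earlier submissions it resembles.

    An exact hash hit answers the question immediately; when there is no hit,
    the correlation step still surfaces related samples so responders do not
    have to wait for a full reverse-engineering effort.
    """
    hashes = file_hashes(data)
    hit = index.get(hashes["sha256"])
    features = extract_strings(data)
    related = []
    for other_name, other_data in corpus.items():
        if other_name == name:
            continue
        sim = jaccard(features, extract_strings(other_data))
        if sim >= threshold:
            related.append((other_name, round(sim, 2)))
    related.sort(key=lambda item: -item[1])
    return {"name": name, "sha256": hashes["sha256"], "known": hit,
            "related": related}


if __name__ == "__main__":
    for sample_name, sample_data in CORPUS.items():
        print(triage(sample_name, sample_data, KNOWN_BAD, CORPUS))
```

With these inputs the known sample is identified by its hash alone, the variant misses the hash index but is tied to the known sample through shared imports and C2 host, and the benign file correlates with nothing above the threshold; that split between "exact match" and "related but unseen" is what lets a shared index turn one analyst's work into a result others can reuse.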
For the time being, Malware Investigator is only available to law enforcement via the Law Enforcement Enterprise Portal (LEEP). Private sector organizations will soon be able to access the service via InfraGard, the partnership between the FBI and the private sector.
It’s not a secret that the FBI is interested in collecting malware from multiple sources. Back in February, the agency announced that it was willing to pay for malware that would be used by the Investigative Analysis Unit (IAU) of the agency’s Operational Technology Division. The FBI said at the time that the collection of malware is “critical to the success of the IAU’s mission to obtain global awareness of malware threat.”