Thursday, February 21, 2013

MASTIFF: Automated Static Analysis Framework

Malware analysis is a process that begs to be automated. Messing up one step or running one tool incorrectly can cause you to have to restart the entire process. Fortunately, there are a number of automation frameworks or systems, such as Cuckoo or Threat Expert, that exist to help automate malware analysis.

While these automation frameworks are great, they tend to focus on dynamic analysis (behavioral analysis); static analysis (characteristic analysis) is mostly left out. The static analysis techniques that the frameworks do perform vary, but typically include hashing, strings extraction and some file-type-specific tools, along with a couple of other techniques. Additional static analysis programs or techniques usually have to be implemented on their own.

To do this, analysts typically create a master static analysis script that runs all of the desired tools against a file. However, if an analysis tool is run against a file type that it cannot analyze, such as a PE header analysis tool on a PDF, you run the risk of crashing the analysis program and, in turn, your automation script.

As an incident responder and malware analyst, I came up against these issues all the time, so I started to look for a solution. Nothing existed to automate the entire static analysis process and allow you to add in your own techniques.

That is why MASTIFF, an open source automated static analysis framework, was created. MASTIFF performs two functions for the analyst:
  • The file type of the file being analyzed is automatically determined.
  • Only those techniques which work on that file type are applied.
By automatically determining the file type for the analyst and ensuring that only the static analysis techniques that work on that file type are run, the analyst can be assured that the risk of crashing the automated process is lessened, and that only relevant data is returned.


MASTIFF works by utilizing plug-ins for both file-type detection and static analysis techniques. The decision to utilize plug-ins was two-fold:
  • The types of files analyzed and the techniques available within MASTIFF can be easily expanded by adding new plug-ins.
  • MASTIFF is able to be "crowd-sourced".
The last reason was especially important. Anyone can create a new plug-in to add a new file type or analysis technique. As more people add plug-ins, the more useful the framework becomes. To facilitate easier plug-in development, template (skeleton) plug-ins have been included with the project. In just a few minutes, someone can modify a few fields in the template and have a new plug-in ready to go.
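To illustrate the dispatch model described above, here is a small Python sketch written for this post (example code, not MASTIFF's own API or plug-in interface): magic-byte detectors decide the file type, each analysis plug-in declares which types it handles, and the driver runs only the matching plug-ins, so a PE-header parser is never pointed at a PDF. The sample file bytes are constructed for the example.

```python
import hashlib
import re

# Constructed samples (not real malware): a minimal PE-style header whose
# e_lfanew at offset 0x3c points to "PE\0\0", and a tiny PDF.
SAMPLE_PE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
             + b"PE\x00\x00" + (0x014C).to_bytes(2, "little") + b"\x00" * 18)
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

# File-type detection plug-ins: ordered (magic bytes, type name) pairs.
TYPE_DETECTORS = [(b"MZ", "pe"), (b"%PDF", "pdf")]

def detect_type(data):
    for magic, name in TYPE_DETECTORS:
        if data.startswith(magic):
            return name
    return "unknown"

# Analysis plug-ins register the file types they can handle ("*" = any).
ANALYSIS_PLUGINS = []

def plugin(*file_types):
    def register(func):
        ANALYSIS_PLUGINS.append((frozenset(file_types), func))
        return func
    return register

@plugin("*")
def hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

@plugin("pe")
def pe_header(data):
    # PE-only technique: follow e_lfanew, check the signature, read the machine field.
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")  # the crash a blind master script would hit
    return {"machine": int.from_bytes(data[pe_off + 4:pe_off + 6], "little")}

@plugin("pdf")
def pdf_object_types(data):
    return [t.decode() for t in re.findall(rb"/Type\s*/(\w+)", data)]

def analyze(data):
    """Detect the file type, then run only the plug-ins registered for it."""
    ftype = detect_type(data)
    results = {"type": ftype}
    for types, func in ANALYSIS_PLUGINS:
        if "*" in types or ftype in types:
            results[func.__name__] = func(data)
    return results
```

Calling `pe_header(SAMPLE_PDF)` directly raises, which is exactly the failure the type check in `analyze` keeps out of the pipeline.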

In the coming weeks, I'll be posting information and tutorials related to MASTIFF: how to use it, how to create plug-ins for it, etc. Please let me know any questions you have on the framework, or if there is something specific that should be focused on.

Finally, I want to state that MASTIFF was funded through KoreLogic, the company I work for, and the DARPA Cyber Fast Track (CFT) program. If you are unfamiliar with CFT, I highly recommend looking at their site and submitting a proposal. It's a great program, but you only have until April 1, 2013 to do so, and then no further submissions will be taken.

Tuesday, February 19, 2013

ShmooCon 2013

This past weekend I went to my first ShmooCon in Washington D.C. I have to say this was an experience that I was not expecting. I've been to many security conferences in the past, including RECon, BlackHat, GFIRST, and some SANS and OWASP conferences. ShmooCon ranks up there in the top 2 spots, if not one of the best that I've been to.

The best thing about ShmooCon is that it has a small con feel to it, while having everything the big cons have (e.g. big-name speakers, contests, prizes, lots of smart people). It also has a small con price - if you can get a ticket, it's only going to cost you around $150.

I was also lucky enough to be selected as a speaker this year, presenting a talk on my newly open-sourced tool MASTIFF. As a speaker, they have one of the best run CFP processes I have ever used. After selection, they are constantly available for questions, have excellent moderators and are great at making sure you have what you need.

The talks at the conference were amazing. They are of the highest quality, and even the ones I didn't like were full of good information. Since I was releasing MASTIFF the first day I was there, and I was freaking out about my talk (I was in the last speaking slot of the tracks), I didn't get to see all that I would have liked. However, these stood out:

  • NSM and more with Bro Network Monitor by Liam Randall - This was the best talk of the conference IMO. Liam gave an excellent talk about what Bro is, how it works, and even how easy it is to extend it. His presentation was how all presentations should be - easy to follow and good at explaining a relatively complicated concept.
  • Crypto: You're doing it wrong by Ron Bowes - Ron gave an excellent talk about some crypto attacks, how they can be performed, and even did 3 live demos (that didn't fail) that performed these attacks. I'm not a crypto guy, but Ron's explanations of everything were easy to follow and entertaining. Plus he used The Call of Cthulhu as some of his encrypted text.
There were a lot more that I saw that were excellent, and some that I unfortunately missed. Luckily, ShmooCon makes all their recordings available online for free, and they should be up in a couple of weeks. I look forward to next year!