Concept of focused cyber hitsquads and Malware DNA
April 21, 2009
So Joe Stewart is a researcher I admire for his willingness to reveal his botnet research to the general masses, especially through his top 10 lists of the largest botnets. He has also done excellent research on more sinister malware such as Coreflood, which has evolved over the years.
Apparently he will soon be presenting at RSA some concepts similar to those I have been espousing here, such as my cyber Special Ops forces targeting cybercrime networks.
Here is a quote from his blog:
“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”
I love some of the trade rags' takes on his opinions. Titled… (Joe, I am behind you on this one.)
Researcher wants hacker groups hounded mercilessly
Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals
A technology company employing some of the best and the brightest in the field just released an update to their product that actually implements an idea that I have been working on since late last year. Clearly many in the security industry have realized that we need a couple of good game changing concepts to take us to the next level. My focus was on how to change how we COMMUNICATE about malware. If we are all working on the same sheet of paper, then we can focus our efforts on other high payoff challenges.
The company is called HBGary, led by the guys who literally wrote the book on rootkits.
HBGary seems to have done a good job building Digital DNA features into their flagship product, Responder Pro, which is an excellent live memory analysis tool. More and more, live memory analysis is critical to obtaining a full picture of what the malware does.
I have been researching similar concepts based on the extraction, through observational analysis, and generation of malware code DNA traits. The goal is to identify and classify malware by separating its characteristics (what it is) from its functions (what it does).
For example, the fact that a piece of code packs itself to hide from antivirus or hinder reversing is a characteristic. In and of itself it poses no threat. A piece of code that can read and write files on your system and execute programs is dangerous functionality all around. That is a function.
A possible implementation would involve an Adobe Flex or HTML 5 based digital cyber dashboard which takes analyzed samples from backend systems, extracts the DNA automatically or manually, and creates a signature for the malware that combines a representative string of bits representing the DNA with hash and fuzzy hash signatures such as MD5, SHA-1, SHA-256, SHA-512, and ssdeep.
The dashboard generates a characteristic score and a functional score that combine into an overall threat score.
The operational vision is to use this dashboard to describe the malware DNA in layman's terms so that cyber-operators and CIO types can RAPIDLY understand the threat and deal with it, rather than trying to decipher a bunch of gobbledygook.
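As an added illustration (not the author's dashboard or HBGary's Digital DNA implementation), here is a Python sketch of the signature and scoring scheme described above: a trait catalogue split into characteristics and functions, a fixed-width DNA bit string, the exact hashes, and the two scores summed into a threat score. The catalogue, the weights and the summing rule are assumptions, and ssdeep is left out because it needs a third-party library.

```python
import hashlib

# Constructed trait catalogue (weights are assumptions for this example only).
# A trait is either a "characteristic" (what the code is) or a "function"
# (what the code does). Its index in the list is its bit position in the DNA.
TRAITS = [
    # (name, kind, weight)
    ("packed",             "characteristic", 1),
    ("anti_debug",         "characteristic", 2),
    ("string_obfuscation", "characteristic", 1),
    ("file_read_write",    "function",       3),
    ("process_execute",    "function",       4),
    ("network_beacon",     "function",       4),
    ("keylogging",         "function",       5),
]

def dna_bits(observed):
    """Encode observed trait names as a fixed-width bit string, one bit per catalogue entry."""
    return "".join("1" if name in observed else "0" for name, _, _ in TRAITS)

def scores(observed):
    """Characteristic score, function score, and (assumed rule) their sum as the threat score."""
    char = sum(w for n, k, w in TRAITS if k == "characteristic" and n in observed)
    func = sum(w for n, k, w in TRAITS if k == "function" and n in observed)
    return {"characteristic": char, "function": func, "threat": char + func}

def signature(sample, observed):
    """Combine the DNA bit string with the sample's exact hashes (ssdeep omitted)."""
    return {
        "dna": dna_bits(observed),
        "md5": hashlib.md5(sample).hexdigest(),
        "sha1": hashlib.sha1(sample).hexdigest(),
        "sha256": hashlib.sha256(sample).hexdigest(),
        "sha512": hashlib.sha512(sample).hexdigest(),
    }

def same_family(dna_a, dna_b, max_distance=1):
    """Treat samples whose DNA differs in at most max_distance bits as related.
    Exact hashes cannot do this: any byte change gives a completely new hash."""
    return sum(a != b for a, b in zip(dna_a, dna_b)) <= max_distance

if __name__ == "__main__":
    sample = b"constructed sample bytes, not real malware"
    observed = {"packed", "file_read_write", "process_execute"}
    print(signature(sample, observed))
    print(scores(observed))
```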
The third component is an intelligence component that combines raw multi-disciplinary private and open source intelligence on the bad guys behind the campaigns into digital dossiers.