One of the things sorely lacking in the industry is a reliable, standardized index for the weaponization rating of malware.  Security vendors are typically too overwhelmed, or too lazy, to do this inside the capitalistic bubble they call a business plan.  Malware analysts such as myself have seen this obvious need for a while now.  This rating system applies (pardon the hype buzzwords) to APT, targeted attacks, advanced obfuscation and protection tools, and cybercrime banking malware alike.  In the end they all, mostly, build some hopefully advanced mechanism into their design to circumvent host hardening, exploit prevention mechanisms, network detection, or host detection.  They also implement highly advanced anti-analysis, obfuscation, and armoring techniques.  The list goes on and on.  However, there is no standard for this and not much debate, so I am proposing the following.

WEAPONIZATION INDEX Scoring System for Malware

A Malware Weaponization Index is calculated to indicate the level of sophistication and the advanced techniques leveraged to avoid detection, achieve persistence, maintain survivability, and prevent remediation, along with an assessment of the precision of organizational and informational targeting and the sophistication of the propagation and exploitation vectors, such as code exploiting 0-day vulnerabilities. This supports triage operations for analysis, such as dealing with APT, highly customized code, or advanced botnets.

Each of these categories is given a weighted rating, culminating in an overall score.  As techniques become mainstream and commonplace, or out of date, they drop off the scale and new techniques are added.

  • Percentage of custom developed code versus code reuse
  • Number of exploitable vulnerabilities in the malcode
  • Number of software development flaws
  • Ratio of optimized to inefficient code
  • Use of advanced rootkit techniques, Direct Kernel Object Manipulation (DKOM), malicious hypervisors
  • Encryption robustness evaluation (XOR versus AES, RC5, Public/Private key)
  • Usage of code integrity checking
  • Awareness of operation in virtualized or sandbox environments
  • Implementation of attacks against custom or little used software
  • Implementation of highly advanced anti-debugging techniques
  • Custom targeting of narrowly focused data sets (automatic searching for critical keyword based content)
  • Implementation of custom code packing techniques
  • Implementation of virtualized packers
  • Awareness of hypervisor monitoring
  • Malware that runs completely from memory
  • Malware that is designed to foil memory forensics
  • Malware that protects its critical data such as encryption keys in memory
  • Malware implements destructive or highly disruptive capabilities
  • Malware that armors itself against inspection and hooking techniques
  • Malware that utilizes secure deletion techniques to foil disk based forensics
  • Malware that runs in the kernel using little-known native functions
  • Malware that uses unique and innovative persistence techniques
  • Malware developed in languages not commonly used
  • Level of sophistication in metamorphic and polymorphic techniques
  • Level of detection based on AV scanning
  • Any attacks against embedded hardware such as Cisco routers or wireless infrastructure
  • Any exploits against real time operating systems, or weapons platforms
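As an added illustration (not code from this post), here is one way such a weighted index could be computed in Python. The trait names, weights, encryption scale and tier thresholds are assumptions chosen for the example; what it demonstrates is the mechanics the list above calls for: graded and boolean traits normalised onto one scale, a weighted sum expressed as a percentage of the currently active maximum, a check that an analyst's report uses only catalogued traits, and retired traits that stop counting once a technique becomes commonplace.

```python
"""Weaponization Index: weighted trait scoring (added, illustrative example)."""
from __future__ import annotations

# Trait catalog: name -> (weight, retired). Weights are ASSUMED values
# chosen for illustration, not a published scale. A retired trait stays in
# the catalog so older reports still parse, but it no longer counts on
# either side of the ratio: this is how a technique "drops off the scale"
# once it becomes commonplace.
CATALOG: dict[str, tuple[int, bool]] = {
    "custom_code_ratio":      (8, False),   # fraction of custom vs reused code (0.0-1.0)
    "dkom_rootkit":           (10, False),  # Direct Kernel Object Manipulation
    "malicious_hypervisor":   (10, False),
    "encryption_strength":    (6, False),   # graded: see ENCRYPTION_LEVELS
    "code_integrity_checks":  (4, False),
    "sandbox_aware":          (5, False),   # detects VM / sandbox execution
    "anti_debugging":         (5, False),
    "virtualized_packer":     (7, False),
    "memory_only":            (7, False),   # never touches disk after loading
    "anti_memory_forensics":  (8, False),
    "secure_deletion":        (4, False),
    "zero_day_exploit":       (10, False),  # propagation/exploitation vector
    "targeted_data_search":   (6, False),   # keyword hunting for specific data
    "generic_runtime_packer": (3, True),    # retired: every commodity sample has one
}

# Ordinal scale for the encryption robustness trait (assumed mapping).
ENCRYPTION_LEVELS = {"none": 0.0, "xor": 0.2, "rc5": 0.5, "aes": 0.8, "public_key": 1.0}

# Score bands (assumed thresholds), highest first.
TIERS = [(75.0, "weaponized"), (50.0, "advanced"), (25.0, "commodity-plus"), (0.0, "commodity")]


def unknown_traits(observations: dict) -> set[str]:
    """Names in an analyst's report that the current catalog does not define."""
    return set(observations) - set(CATALOG)


def normalise(trait: str, value) -> float:
    """Map an observed value onto 0.0-1.0 regardless of how it was recorded."""
    if trait == "encryption_strength":
        if value not in ENCRYPTION_LEVELS:
            raise ValueError(f"unknown encryption level {value!r}")
        return ENCRYPTION_LEVELS[value]
    if isinstance(value, bool):
        return 1.0 if value else 0.0
    level = float(value)
    if not 0.0 <= level <= 1.0:
        raise ValueError(f"{trait}: graded values must lie in 0.0-1.0, got {value!r}")
    return level


def weaponization_index(observations: dict) -> tuple[float, str]:
    """Return (score 0-100, tier) for one sample's observed traits.

    score = 100 * sum(weight * level) / sum(active weights); retired traits
    are ignored even if reported, so scores stay comparable as the scale moves.
    """
    missing = unknown_traits(observations)
    if missing:
        raise KeyError(f"traits not in catalog: {sorted(missing)}")
    active = {name: w for name, (w, retired) in CATALOG.items() if not retired}
    max_points = sum(active.values())
    points = sum(active[t] * normalise(t, v) for t, v in observations.items() if t in active)
    score = round(100.0 * points / max_points, 1)
    tier = next(label for floor, label in TIERS if score >= floor)
    return score, tier


# Constructed reports for two hypothetical samples (not real malware data).
COMMODITY_BANKER = {
    "custom_code_ratio": 0.3, "encryption_strength": "xor",
    "anti_debugging": True, "sandbox_aware": True,
    "generic_runtime_packer": True,   # retired trait: reported, but scores 0
}
TARGETED_IMPLANT = {
    "custom_code_ratio": 0.9, "dkom_rootkit": True, "encryption_strength": "public_key",
    "code_integrity_checks": True, "sandbox_aware": True, "anti_debugging": True,
    "memory_only": True, "anti_memory_forensics": True, "zero_day_exploit": True,
    "targeted_data_search": True,
}

if __name__ == "__main__":
    for name, report in (("commodity banker", COMMODITY_BANKER), ("targeted implant", TARGETED_IMPLANT)):
        print(f"{name}: {weaponization_index(report)}")
```

The denominator is recomputed from the active traits on every call, so retiring a trait or adding a new one shifts every sample's score consistently instead of silently inflating older reports; a report that names a trait outside the catalog is rejected rather than scored, which is the check you want when analysts from several organizations are feeding one index.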

So the transformation of data into information, and of information into knowledge that operational people can use to better defend against and respond to malware, is critical.  Assuming that the concept of a centralized Malware DNA database can get off the ground, and we don't end up with 50 different competing versions, the next logical step is crafting an operational vision to unify the concept and actually make it useful.

Here is an overview of one such method.

The Crucial Security “Digital Genome Sequencing Methodology” advances the established, highly technical field of malware analysis by changing the current operational methods for communicating, collaborating, and sharing critical intelligence about malicious code. This new communications model is comprised of the following key components:

  • A Digital Genome Sequence data representation standard collaboratively established through an expert network of malicious code analysts and implemented as a unique binary bitstream for the description of malware along with its hash and fuzzy hash signatures.
  • A knowledge base repository of malware DNA traits comprising characteristics and functions. Characteristics are what the malware looks like, functions represent the potentially hostile effects that can impact operations.
  • An XML Malware DNA Trait data schema to parse the malware bitstream and represent it to applications for operational use. This schema will translate the bitstream into technical intelligence by presenting detailed information about each trait.
  • A distributed Malware Intelligence Fusion Dashboard application implements the XML schema and communicates the analytical information to the operator as an intelligence dossier about the malware sample.
  • A Malware Analyst Workbench component within the dashboard lets analysts retrieve a malware sample during analysis and author its digital genome sequence by selecting DNA traits as they are discovered. This allows constant refinement of the sample's markup in collaboration with other analysts, who can securely discuss the markup process.
  • The Malware Dossier is constructed of DNA traits fused together with previously derived cyber-intelligence related to that sample and delivered as analytical product for total situational awareness.
  • An Operational Impact Score is generated for the cyber-operator based on a weighted scoring algorithm that evaluates the likelihood of code being malicious based on its characteristics, functions, and historical cyber-intelligence compared to its delivery vector and operational targeting of critical assets, organizations, data, or operations.

This “Offense informs Defense” approach allows commanders to plan effectively for agile cyber-defense and to conduct precise cyber-targeting in support of counter-force and counter-intelligence actions.

The collaborative approach to analysis and communication of malware DNA traits is the only realistic and scalable solution to a critical national security problem: one that threatens to blunt our ability to protect national interests and to erode the scientific and technological advantage gained through expensive research and development.

Any knowledge base is only as good as the collaborative work entered into it by the hardworking and pioneering analysts who currently research new malware tactics, techniques, and procedures.  I will be issuing this invitation to reversers and analysts I have respected and read while doing my research.  It is my hope that a small portion of these researchers will accept this role and help guide the open-source generation of the world's largest malware DNA knowledge base.

Here is the list in no particular order: 

  • Phil Wallisch – HBGary
  • Lorenzo Kucaric – Crucial Security
  • Michael Troutman – Crucial Security
  • Nick Harbour – Mandiant
  • Jorge Mieres
  • Tom Liston
  • Giuseppe Bonfa (Evil Cry)
  • Frank Boldewin
  • Alex Lanstein – Fireeye
  • Atif Mushtaq – Fireeye
  • Julia Wolf – Fireeye
  • Didier Stevens
  • Paul Royal
  • Danny Quist – Offensive Computing
  • Marco Cova
  • Ero Carrera
  • Joe Stewart – SecureWorks
  • Anushree Reddy
  • Dancho Danchev
  • Peter Kleissner
  • Ivan Kirillov – MITRE MAEC
  • Dr. Michael VanPutte – DARPA Cyber Genome

This list is not complete and will be enhanced based on recommendations from other analysts and researchers.  There is also a standing invitation to all antivirus community researchers who do this for a living and have seen these techniques and tricks for years, yet have never had an effective way to communicate these traits in a standardized fashion.  Now here is your chance!

Post a reply here if you're interested in being on the board.

This is a test of a development prototype for the identification and submission of Malware DNA Traits into a centralized knowledge base.  This will be a collaborative industry effort.  The industry has recognized and validated the need for this; several excellent groups are adopting the concepts of malware DNA.  Here is a sampling.  The fact that pools of research money have been, and still are, being put into solving this problem, especially under DARPA, demonstrates how challenging a realization of this will be.

  • HBGary – Digital DNA feature in Responder Pro, their live memory analysis toolset
  • Harris Corp. (Crucial Security) – Digital Genome Sequencing Methodology
  • MITRE – MAEC (Malware Attribute Enumeration and Characterization)
  • IEEE Standards Association
  • Defense Advanced Research Projects Agency (DARPA) Strategic Projects Office – Cyber Genome program

Joe Stewart of SecureWorks is a researcher I admire for his willingness to share his research with the general public, especially through his top-10 lists of the largest botnets.  He has also done excellent research on more sinister malware such as Coreflood, which has evolved over the years.


Apparently he is presenting at RSA soon some concepts similar to those I have been espousing here, such as my cyber special ops forces targeting cybercrime networks.

Here is a quote from his post:

“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”

I love some of the press coverage it has already drawn, titled as follows.  (Joe, I am behind you on this one.)

Researcher wants hacker groups hounded mercilessly

Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals

I have discussed these concepts in great depth in some of my earlier posts, such as the Spotlight Shine Bright series and my “I Call Shenanigans” and “BBC Wussy Robin Hood” articles.

A technology company employing some of the best and brightest in the field just released an update to their product that actually implements an idea I have been working on since late last year.  Clearly many in the security industry have realized that we need a couple of good game-changing concepts to take us to the next level.  My focus was on changing how we COMMUNICATE about malware.  If we are all working from the same sheet of paper, then we can focus our efforts on other high-payoff challenges.

The company is HBGary, led by the guys that literally wrote the book on rootkits.


HBGary seems to have done a good implementation job building Digital DNA features into their flagship product Responder Pro, which is an excellent live memory analysis tool.  More and more, live memory analysis is critical to obtaining a full picture of what the malware does.


I have been researching similar concepts based on extracting malware code DNA traits through observational analysis.  The goal is to identify and classify malware characteristics (what it is) separately from its functions (what it does).

For example, the fact that a piece of code packs itself to hide from antivirus or hinder reversing is a characteristic.  In and of itself it poses no threat.  A piece of code that can read and write files on your system and execute programs is dangerous functionality all around.  That is a function.

A possible implementation would involve an Adobe Flex or HTML5 based digital cyber dashboard that takes analyzed samples from backend systems, extracts the DNA automatically or manually, and creates a signature for the malware that combines a representative string of bits representing the DNA with hash and fuzzy-hash signatures such as MD5, SHA-1, SHA-256, SHA-512, and ssdeep.

The dashboard generates a characteristic score and a functional score that roll up into an overall threat score.
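The following is an added example, not code from this post, from HBGary, or from Harris, showing one concrete encoding of the signature described in the last two paragraphs: a catalog of traits split into characteristics and functions, a fixed-position bitstream, the hashlib digests, an XML rendering for a dashboard, and a Hamming distance between two bitstreams as a crude family-similarity check. The trait catalog and the sample bytes are constructed for the example; ssdeep is omitted only because it needs a third-party library.

```python
"""Malware DNA trait bitstream with hash signatures (added, illustrative example)."""
import hashlib
import json
import xml.etree.ElementTree as ET

# Trait catalog: bit position -> (trait id, kind). Assumed, illustrative
# ordering. Positions are append-only so a bitstream produced under one
# catalog version stays decodable under later ones.
CATALOG = [
    ("packed",             "characteristic"),  # what it looks like
    ("anti_debug",         "characteristic"),
    ("vm_aware",           "characteristic"),
    ("memory_only",        "characteristic"),
    ("reads_writes_files", "function"),        # what it can do
    ("executes_programs",  "function"),
    ("keystroke_capture",  "function"),
    ("network_c2",         "function"),
    ("kernel_driver",      "function"),
    ("secure_delete",      "function"),
]
POSITION = {name: i for i, (name, _) in enumerate(CATALOG)}
# Fingerprint of the catalog itself, so a consumer can refuse a bitstream
# that was produced against a different trait ordering.
CATALOG_ID = hashlib.sha256("|".join(n for n, _ in CATALOG).encode()).hexdigest()[:16]


def encode_traits(traits) -> str:
    """Set one bit per observed trait; unknown trait names are an error."""
    bits = ["0"] * len(CATALOG)
    for name in traits:
        if name not in POSITION:
            raise KeyError(f"trait {name!r} is not in the catalog")
        bits[POSITION[name]] = "1"
    return "".join(bits)


def decode_traits(bitstream: str) -> dict:
    """Expand a bitstream back into characteristics and functions."""
    if len(bitstream) != len(CATALOG) or set(bitstream) - {"0", "1"}:
        raise ValueError("bitstream does not match catalog width or alphabet")
    out = {"characteristic": [], "function": []}
    for bit, (name, kind) in zip(bitstream, CATALOG):
        if bit == "1":
            out[kind].append(name)
    return out


def trait_distance(a: str, b: str) -> int:
    """Hamming distance between two bitstreams: a cheap family-similarity check."""
    return bin(int(a, 2) ^ int(b, 2)).count("1")


def build_record(sample: bytes, traits) -> dict:
    """Signature record: DNA bitstream plus the exact-match digests named above."""
    return {
        "catalog_id": CATALOG_ID,
        "dna": encode_traits(traits),
        "md5": hashlib.md5(sample).hexdigest(),
        "sha1": hashlib.sha1(sample).hexdigest(),
        "sha256": hashlib.sha256(sample).hexdigest(),
        "sha512": hashlib.sha512(sample).hexdigest(),
    }


def record_to_xml(record: dict) -> str:
    """Render the record for a dashboard: one <trait> element per set bit."""
    root = ET.Element("malware", catalog_id=record["catalog_id"], dna=record["dna"])
    for algo in ("md5", "sha1", "sha256", "sha512"):
        ET.SubElement(root, "hash", algo=algo).text = record[algo]
    for kind, names in decode_traits(record["dna"]).items():
        for name in names:
            ET.SubElement(root, "trait", id=name, kind=kind)
    return ET.tostring(root, encoding="unicode")


# Constructed sample bytes and trait observations (not a real malware sample).
SAMPLE = b"MZ" + b"\x90" * 14 + b"constructed sample for the example"
OBSERVED = ["packed", "anti_debug", "reads_writes_files", "executes_programs", "network_c2"]
VARIANT = OBSERVED + ["vm_aware"]

if __name__ == "__main__":
    rec = build_record(SAMPLE, OBSERVED)
    print(json.dumps(rec, indent=2))
    print(record_to_xml(rec))
    print("distance to variant:", trait_distance(rec["dna"], encode_traits(VARIANT)))
```

The catalog_id is the part worth keeping whatever the final schema looks like: a bitstream is only meaningful relative to the trait ordering it was written against, so any record exchanged between organizations should carry an identifier for that ordering, and a consumer should refuse to decode a record whose catalog_id it does not recognize rather than silently misreading the bits.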

The operational vision is to use this dashboard to describe the malware DNA in layman's terms so that cyber-operators and CIO types can RAPIDLY understand the threat and deal with it, rather than trying to decode a bunch of gobbledygook.

The third component is an intelligence component that combines raw, multi-disciplined private and open-source intelligence on the bad guys behind the campaigns into digital dossiers.
