Pierluigi Paganini
October 01, 2014
The FBI has opened its Malware Investigator portal to industry in order to information sharing on this type of cyber threat and to improve incident response in case of attacks against. The FBI hopes to speed up investigation process in case of attack and allow private companies to autonomously respond to infection based on a new strain of malware without heavy reverse-engineering loads.
“Malware Investigator is a tool that provides users the ability to submit suspected malware files and within as little as an hour, receive detailed technical information about what the malware does and what it may be targeting.” states the official Malware Investigator portal.
During the ceremony for the launch of the Malware Investigator portal, the Information crime unit chief Steve Pandelides explained the positive impact for both law enforcement and the private sector. Private companies will have more information related to the specific infection and will be able to quickly mitigate the threat, on the other side the FBI will have the opportunity to assess real time the incident and monitor their evolution in the various industries.
“After submission, the report can get turned around in a matter of minutes to a matter of hours,” Pandelides said. “It will enable our private partners to protect their company’s networks and help our state and local law enforcement partners further their investigations. “It will also provide the FBI a global view of the malware threat.”
Malicious codes submitted to the Malware Investigator portal would be correlated against other submissions and analyzed by the FBI’s intelligence which will produce detailed reports. Initially, it will work for Windows malware and it would be expanded to collect also other families of malicious code. This kind of analysis has an immense value for malware analysts that could be able to track the evolution of malicious code in time, and track capabilities of APT and hackers behind the malicious campaign.
Recently I introduced you the excellent work done by the independent researcher Brandon Dixon which has analyzed for years the metadata on submissions to VisusTotal service identifying patterns related to many bad actors.
“The analysis conducted by Dixon on has an immense value, from the observation of VirusTotal submission over the time it is possible to understand how hackers work, which improvement they have made for their code and which is their cyber capabilities. These information allows analysts to track a profile of the threat actors which could help to solve problem of attribution in case of attack, improve the detection capabilities and prediction of further offensives.” I wrote.
Malware would be analyzed in part through fuzzy hashing including section hashing, virus scanning cluster, file system modification, sandboxing and others.
The FBI opened API access for organizations which plan to to integrate the system into their architecture, in this way private entities could benefit of the research made by the FBI with its analytic tools, including an automated malware analysis system, known as Binary Analysis Characterization and Storage System (BACSS), that is now used by the bureau enterprise wide.
The BACSS system provides the FBI’s investigators and security experts with technical information about the malicious code used in the attack as well as correlation with other infections.The Bureau’s Jonathan Burns explained during the Virus Bulletin conference in Seattle last week that based on the success of BACSS, the FBI approved the development of a second unclassified malware analysis system, Malware Investigator.
As explained by law enforcement the FBI began manual malware analysis in 1998 and over subsequent years it has designed its own tools to analyze the threats.
The Malware Investigator portal will help the FBI to raise awareness and share the results of its research with industry.
(Security Affairs – Malware Investigator portal, FBI)
