Malware Reverse Engineering and Protecting the Client Base
Doug Picotte | October 23, 2012
I was on a sales call recently when a client asked for an example of how our Security Engineering Research Team (SERT) produces specific security intelligence that results in protection for the client base. It was a great question, and I want to take a moment to walk through a real-world example of the value SERT delivers both to our clients and to the security community at large.
Malware Reverse Engineering
SERT performs ongoing malware and threat analysis and regularly provides consumable threat intelligence to the rest of the Solutionary engineering teams. In one particular case, SERT obtained an image of a suspected infected machine residing on a client network. SERT performed a full analysis of the image and isolated the malware-specific files, then reverse engineered them using static analysis to recover forensic intelligence from the infected files (URLs, file-system paths, registry keys, and so on). In this case, SERT discovered the command-and-control (C2) IP address to which the infected device would “phone home” for additional malicious instructions or updates. SERT validated the indicators recovered during reverse engineering before any countermeasures were built on them: a string pulled out of a binary is a candidate indicator, not a confirmed one, until it has been corroborated.
Protecting the Client Base
Once the indicators had been extracted from the malware files (establishing the entry point, the intent, and the artifacts a countermeasure could key on), the intelligence was applied to protect the entire client base. SERT reviewed the intelligence with our Security Engineering Team (SET), which applied it in the form of IDS/IPS signatures, ActiveGuard® Global rules, and ActiveGuard analytics. In this case, to protect the client, we created a specific IDS/IPS signature to detect any further outbound activity to the “phone home” IP address uncovered in our reverse engineering analysis. As a result of this signature update, we detected and isolated several other infected hosts in the client environment, preventing this malware outbreak from spreading further. Needless to say, the client was quite happy with our analysis and threat detection capabilities.
To protect our Security Device Management clients, our Managed Device Team (MDT) pushed the updated IDS/IPS signature to every client for whom we manage IDS/IPS appliances. At the same time, SET added a global rule to the global analysis threat detection engines within the ActiveGuard infrastructure to detect patterns of activity associated with this “bad actor” across the entire client base. Solutionary also maintains an extensive IP reputation list of known bad actors (malicious IPs, URLs, and other indicators) built from our ActiveGuard global analysis detection engines, and subscribes to third-party intelligence feeds as well. That information is added dynamically to our global threat detection analysis engines to provide advanced threat detection for the entire client base.
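The pipeline described in the three paragraphs above (static extraction of indicators, a validation pass, an IDS signature keyed on the C2 address, and a sweep for other hosts talking to it), as an added example that is not part of the original post and is not Solutionary's code or ActiveGuard logic. Everything in it is constructed: the byte blob standing in for a malware sample, the addresses (RFC 5737 TEST-NET ranges, with 203.0.113.45 playing the C2), the flow records, and the Snort rule message text and SIDs are all assumptions. Only sanity-level validation is shown; the corroboration an analyst would do before shipping a signature (sandbox run, passive DNS, reputation lookup) is not reproduced.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for a malware sample: a few strings an analyst would hope
# to find, padded with binary noise. All addresses are from the RFC 5737
# documentation ranges (TEST-NET); none of this is a real indicator.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    b"http://203.0.113.45/gate.php?id=%s\x00"
    b"\x12\xff\x00\x7f"
    b"C:\\Users\\Public\\svchost32.exe\x00"
    b"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x00\x01\x02"
    b"192.168.1.1\x00"          # private address: a candidate the validator must drop
    b"999.1.1.1\x00"            # looks like an IP to a regex, is not one
    b"198.51.100.7:8080\x00"
    b"\x90\x90\xcc"
)

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")                  # printable ASCII runs
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
WINPATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+")
REGKEY_RE = re.compile(r"HK(?:EY_[A-Z_]+|LM|CU|CR|U|CC)\\\S+")


def extract_strings(blob):
    """Pull printable-ASCII runs out of a binary, the first static-analysis step."""
    return [s.decode("ascii") for s in STRING_RE.findall(blob)]


def extract_iocs(blob):
    """Classify extracted strings into candidate indicators by type."""
    iocs = {"urls": set(), "ips": set(), "paths": set(), "regkeys": set()}
    for s in extract_strings(blob):
        iocs["urls"].update(URL_RE.findall(s))
        iocs["ips"].update(IPV4_RE.findall(s))
        iocs["paths"].update(WINPATH_RE.findall(s))
        iocs["regkeys"].update(REGKEY_RE.findall(s))
    return iocs


# Ranges that can never be an Internet-facing C2. The RFC 5737 documentation
# ranges are deliberately left out so the constructed sample passes.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def validate_c2_candidates(ips):
    """Sanity filter only: reject strings that are not real addresses or that
    cannot be reached across the Internet. Corroboration (sandbox, passive DNS,
    reputation lookup) happens before a signature ships and is not shown here."""
    keep = set()
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                      # e.g. an octet above 255
            continue
        if any(addr in net for net in NON_ROUTABLE):
            continue
        keep.add(ip)
    return keep


def snort_rules(c2_ips, base_sid=1000001):
    """One Snort-syntax rule per validated C2 address: alert on any outbound
    packet from the monitored network to that address, on any port or protocol.
    SIDs and message text are assumed values for this example."""
    return [
        f'alert ip $HOME_NET any -> {ip} any '
        f'(msg:"Outbound to suspected C2 {ip}"; sid:{base_sid + i}; rev:1;)'
        for i, ip in enumerate(sorted(c2_ips))
    ]


# Constructed flow records (src_ip, dst_ip, dst_port) as an IDS or flow
# collector would summarise them; 10.1.2.0/24 plays the client's network.
FLOWS = [
    ("10.1.2.30", "203.0.113.45", 80),
    ("10.1.2.31", "198.51.100.99", 443),
    ("10.1.2.44", "203.0.113.45", 80),
    ("10.1.2.44", "203.0.113.45", 80),
    ("10.1.2.50", "198.51.100.7", 8080),
    ("10.1.2.30", "10.1.2.1", 53),
]


def find_infected_hosts(flows, c2_ips):
    """Apply the signature logic to flows: any internal host with an outbound
    flow to a C2 address is flagged, with every matching flow kept as evidence."""
    hits = defaultdict(list)
    for src, dst, dport in flows:
        if dst in c2_ips:
            hits[src].append((dst, dport))
    return dict(hits)


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE)
    c2 = validate_c2_candidates(iocs["ips"])
    for rule in snort_rules(c2):
        print(rule)
    for host, evidence in sorted(find_infected_hosts(FLOWS, c2).items()):
        print(host, "->", evidence)
```

Two practical points the example makes visible. The regex stage over-collects on purpose (it keeps 192.168.1.1 and 999.1.1.1) and the validation stage is what separates candidates from usable indicators; skipping it would put a private address into a global rule. And a rule keyed only on a destination IP is cheap to deploy but ages quickly once the operator moves infrastructure, so the URL path and registry key recovered in the same pass are worth turning into content matches and host-based checks alongside it.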
In the end, SERT provided valuable security intelligence that ultimately protected the entire client base. SERT made us smarter.
Additional References
For additional information on reverse engineering techniques, please refer to the following white paper: “How Malware Analysis Benefits Incident Response”.
Also check out the SERT Awareness Report: “Black Hole Exploit Kit, Banking Trojans and ACH Transfers” and the SERT Q3 Threat Report October 2012.
Until Next Time