Review: Malware Investigator (iLEEP, FBI tool for investigating malware)

So, several months ago, I wrote about a tool that the FBI was going to make available to InfraGard members, called Malware Investigator. The tool was meant to give members of law enforcement and InfraGard analysis of submitted malware. I said I would provide a detailed write-up on how useful the tool is and how it helps me analyze the malware I find. I am happy to do that for you here; this is my review of Malware Investigator.

I submitted 3 malware samples that I found via my SSH honeypot. Granted, these samples were compiled for execution on a MIPS-based system, so all the other malware analysis tools proved relatively worthless, as most of them are only set up to run Win32 (Windows) binaries and observe that malware's execution. I submitted these samples on 4/20, one at approx. 7:30 AM MDT and the other two later in the day, at approx. 4:30 PM MDT.

As I write this post, on 4/23 at approx. 9:45 AM MDT, the analysis of all three files is still incomplete. Since these are somewhat odd-ball files to submit (again, they are MIPS executables), I think a day is a reasonable amount of time to run the malware in a sandbox and produce a report. At 3 days and still going, however, this sort of analysis is taking far too long for the service to be useful to the malware hunters out there.

Depending on the output, and if it ever completes, I may or may not provide a follow-up to this article detailing how accurate the Malware Investigator analysis was; it is something to write about.

On the positive side, the analysis of the files (just one is included here) does provide some decent initial details; what I'm really curious about, though, is the attribution and correlation that the FBI provides me with (if any).

MD5      a040d77fc5e0db8d0cc9d276bf91d941
SHA-1    0e09104957c296cb07dc2c1c455366bb672ebe5a
SHA-256  ede69575920048000b817797568c66bba98c595c8b9be15ed958108a340e9155
SSDeep
Filetype ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped
Filesize 155916 bytes


START EXECUTABLE INFORMATION
ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped

Section Name     Size (bytes)  Entropy        Address
(empty)                     0  0.0                  0
.reginfo                   24  1.45751874964      180
.init                      72  3.85408114471      204
.text                  128256  5.32139016311      288
.fini                      56  4.04831173795   128544
.rodata                  8384  5.31281073768   128608
.eh_frame                   4  0.0             136992
.ctors                      8  1.0             136996
.dtors                      8  1.0             137004
.jcr                        4  0.0             137012
.data                     912  2.98220118003   137024
.got                     1076  4.81891630417   137936
.sdata                      4  0.0             139012
.sbss                     192  3.53164822707   139016
.bss                   113720  3.41164157881   139016
.comment                 4446  3.50703035708   139016
.gnu.attributes            16  2.7717822216    143462
.mdebug.abi32               0  0.0             143478
.pdr                    11488  2.43542578362   143480
.shstrtab                 148  4.05547000495   154968
END EXECUTABLE INFORMATION