Review: Malware Investigator (iLEEP, FBI tool for investigating malware)

So, several months ago, I wrote about a tool that the FBI was going to make available for members of InfraGard, called Malware Investigator. This tool was set to provide members of law enforcement, and InfraGard to provide analysis on submitted malware. I said that I would provide a detailed write-up, regarding how useful the tool is, and how it helps me analyze found malware. I am happy to do that for you here; here is my review of Malware Investigator.

I submitted 3 malware samples, that I found via my SSH honeypot. Granted, these samples were compiled for execution on a MIPS based system, so all the other malware analysis tools proved to be relatively worthless, as most of them are only setup to run w32 (windows) binaries, and test the execution of that malware. I submitted these samples on 4/20, one at approx. 7:30 AM MDT, and the other two, later in the day, approx. 4:30 PM MDT.

As I am writing this post, on 4/23, at approx. 9:45 AM MDT, the analysis of all three files is still incomplete. To me, since these are sort of odd-ball files to submit (again, they are MIPS executables), I think a day is a reasonable amount of time to run the malware in a sandbox, and provide a report. However, at 3 days, and still going, I think this sort of analysis is taking far too long, for the service to be useful for malware hunters out there.

Depending on the output, and if it ever completes, I may, or may not provide a follow-up to this article, detailing how accurate the malware analysis at Malware Investigator was; it is something to write about.

The positive analysis of the files (just one included here) is that it does provide some initial decent details; however, what I’m really curious about, is attribution and correlation that the FBI provides me with (if any).

START EXECUTABLE INFORMATION

ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped

Section Name::

Section Size::0

Section Entropy::0.0

Section Address::0

Section Name:: .reginfo

Section Size::24

Section Entropy::1.45751874964

Section Address::180

Section Name:: .init

Section Size::72

Section Entropy::3.85408114471

Section Address::204

Section Name:: .text

Section Size::128256

Section Entropy::5.32139016311

Section Address::288

Section Name:: .fini

Section Size::56

Section Entropy::4.04831173795

Section Address::128544

Section Name:: .rodata

Section Size::8384

Section Entropy::5.31281073768

Section Address::128608

Section Name:: .eh_frame

Section Size::4

Section Entropy::0.0

Section Address::136992

Section Name:: .ctors

Section Size::8

Section Entropy::1.0

Section Address::136996

Section Name:: .dtors

Section Size::8

Section Entropy::1.0

Section Address::137004

Section Name:: .jcr

Section Size::4

Section Entropy::0.0

Section Address::137012

Section Name:: .data

Section Size::912

Section Entropy::2.98220118003

Section Address::137024

Section Name:: .got

Section Size::1076

Section Entropy::4.81891630417

Section Address::137936

Section Name:: .sdata

Section Size::4

Section Entropy::0.0

Section Address::139012

Section Name:: .sbss

Section Size::192

Section Entropy::3.53164822707

Section Address::139016

Section Name:: .bss

Section Size::113720

Section Entropy::3.41164157881

Section Address::139016

Section Name:: .comment

Section Size::4446

Section Entropy::3.50703035708

Section Address::139016

Section Name:: .gnu.attributes

Section Size::16

Section Entropy::2.7717822216

Section Address::143462

Section Name:: .mdebug.abi32

Section Size::0

Section Entropy::0.0

Section Address::143478

Section Name:: .pdr

Section Size::11488

Section Entropy::2.43542578362

Section Address::143480

Section Name:: .shstrtab

Section Size::148

Section Entropy::4.05547000495

Section Address::154968

END EXECUTABLE INFORMATION