

How broken is Malware Investigator?

Malware Investigator - Broken

I have been steadily using Malware Investigator since its public debut in early March of 2015.

I have grown more and more upset with the service over this time period, and in the end, I’ve realized it’s not providing me any more of a service than what is already provided via cuckoo, VirusTotal, or malwr. Furthermore, even with some of the early problems faced by malwr, I still believe that malwr is more available than the Malware Investigator tool is.

Problems experienced using Malware Investigator:

1) Downtime – Their servers are often down outside normal business hours, and sometimes even during business hours. Oftentimes, the SAML authentication between the InfraGard website and Malware Investigator fails, or I get redirected to various error pages at Malware Investigator.

2) Processing Time – It often takes an insane amount of time to analyze my traffic. For the majority of the malware that I have submitted to their website, I would guess that the mean time to analyze is approaching a week and a half. I feel that they should have enough resources at their disposal to process malware faster than 1.5 weeks.

3) Correlations – This is the part that really got me excited to use Malware Investigator. However, it seems to be a little bit of a misnomer. I had thought that it would allow me to compare the malware I find to other malware used in higher-profile breaches / incidents, and that it would alert me to that (with a certain level of discretion, of course, understanding the different classification levels of information provided by the FBI). Unfortunately, correlations generally just give you the ability to see the usernames of other people who have uploaded that same piece of malware.

4) General Brokenness –

a) My profile has become littered with malware that I never submitted. There are a number of .dll files littering my screen that have had analysis performed against them (supposedly), that I never submitted.

b) I can’t get a proper listing of the malware that I submitted to the site unless I happen to remember the name of the malware I submitted. The general overview, where you should be able to browse all the malware you submitted, is completely broken for me; the only way to find the malware I submitted is if I happen to remember its name. So it seems the search process still works, but the listing of malware doesn’t.

I will point out the single feature I like at Malware Investigator, and the only reason I still use it: I use it to analyze all the Linux, Unix, MIPS, and other non-Windows malware that I am able to collect. That is the single weakness of both malwr and VirusTotal: they will not, or more properly said, do not have the ability to, analyze the various Linux/Unix/MIPS/whatever malware variants that I upload.

So, with all these problems I have experienced, I ask the question, “How broken is Malware Investigator?” And, “Is Malware Investigator broken beyond belief?”

Do you think that malwr and VT should start accepting and processing Linux malware, or does it represent such a low number of infections that it would be going too far? Let me know by posting a comment down below.

Please leave a comment and let me know if you use Malware Investigator, or if you don’t, and why; I want to hear other people’s reactions to Malware Investigator.

Review: Malware Investigator (iLEEP, FBI tool for investigating malware)

So, several months ago, I wrote about a tool that the FBI was going to make available for members of InfraGard, called Malware Investigator. This tool was set to provide members of law enforcement and InfraGard with analysis of submitted malware. I said that I would provide a detailed write-up regarding how useful the tool is and how it helps me analyze found malware. I am happy to do that for you here; here is my review of Malware Investigator.

I submitted 3 malware samples that I found via my SSH honeypot. Granted, these samples were compiled for execution on a MIPS-based system, so all the other malware analysis tools proved to be relatively worthless, as most of them are only set up to run w32 (Windows) binaries and test the execution of that malware. I submitted these samples on 4/20, one at approx. 7:30 AM MDT, and the other two later in the day, at approx. 4:30 PM MDT.
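The point made here (and in the post above about Linux/Unix/MIPS samples) is that a w32-only sandbox silently wastes non-Windows submissions. This added example, not code from the blog or from Malware Investigator, shows the header check a submission pipeline can do up front to route a sample to a sandbox matching its architecture; the sandbox queue names and the sample headers are constructed for the demo.

```python
import struct

# Subset of ELF e_machine values (from the ELF ABI) commonly seen in honeypot captures
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

# Hypothetical sandbox queue names used for routing; not any real product's names
ROUTES = {"PE": "w32-sandbox", "x86": "linux-x86-sandbox", "x86-64": "linux-x86-sandbox",
          "MIPS": "qemu-mips-sandbox", "ARM": "qemu-arm-sandbox", "AArch64": "qemu-arm64-sandbox"}

def identify(blob: bytes) -> dict:
    """Classify a sample by its executable header: PE (Windows) or ELF with its CPU arch."""
    if blob[:2] == b"MZ":
        return {"format": "PE", "arch": "windows"}
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return {"format": "unknown", "arch": "unknown"}
    ei_class, ei_data = blob[4], blob[5]        # EI_CLASS: 1=32-bit, 2=64-bit; EI_DATA: 1=LE, 2=BE
    endian = "<" if ei_data == 1 else ">"
    e_machine = struct.unpack_from(endian + "H", blob, 18)[0]   # e_machine sits right after e_type
    return {
        "format": "ELF32" if ei_class == 1 else "ELF64",
        "endian": "LE" if ei_data == 1 else "BE",
        "arch": ELF_MACHINES.get(e_machine, "unknown(0x%x)" % e_machine),
    }

def route(blob: bytes) -> str:
    """Pick a sandbox queue; anything unrecognised goes to manual review, not a w32-only box."""
    info = identify(blob)
    key = "PE" if info["format"] == "PE" else info["arch"]
    return ROUTES.get(key, "manual-review")

def elf_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed minimal ELF header (16-byte e_ident + e_type + e_machine) for the demo."""
    fmt = "<HH" if ei_data == 1 else ">HH"
    return b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\0" * 9 + struct.pack(fmt, 2, e_machine)

# Constructed samples: a big-endian MIPS32 router bot, a little-endian AArch64 binary, a PE stub
MIPS_BE = elf_header(1, 2, 0x08)
ARM64_LE = elf_header(2, 1, 0xB7)
PE_STUB = b"MZ" + b"\0" * 62

if __name__ == "__main__":
    for label, blob in [("mips", MIPS_BE), ("arm64", ARM64_LE), ("pe", PE_STUB)]:
        print(label, identify(blob), "->", route(blob))
```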

As I am writing this post, on 4/23 at approx. 9:45 AM MDT, the analysis of all three files is still incomplete. To me, since these are sort of odd-ball files to submit (again, they are MIPS executables), I think a day is a reasonable amount of time to run the malware in a sandbox and provide a report. However, at 3 days and still going, I think this sort of analysis is taking far too long for the service to be useful for malware hunters out there.

Depending on the output, and if it ever completes, I may, or may not provide a follow-up to this article, detailing how accurate the malware analysis at Malware Investigator was; it is something to write about.

The positive analysis of the files (just one included here) is that it does provide some initial decent details; however, what I’m really curious about, is attribution and correlation that the FBI provides me with (if any).


Malware Investigator released

As of today, the FBI/U.S. Government’s own Malware Investigator tool has been released to a wider audience of people. I believe this includes all members of InfraGard, along with the select few people offered it before this wider release.

I’m going to be loading it up with some samples that I have, testing out the tool, and determining if it can assist with forming details about malware.

I will update the blog in the next couple of days and provide details of my experience in using the Malware Investigator tool.

Dave Shackleford’s rant against Security Conferences – Rethinking the Security “Con”


Dave Shackleford, a very respected security consultant whom I personally respect a lot, recently posted a “rant” against security conferences on his website (see source above).

See the contents of the first couple of paragraphs of his post:

I realized a while back that I had lost the zeal to attend security conferences. I’ve been attending security conferences for a long damn time, as many of you have too. DEF CON, RSA, Shmoo, a whole $HIATLOAD of B-Sides, SANS of course, etc. Lots of smaller ones here and there, too (logistics have prevented me from getting to Derby yet, which makes me a little sad). The number of security conferences being held is off the chart. If you take a look at SECore, you’ll see just how many conferences are going on anywhere in the world at one point or another.

I think it’s gotten out of hand, honestly. Not because security cons are a bad thing, truth be told. Because we’re saying the same damn thing at all of them. The themes are the same, it’s a lot of the same people talking, the talks sometimes even say the exact same thing in different language. I can hear the criticism now. “Shack, that’s bullshit. We learn things at cons.” Mmmm hmmm. Sure you do. You hear what people say, you may find it fascinating, but very rarely will it make an impact on what you do day-to-day. Especially the heaping quantities of “Internet of Things” flaws and “sky is falling” talks about how doomed we all are when our thermostat becomes sentient, remotely takes over our cars, and we all die. Get a grip. It’s interesting, but we have major problems today, they’re a lot damn simpler than any of that “forward looking research”, and we’re still sucking ass at the basic stuff.

If you can’t lock down your desktops, what the hell are you doing listening to someone talk about malware reversing and shellcode? If you can’t detect a freaking port scan, let alone a DNS C2 channel, why are you waiting hours in line to hear a talk about hijacking car internals? I am a true believer in lifelong learning, so learning something just for the sake of learning is A-OK with me, I get it. But cons aren’t really helping us accomplish anything, unless they are straight-up training cons. And I don’t mean training your livers, since most cons involve staggering quantities of alcohol. . .


I agree almost completely with most of the statements Dave makes here; however, I have a couple of comments/disagreements with a couple of the points he brings up.

I, for instance, have a hard time connecting with people in the information security realm. While there are some great local security groups, they meet maybe monthly, and oftentimes meetings get canceled. Also, like many others, I have my family. Oftentimes, I find it easier to go out of town to attend a conference, where my wife can plan the time with my son, and where she doesn’t always try to interfere with the time I spend with these people. For that reason, I almost think it is easier to travel out of town rather than go to a meeting that is 1 hour away.

I would consider myself maybe 75% blue team and 25% red team in terms of experience and work experience. So, I don’t consider myself a 100% pen-tester; for most of my work experience, I look back to my experience as a defender (a la blue team). I find it an important detail to understand what both the attacker and defender are doing, and how to “fix” problems that may occur.

I also think that it is somewhat important to discuss where we are failing. If I discuss where I/my organization is failing, maybe others have been in a similar situation and have overcome that particular challenge. Not a complete waste of time, then, since maybe there is something that can help me. It is nice to understand the threat landscape, see where organizations are getting hit and how they are getting hit, and develop a way to overcome those challenges.

Anyways, check out more at Dave Shackleford’s blog.


USB has a huge security problem that could take years to fix


In July, researchers Karsten Nohl and Jakob Lell announced that they’d found a critical security flaw they called BadUSB, allowing attackers to smuggle malware on the devices effectively undetected. Even worse, there didn’t seem to be a clear fix for the attack. Anyone who plugged in a USB stick was opening themselves up to the attack, and because the bad code was residing in USB firmware, it was hard to protect against it without completely redesigning the system. The only good news was that Nohl and Lell didn’t publish the code, so the industry had some time to prepare for a world without USB.


As of this week, that’s no longer true. In a joint talk at DerbyCon, Adam Caudill and Brandon Wilson announced they had successfully reverse-engineered BadUSB, and they didn’t share Nohl and Lell’s concerns about publishing the code. The pair has published the code on GitHub, and demonstrated various uses for it, including an attack that takes over a user’s keyboard input and turns control over to the attacker. According to Caudill, the motive for the release was to put pressure on manufacturers. “If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he told Wired‘s Andy Greenberg. “You have to prove to the world that it’s practical, that anyone can do it.”

Adam Caudill and Brandon Wilson’s DerbyCon presentation (embedded video)

Still, the net effect is unlikely to be a push for USB security. As long as attackers can reprogram USB firmware, attacks like this will be a serious threat. The only way to fix the vulnerability is a new layer of security around firmware, but that would mean a full update to the USB standard itself, which means years of insecurity. However the industry responds, we’re likely to be living with it for a long, long time.

In the meantime, any time you plug a USB drive into your computer, you’ll be opening up a huge vector of attack. It’s easy to imagine a pile of dirty USBs being dumped onto a table at CES or a desk at your local Kinko’s. Unless you can track a device’s provenance from the factory to your computer, the only real protection is avoiding USB drives and devices at every turn — covering over your USB ports the same way you might cover your laptop camera. It’s an extreme response, but not an unreasonable one. And for large portions of the peripheral hardware industry, it could be a very scary thought.

CryptoWall updated to 2.0

Source: F-Secure

One of this summer’s most followed ransomware families is CryptoWall. Over time CryptoWall has seen minor updates and changes, but its core functionality has stayed pretty much the same. Once a machine has been infected, CryptoWall will attempt to encrypt the contents of the victim’s hard drive and then demand a ransom payment in exchange for the decryption key required to get the contents back.

The only major break from this was a few months ago when we observed a few CryptoWall samples that were using a custom Tor-component to communicate with their command & control servers. This Tor component was downloaded as an encrypted binary file from compromised websites. It was then decrypted and used to set up a connection to the Tor network through which the C&C server could be reached. Interestingly, we only observed a few of these “Torified” versions of CryptoWall. The majority of the samples we have seen have stuck to the original C&C communication method.

That may now have changed. Just yesterday, the first samples of ransomware calling itself “CryptoWall 2.0” were spotted in the wild.

Screenshot: The CryptoWall 2.0 ransom page

CryptoWall 2.0 appears to use a new packer/obfuscator with an increased amount of anti-debugging and anti-static analysis tricks. Upon reaching the final malicious payload, however, CryptoWall 2.0 is almost identical to the Torified CryptoWall 1.0 samples seen earlier this summer.

Figure: On the left, Torified CryptoWall 1.0; on the right, the same function in CryptoWall 2.0

Perhaps it was the efforts of security researchers to shut down CryptoWall C&C servers that were hurting the gang’s business. Or maybe they just felt it was time for a change. In any case, the author(s) clearly felt a new C&C communication method was needed. And like professional software developers, the CryptoWall author(s) seem to believe in first testing new versions thoroughly alongside previous versions before completely switching over to the new one. We believe the Torified versions of CryptoWall 1.0 were exactly that: testing. Therefore we expect to see a lot more of CryptoWall 2.0 in the near future.

List of compromised Tor-component download locations:


List of .onion C&C domains:


Hashes for CryptoWall 2.0 samples:


Hashes for Torified CryptoWall 1.0 samples:


Post by Artturi Lehtiö (@lehtior2)

FBI releases Malware Investigator portal to industry players

Source: ZDNet

The FBI’s Malware Investigator portal will soon be available to security researchers, academics and businesses.

As reported by Threatpost, the US law enforcement agency’s tool is akin to systems used by cybersecurity companies to upload suspicious files. Once a file is uploaded, the system pushes it through antimalware engines to pull out information on the file — whether it is malicious, what the malware does, and whom it affects.

The Malware Investigator analyses threats through sandboxing, file modification, section hashing, correlation against other submissions and the FBI’s own entries concerning viruses and malware reports. Windows files and common file types can currently be analysed, but this will expand to include other file types in the near future.
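Two of the techniques listed here, section hashing and correlation against other submissions, fit together: hashing each PE section separately lets a new sample match an earlier one even when the whole-file hash differs (for example, only an embedded C2 string changed). This added example, not the FBI’s or ZDNet’s code, implements that idea; the PE builder, the sample bytes and the submission IDs are constructed for the demo.

```python
import hashlib
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes

def pe_sections(blob: bytes) -> dict:
    """Return {section_name: sha256 of the raw section bytes} for a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    pos = e_lfanew + 24 + opt_size            # section table follows the optional header
    hashes = {}
    for _ in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, pos)
        hashes[name.rstrip(b"\0").decode()] = hashlib.sha256(blob[raw_ptr:raw_ptr + raw_size]).hexdigest()
        pos += 40
    return hashes

def correlate(new_hashes: dict, corpus: dict) -> dict:
    """Map each section of a new sample to earlier submissions sharing the same section hash."""
    hits = {}
    for name, h in new_hashes.items():
        for sample_id, known in corpus.items():
            if h in known.values():
                hits.setdefault(name, []).append(sample_id)
    return hits

def build_pe(sections) -> bytes:
    """Construct a minimal PE (DOS header + COFF header, empty optional header) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", len(dos) + len(coff) + 40 * len(sections)
    for name, data in sections:
        table += struct.pack(SECTION_HDR, name.encode(), len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body, ptr = body + data, ptr + len(data)
    return dos + coff + table + body

# Constructed samples: identical code section, only the embedded C2 string in .data differs
CODE = bytes.fromhex("558bec83ec10c9c3")
KNOWN = build_pe([(".text", CODE), (".data", b"c2=example.invalid\0")])
NEW = build_pe([(".text", CODE), (".data", b"c2=other.invalid\0")])
CORPUS = {"submission-0001": pe_sections(KNOWN)}      # earlier submissions, hypothetical IDs

if __name__ == "__main__":
    print("whole-file match:", hashlib.sha256(KNOWN).digest() == hashlib.sha256(NEW).digest())
    print("section hits:", correlate(pe_sections(NEW), CORPUS))
```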

The FBI says that businesses will find this tool particularly useful, stating on the portal’s website:

“Public and private sector networks are constantly dealing with malware aimed at disrupting operations, stealing information, and/or interfering with daily business. IT professionals must react nimbly to potential issues, but can only make well informed decisions when they can quickly understand the potential threat to their systems.”

Speaking at the Virus Bulletin conference in Seattle, the FBI’s Jonathan Burns said API access has been granted for businesses that wish to integrate the engine into their platforms, and the personal details of submitters remain undisclosed and private.

While the standard portal is currently available to law enforcement, another portal for researchers, businesses and academics will soon be available.