How broken is Malware Investigator?

I have been steadily using Malware Investigator since its public debut in early March of 2015.
I have grown more and more upset with the service over this time period, and in the end, I’ve realized it’s not providing me any more of a service than what is provided by Cuckoo, VirusTotal, or malwr. Furthermore, even with some of the early problems faced by malwr, I still believe that malwr is more available than the Malware Investigator tool is.
Problems experienced using Malware Investigator:
1) Downtime – Their servers are often down outside normal business hours, and even down sometimes during business hours. Oftentimes, the SAML authentication that occurs between the InfraGard website and Malware Investigator fails, or I get redirected to various error pages at Malware Investigator.
2) Processing Time – It often takes an insane amount of time to analyze my traffic. For the majority of the malware that I have submitted to their website, I would guess that the mean time to analyze is approaching a week and a half. I feel that they should have enough resources at their disposal to process malware faster than 1.5 weeks.
3) Correlations – This is the part that really got me excited to use Malware Investigator. However, it seems as if it is a little bit of a misnomer. I had thought that it would allow me to compare the malware I find to other malware used in higher-profile breaches / incidents, and that it would alert me to that (with a certain level of discretion of course, understanding the different classification levels of information provided by the FBI). Unfortunately, correlations generally gives you the ability to see the usernames of other people who have uploaded that same piece of malware.
4) General Brokenness –
a) My profile has become littered with malware that I never submitted. There are a number of .dll files littering my screen that have (supposedly) had analysis performed against them, which I never submitted.
b) I can’t get the proper listing of malware that I submitted to the site unless I happen to remember the name of the malware that I submitted. The general overview, where you should be able to browse all the malware you submitted, is completely broken for me, and the only way to find the malware I submitted is if I happen to remember its name; so it seems the search process still works, but the listing of malware doesn’t.
I will point out the single feature I like at Malware Investigator, and the only reason I still use it: I use it to analyze all the Linux, Unix, MIPS, and other non-Windows malware that I am able to collect. That is the single weakness of both malwr and VirusTotal: they will not, or, more properly said, do not have the ability to analyze the various Linux/Unix/MIPS/whatever malware variants that I upload.
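The first thing a sandbox operator needs to know about a sample like the ones described above is whether it is a Windows PE image or an ELF binary, and if ELF, for which CPU and endianness. The following is an added example, not code from the post or from Malware Investigator, malwr, or VirusTotal: it reads the ELF identification bytes and e_machine field, and routes the sample to a hypothetical queue. The routing policy, the sandbox queue names, and the sample headers are all constructed for the demo.

```python
import struct

# e_machine values from the ELF specification (a subset sufficient for common IoT/server malware).
ELF_MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 42: "SuperH",
                62: "x86-64", 183: "AArch64"}


def identify_elf(blob):
    """Parse the ELF identification bytes (EI_CLASS, EI_DATA) and e_machine.

    Returns {"bits", "endian", "arch"} for an ELF image, or None otherwise.
    e_machine is read with the byte order the file itself declares, which is
    what makes a big-endian MIPS header decode correctly on a little-endian host.
    """
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed identification bytes: do not guess
    endian = "little" if ei_data == 1 else "big"
    (e_machine,) = struct.unpack(("<" if endian == "little" else ">") + "H", blob[18:20])
    return {"bits": 32 if ei_class == 1 else 64, "endian": endian,
            "arch": ELF_MACHINES.get(e_machine, "unknown(0x%x)" % e_machine)}


def route_sample(blob):
    """Decide which kind of sandbox can execute a sample.

    Constructed policy for this example: a Windows-only service (as the post says
    malwr and VirusTotal were at the time) only helps with PE images; anything ELF
    goes to a multi-architecture queue keyed by arch/bits/endianness; everything
    else needs a human look.
    """
    if blob[:2] == b"MZ":
        return "windows-sandbox"
    info = identify_elf(blob)
    if info is None:
        return "manual-triage"
    return "multi-arch-sandbox/%s-%s-%s" % (info["arch"], info["bits"], info["endian"])


# Constructed header: 32-bit big-endian MIPS ELF executable (e_type=2, e_machine=8),
# the kind of binary an SSH honeypot on an embedded device tends to collect.
MIPS_SAMPLE = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HHI", 2, 8, 1)
# Constructed header: 64-bit little-endian x86-64 ELF executable (e_machine=62).
X64_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HHI", 2, 62, 1)
# Constructed MZ stub standing in for a Windows PE image.
PE_SAMPLE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    for label, blob in (("mips", MIPS_SAMPLE), ("x64", X64_SAMPLE), ("pe", PE_SAMPLE)):
        print(label, identify_elf(blob), route_sample(blob))
```

Reading the header is enough to avoid wasting days waiting on a Windows-only pipeline; the routing strings are placeholders for whatever queue names a real submission workflow uses.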
So, with all these problems I have experienced, I ask the question, “How broken is Malware Investigator?” And, “Is Malware Investigator broken beyond belief?”
Do you think that malwr and VT should start accepting and processing Linux malware, or does it represent such a low number of infections that it would be going too far? Let me know by posting a comment down below.
Please leave a comment and let me know if you use Malware Investigator, or if you don’t, and why; I want to hear other people’s reactions to Malware Investigator.
Review: Malware Investigator (iLEEP, FBI tool for investigating malware)

So, several months ago, I wrote about a tool that the FBI was going to make available to members of InfraGard, called Malware Investigator. This tool was set to provide members of law enforcement and InfraGard with analysis of submitted malware. I said that I would provide a detailed write-up regarding how useful the tool is and how it helps me analyze found malware. I am happy to do that for you here; here is my review of Malware Investigator.
I submitted 3 malware samples that I found via my SSH honeypot. Granted, these samples were compiled for execution on a MIPS-based system, so all the other malware analysis tools proved to be relatively worthless, as most of them are only set up to run w32 (Windows) binaries and test the execution of that malware. I submitted these samples on 4/20, one at approx. 7:30 AM MDT and the other two later in the day, at approx. 4:30 PM MDT.
As I am writing this post, on 4/23 at approx. 9:45 AM MDT, the analysis of all three files is still incomplete. To me, since these are sort of odd-ball files to submit (again, they are MIPS executables), I think a day is a reasonable amount of time to run the malware in a sandbox and provide a report. However, at 3 days and still going, I think this sort of analysis is taking far too long for the service to be useful to malware hunters out there.
Depending on the output, and if it ever completes, I may or may not provide a follow-up to this article detailing how accurate the malware analysis at Malware Investigator was; it is something to write about.
The positive analysis of the files (just one included here) is that it does provide some initial decent details; however, what I’m really curious about is the attribution and correlation that the FBI provides me with (if any).
Malware Investigator released
As of today, the FBI/U.S. Government’s own Malware Investigator tool has been released to a wider audience of people: I believe all members of InfraGard, along with the select few people offered it before this wider release.
I’m going to be loading it up with some samples that I have, testing out the tool, and determining if it can assist with forming details about malware.
I will update the blog in the next couple of days and provide details of my experience in using the Malware Investigator tool.
Report: NSA Hacked North Korea Before Sony Breach
Source: PCMag
More details are being released in regards to North Korea, and the breach that occurred at Sony.
What is now being reported is that the NSA has had access to North Korea’s computers (read: hacked) since 2010. Some are now reporting that the hack at Sony was in retaliation for the hacking that the NSA had done against North Korea.
I’m still very hesitant to call the Sony breach a hack perpetrated by North Korea, even with the additional evidence/details about the NSA being inside North Korea’s computers.
From the article:
As it turns out, the U.S. had some inside information. According to reports from Der Spiegel and The New York Times, the U.S. knew that North Korea hacked Sony because the U.S. had hacked North Korea.
The National Security Agency (NSA), in fact, has had access to North Korean networks and computers since 2010, the Times said. Officials wanted to keep tabs on the country’s nuclear program, its high-ranking officials, and any plans to attack South Korea, according to a document published by Der Spiegel.
North Korea did attack South Korea in 2013, crippling several of the nation’s leading financial and media organizations. At one point, however, the hackers revealed their IP addresses – the same IP addresses that popped up again in the Sony hack.
Silk Road Lawyers Poke Holes in the FBI’s Story
Source: Slashdot and Krebs on Security
From Brian Krebs about the court proceedings against Ross Ulbricht for his involvement in Silk Road, the online drug marketplace that was shut down (at least temporarily) by law enforcement last year. Ulbricht’s lawyers have demanded information from the FBI in the course of discovery, and the documents provided by the government don’t seem to confirm the FBI’s story.
For starters, the defense asked the government for the name of the software that FBI agents used to record evidence of the CAPTCHA traffic that allegedly leaked from the Silk Road servers. The government essentially responded (PDF) that it could not comply with that request because the FBI maintained no records of its own access, meaning that the only record of their activity is in the logs of the seized Silk Road servers.
…
The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.
…
“What happened is they contacted that IP directly and got a PHPMyAdmin configuration page.” See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.
FBI releases Malware Investigator portal to industry players
Source: ZDNet
The FBI’s Malware Investigator portal will soon be available to security researchers, academics and businesses.
As reported by Threatpost, the US law enforcement agency’s tool is akin to systems used by cybersecurity companies to upload suspicious files. Once a file is uploaded, the system pushes it through antimalware engines to pull out information on the file — whether it is malicious, what the malware does, and whom it affects.
The Malware Investigator analyses threats through sandboxing, file modification, section hashing, correlation against other submissions and the FBI’s own entries concerning viruses and malware reports. Windows files and common file types can currently be analysed, but this will expand to include other file types in the near future.
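Of the techniques listed above, section hashing and correlation against other submissions are the ones that turn a single upload into a relationship with earlier ones: two builds of the same family usually share a byte-identical code section even when their embedded configuration, and therefore the whole-file hash, differs. The block below is an added example of that idea and is not Malware Investigator’s code or a description of its internals. It walks the PE section table, hashes each section’s raw bytes, and looks those hashes up in a submission index keyed by section hash; the minimal PE builder, the two samples, and the submitter index are all constructed for the demo.

```python
import hashlib
import struct

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER


def pe_sections(blob):
    """Walk the PE section table and return [(name, sha256_of_raw_bytes, truncated)].

    Only the fields needed to locate raw section data are parsed; nothing beyond
    the MZ/PE signatures is validated, because malware headers are often odd and a
    hasher should still produce something for them.
    """
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", blob, coff + 2)
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", blob, off + 16)
        data = blob[ptr_raw:ptr_raw + size_raw]
        # A section pointing past EOF is hashed as-is but flagged, not dropped.
        sections.append((name, hashlib.sha256(data).hexdigest(), len(data) != size_raw))
    return sections


def shared_sections(a, b):
    """Names of sections whose raw bytes are identical in both images."""
    b_hashes = {(name, digest) for name, digest, _ in pe_sections(b)}
    return [name for name, digest, _ in pe_sections(a) if (name, digest) in b_hashes]


def correlate(blob, index):
    """Look each section hash up in an index {sha256: set(submitter)} and report hits."""
    hits = {}
    for name, digest, _ in pe_sections(blob):
        if digest in index:
            hits[name] = sorted(index[digest])
    return hits


def build_pe(sections):
    """Assemble a header-only PE (no optional header, not loadable) around the given
    (name, raw bytes) sections. Constructed purely so the demo has input to hash."""
    e_lfanew = 0x40
    n = len(sections)
    data_off = e_lfanew + 4 + 20 + SECTION_HDR * n
    img = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    # COFF header: Machine=i386, NumberOfSections, three zero fields, SizeOfOptionalHeader=0, Characteristics
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    body = b""
    for name, data in sections:
        img += name.encode().ljust(8, b"\0")
        img += struct.pack("<IIII", len(data), 0x1000, len(data), data_off + len(body))
        img += b"\0" * 16  # relocation/line-number fields and Characteristics left zero
        body += data
    return bytes(img) + body


# Constructed samples: identical code section, different embedded build configuration.
CODE = b"\x55\x89\xe5\x83\xec\x10" * 32
SAMPLE_A = build_pe([(".text", CODE), (".data", b"build-id: alpha\0")])
SAMPLE_B = build_pe([(".text", CODE), (".data", b"build-id: bravo\0")])

# Constructed submission index: who has already uploaded a section with this hash.
SUBMISSIONS = {pe_sections(SAMPLE_A)[0][1]: {"analyst-7", "lab-3"}}

if __name__ == "__main__":
    same_file = hashlib.sha256(SAMPLE_A).digest() == hashlib.sha256(SAMPLE_B).digest()
    print("whole-file hashes equal:", same_file)
    print("shared sections:", shared_sections(SAMPLE_A, SAMPLE_B))
    print("prior submitters of matching sections:", correlate(SAMPLE_B, SUBMISSIONS))
```

The whole-file hashes of the two samples differ, so a plain hash lookup would treat them as unrelated, while the section index links them through `.text` and surfaces who submitted the earlier build. A production index would also hash sections of unpacked images, since a packer rewrites every section of the file on disk.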
The FBI says that businesses will find this tool particularly useful, stating on the portal’s website:
“Public and private sector networks are constantly dealing with malware aimed at disrupting operations, stealing information, and/or interfering with daily business. IT professionals must react nimbly to potential issues, but can only make well informed decisions when they can quickly understand the potential threat to their systems.”
Speaking at the Virus Bulletin conference in Seattle, the FBI’s Jonathan Burns said API access has been granted for businesses that wish to integrate the engine into their platforms, and the personal details of submitters remain undisclosed and private.
While the standard portal is currently available to law enforcement, another portal for researchers, businesses and academics will soon be available.
FBI’s New Facial Recognition System May Cover a Third of Americans
It’s taken the FBI over half a decade to construct its system. Work on the NGI began in 2006, with a Phase I pilot version launching in early 2011. In announcing the project, the FBI wrote:
The NGI was an expensive project costing taxpayers billions, much of which went to a variety of high-profile contractors, including International Business Machines Corp. (IBM), BAE Systems plc (LON:BA), and Lockheed Martin Corp. (LMT). The lucrative payday for military-espionage corporate special interests might be justified, but the question is whether this program is a more limited effort aimed at criminals, or whether it might be the next coming of the U.S. National Security Agency’s (NSA) Orwellian PRISM program.

The NGI’s backend is driven by IBM supercomputers.
Some aspects of the NGI are certainly praiseworthy and draw little controversy. For example, it has reduced the time to process high priority criminal ten-fingerprint submissions from 2 hours down to 10 minutes — an order of magnitude speedup.

The NGI is paired with the agency’s next-generation fingerprinting technologies.
The FBI’s full legacy criminal fingerprint database has as many as 100 million fingerprints in it. But only roughly 2 million are stored in this special high-speed database, designed to identify “dangerous” suspects, such as known terrorism affiliates, sex offenders, and fugitives.
The database may also be expanded to include palmprints, an emerging form of biometrics. However, as with the high-priority database, the palm database would likely be reserved for select groups of suspects.
II. Poor Quality Images of Criminals May Lead to False Flagging of Law-Abiding Citizens
The more contentious aspects of the next generation biometrics criminal database are the facial recognition and advanced biometrics bits. In addition to facial images, the FBI is also reportedly storing images of iris and identifying marks (scars and tattoos) to help identify persons of interest, both law-abiding and otherwise.
It’s hard to deny that there may be some benefits to the FBI’s increased ability to identify faces. The FBI’s database of roughly 100 million fingerprints and its large collection of criminals’ DNA has offered key breaks in many cases over the years.
But groups such as the Electronic Frontier Foundation (EFF) are already voicing concern over a number of aspects of the NGI’s facial recognition components. One concern is that while most of the database’s photos are of current and former criminals, a small but increasing minority of its images are of law-abiding citizens. As these two collections (criminal suspects and citizens with clean records) are run through the same identification algorithms, it raises the prospect of innocent citizens being unnecessarily implicated in criminal investigations.
Writes the EFF:
While mistaken identification is of course a common problem in a non-digital context, the NGI could greatly increase it by offering up faulty tools. But how are the tools faulty and who’s to blame? The answer arguably lies in the states.

The size of the database in records has skyrocketed, but poor data quality may lead to false positives.
So far twenty-six states — a little over half the states in the Union — have signed on to participate in the facial recognition program. The other states haven’t — likely fearing civil liberty issues. The FBI set forth a series of guidelines to participating states, but it basically got its images in whatever form the state deemed fit.
A hint at how bad the data quality may be comes in the “Face Report Card”, which the FBI published in a special more in-depth effort with the state of Oregon.
In this publication, it reports that Oregon provided it with 14,408 photos over the review period in 2011. Of these, most were deemed unacceptable for a variety of reasons. First, the photos were of too low a resolution. The program requests that images be at least 0.75 megapixels (less than a smartphone photo). But most of the photos submitted by the state of Oregon were even lower resolution than that — perhaps VGA quality images. Further, many were deemed problematic due to non-ideal lighting, background, and interference.
It’s unclear just how many of the NGI’s images are these kinds of poor-quality shots. In 2012 the database housed 13.6 million images of 7 to 8 million individuals. By 2013 the database grew to 15 million images, and by 2015 it’s expected to further expand to 52 million facial images. The latest metrics indicate that on a daily basis roughly 55,000 new facial images are added to the database and “tens of thousands” of searches are conducted by the FBI and the “18,000 law enforcement agencies and other authorized criminal justice partners” (mostly state, local, and tribal police) on the growing database of images.
III. Civilian Contractors are in for a Headache
A particularly glaring concern is that many of the best images may actually come from non-criminals. The FBI says it expects to have 46 million criminal images by 2015, but also 4.3 million “civilian” images — pictures of law-abiding citizens.

Roughly half of states are giving the FBI’s facial recognition efforts a helping hand. [Image Source: EFF]
Technically the FBI appears to be keeping to its practice of not expanding biometrics to new groups, as the “civilian” images largely come from groups like federal employees or contractors who were already required to submit fingerprints to the government. But what is concerning is that in some cases the high-quality face shots of these law-abiding citizens may be compared to millions of low-quality images of criminals. Such a system might almost be guaranteed to create false positives.
But the FBI tries to obfuscate the issue with double-speak, saying in effect that the system doesn’t make determinations, so it can’t have false positives. The EFF describes:
The question becomes: if the tool only produces a true positive detection rate of 85 percent and is at its worst, accuracy-wise, when it comes to criminal photos (which reviews indicated were unacceptably low-quality images for a variety of reasons), is the database going to violate due process by leading to the harassment of law-abiding citizens?
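The 85 percent figure above is a true positive rate, which says nothing by itself about how many innocent people a search surfaces; that depends on the per-comparison false match rate multiplied by the size of the gallery. The following is an added example, not part of the article or of any FBI or EFF publication, that carries the arithmetic through with the article’s numbers (85 percent true positive rate, 52 million images projected for 2015, “tens of thousands” of daily searches). The article gives no false match rate, so the 1-in-a-million figure, the 20,000 searches per day, and the 50 percent prior that the person searched for is enrolled at all are labelled assumptions chosen only to make the calculation concrete.

```python
def expected_false_candidates(gallery_size, fmr):
    """Expected number of non-matching gallery entries that one 1:N search returns
    as candidates, assuming each comparison independently false-matches with
    probability `fmr` (the simplest model of a thresholded identification search)."""
    return gallery_size * fmr


def candidate_precision(tpr, prior_enrolled, gallery_size, fmr):
    """Share of candidates on a search's result list that are the person sought.

    tpr            probability the true entry is returned when it is enrolled
    prior_enrolled probability that the person being searched for is in the gallery at all
    """
    true_hits = prior_enrolled * tpr
    false_hits = expected_false_candidates(gallery_size, fmr)
    if true_hits + false_hits == 0:
        return 0.0
    return true_hits / (true_hits + false_hits)


def daily_false_candidates(searches_per_day, gallery_size, fmr):
    """Innocent people surfaced per day across all searches under the same model."""
    return searches_per_day * expected_false_candidates(gallery_size, fmr)


# Figures stated in the article.
TPR = 0.85
GALLERY_2015 = 52_000_000
# Assumption standing in for the article's "tens of thousands" of daily searches.
SEARCHES_PER_DAY = 20_000
# Assumption: the article gives no false match rate; one in a million per comparison
# is a placeholder for the arithmetic, not a measured property of any system.
ASSUMED_FMR = 1e-6


def scenario(prior_enrolled=0.5, fmr=ASSUMED_FMR):
    """Summarise one set of assumptions; prior_enrolled=0.5 is itself an assumption."""
    return {
        "false_candidates_per_search": expected_false_candidates(GALLERY_2015, fmr),
        "candidate_precision": candidate_precision(TPR, prior_enrolled, GALLERY_2015, fmr),
        "false_candidates_per_day": daily_false_candidates(SEARCHES_PER_DAY, GALLERY_2015, fmr),
    }


if __name__ == "__main__":
    for fmr in (1e-6, 1e-7, 1e-8):
        s = scenario(fmr=fmr)
        print(f"FMR={fmr:.0e}: {s['false_candidates_per_search']:.1f} false candidates per search, "
              f"precision={s['candidate_precision']:.3%}, {s['false_candidates_per_day']:,.0f} per day")
```

Under the assumed one-in-a-million rate a 52-million-image gallery hands back about 52 wrong people per search, so fewer than one candidate in a hundred is the person sought; tightening the false match rate a hundredfold still leaves roughly one innocent candidate per search. That is the base-rate effect the due-process argument rests on, and why a true positive rate alone is not a meaningful accuracy claim for a database of this size.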
The EFF doesn’t have a very favorable view of the tool, writing:
Is the database more trouble than it’s worth?
IV. What the FBI Isn’t Telling Us
That question grows tougher to answer amid accusations that the FBI is not being forthright about how many civilian records are in its dataset. If the EFF is correct, it is very possible that you may be in the search space, even if you’ve never applied for credentials at a federal agency or done other work-related background screenings that would place you in the FBI’s data set.
The first place you might find yourself is in the vaguely defined categories in the FBI set itself.
Close to a million additional facial images of law-abiding civilians could also be in the database by 2015, under the “Special Population Cognizant” (SPC) (750,000 images) and “New Repositories” (215,000 images) categories. The FBI has been vague about exactly who falls under these groups, but a 2007-era agency document [PDF] unearthed by the EFF seems to indicate that the SPC group will be used as an arbitrary grab-bag which federal partner agencies can use to create groups of civilian or criminal images they feel are relevant to their investigations. For example, a federal agency might include civilian pictures from their contractors’ keycards as part of their submission.
Because of these poorly defined groups the percentage of non-criminal (civilian) images in the database could be as high as 10 percent or as low as 8 percent — in the set the FBI is acknowledging, at least. Either way, some may be surprised to find themselves in the database and potentially unnecessarily ensnared in FBI investigations due to erroneous matches.
But there’s more. There’s a second set you may belong to. And this set may be much bigger.
The EFF also warns that the contractor responsible for the facial recognition algorithm — MorphoTrust (formerly L-1 Identity Solutions) — may also effectively search other large federal and state databases in addition to those detailed by the FBI. MorphoTrust is responsible for the driver’s license databases at 35 of the 50 state Departments of Motor Vehicles (DMVs). It also provides a facial recognition database for the U.S. Department of Defense (DoD) and yet another database to the U.S. State Department. The State Department database is the largest officially disclosed government facial recognition database in the world, with 244 million images of over 100 million people.
It is known that [PDF] the DoD shares its facial recognition data with the FBI, and it is not believed that this is included in the 52 million image total. Similar sharing may occur with the state DMVs and with the State Department. The EFF complains:
In other words, the database of faces used by the FBI may only be the tip of the iceberg, a criminal subset of the greater search space. The true searchable dataset of faces may be primarily civilians, which raises serious questions why the FBI is accessing that data — or if it’s not accessing it, why it isn’t making that clear to the public.
There’s strong evidence that the NGI is tied to the U.S. Department of Homeland Security’s (DHS) BOSS project, whose goal is to be able to publicly identify every American in public via facial recognition.
And due process issues aside, this influx of civilian records would seemingly make the job of picking out criminals in the already poor state-submitted photo database even harder.
V. Database May Cover Over 100 Million Americans
It’s possible these datasets are not searchable by the FBI, but the lack of transparency, at the bare minimum, is glaring. The FBI was supposed to conduct regular “Privacy Impact Assessments” to discuss and brainstorm solutions to such issues. But its last Privacy Impact Assessment was filed in 2008 — more than a half decade ago. As a result of this blackout, it’s unclear what exactly the FBI’s “fully operational” database truly represents.

Bigger, as in “Big Brother”?
The EFF states that the worst-case scenario may indeed not be too far off the mark. Its initial investigation indicates that as many as 100 million-plus civilians — a third of law-abiding Americans — may have their facial images stored in the database, assigned a searchable “Universal Control Number” just like photos of criminals. The EFF writes:
But threat or no threat, Americans have little recourse unless they can convince the courts that the program is unconstitutional (good luck with that) or, more likely, convince Congress to more clearly and narrowly define its scope. At present Congress has failed to adopt any sort of legislation restricting what kinds of civilian biometrics can be collected and whether those biometrics can be searched in a criminal investigation.

The FBI tried to use facial recognition to ID the Boston bombing suspects, but the system failed. Will it be more useful for harassing the populace? [Image Source: FBI/Salon]
As a result, if you are an American, you might find yourself pulled in for questioning by police in the near future simply because your photo looked vaguely like a blurry VGA photo of a known criminal. And as the number of such innocent mistakes grows, so too does the potential for abuse, as law enforcement receives a convenient excuse to pull in and harass whoever they want, be it a political rival or an ex-lover.
And moreover, your taxpayer money will be spent on these mistakes — be they innocent or malicious. You may ultimately be paying taxes to falsely implicate yourself in a criminal investigation. It’s easy to see why the EFF believes that it’s cause for concern.
Sources: FBI [press release], EFF [press release]