Slashdot Mirror

← Back to Stories (view on slashdot.org)

Crowd Sourced Malware Reverse Engineering Platform Launched

Posted by samzenpus on from the work-together dept.

wiredmikey writes "Security startup CrowdStrike has launched CrowdRE, a free platform that allows security researchers and analysts to collaborate on malware reverse engineering. CrowdRE is adapting the collaborative model common in the developer world to make it possible to reverse engineer malicious code more quickly and efficiently. Collaborative reverse engineering can take two approaches, where all the analysts are working at the same time and sharing all the information instantly, or in a distributed manner, where different people work on different sections and share the results. This means multiple people can work on different parts simultaneously and the results can be combined to gain a full picture of the malware. Google is planning to add CrowdRE integration to BinNavi, a graph-based reverse engineering tool for malware analysis, and the plan is to integrate with other similar tools. Linux and Mac OS support is expected soon, as well."

19 comments

  1. sounds like a good way by Anonymous Coward · · Score: 0

    To share the newest malware techniques with every interested geek.

    1. Re:sounds like a good way by LittleImp · · Score: 5, Insightful

      Yes, yes the one and only proven security measure: Obscurity.

  2. A response by Anonymous Coward · · Score: 1

    See, this is the kind of thing we need now that the nations are busy building their cyberweapons - a way for the independent do-gooders to pick em apart.

    1. Re:A response by Opportunist · · Score: 5, Insightful

      That's one of the things I'm wary of in this context: You might piss someone off with more money and firepower than $deity when you pluck apart his precious and expensive weapon to fight terrorism (or is that boggeyman outdated by now and we have another strawman to justify spying on otherwise innocent citizens? I didn't keep up to date).

      The other is that malware isn't the only thing you can reverse engineer, and that some companies might not be very interested in seeing their latest DRM junk being debunked in seconds.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:A response by Anonymous Coward · · Score: 1

      Implying that this isn't already happening - just check how many AAA games have a working crack on the release day.

    3. Re:A response by fuzzyfuzzyfungus · · Score: 3, Insightful

      That's one of the things I'm wary of in this context: You might piss someone off with more money and firepower than $deity when you pluck apart his precious and expensive weapon to fight terrorism (or is that boggeyman outdated by now and we have another strawman to justify spying on otherwise innocent citizens? I didn't keep up to date).

      I imagine that there isn't an entirely zero chance of earning yourself a dose of succulent Polonium for your tea; but I wouldn't be too concerned. If $SINISTER_INTELLIGENCE_AGENCY has cooked up some malware, and that malware has been tactless enough to get to the point of being reverse engineered in public(as opposed to being unnoticed, or covertly picked apart by the enemy $SINISTER_INTELLIGENCE_AGENCY), that malware is already too high profile for their liking. At that point, the options are (1): Start developing something else, do your best to suggest that your previous work was probably just Ukranian bot-herders or (2): Risk drawing even more attention to yourself by seeing to it that some security researchers mysteriously cut several vital arteries while shaving.

    4. Re:A response by Opportunist · · Score: 2

      So that's the reason why Stallman has a beard that needs its own zip code?

      I smell a conspiracy theory in the making.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:A response by Anonymous Coward · · Score: 0

      So that's the reason why Stallman has a beard that needs its own zip code?

      Nonsense, a beard is its own reason.

  3. Illegal by michelcolman · · Score: 2

    But didn't the DMCA make it illegal to reverse engineer code without permission?

    1. Re:Illegal by Anonymous Coward · · Score: 0

      It's a very cunning plan....

      1. Reverse Engineer Malware
      2. Get Sued by Malware Author
      3. Arrest Malware Author
      4. ....
      5. Profit?

    2. Re:Illegal by Anonymous Coward · · Score: 0

      The DMCA only applies to the USA. With CrowdRE, Reverse Engineering can happen anywhere in the world to help our helpless DMCA-hobbled Americans.

  4. Incredible!! by Viol8 · · Score: 1

    So let me get this straight - more than 1 person working on a problem is faster than just some guy doing it on his own??

    What an insight! I think a nobel prize beckons.

    1. Re:Incredible!! by Gripp · · Score: 1

      *slow clap*
      it was unexpected to see so many detractors here, especially considering that it is slashdot. sharing of insight is ALWAYS better than a few isolated teams trying to tackle something like this. Sure, some people will learn new techniques, but since they will be well known at that point, they will be well combated. If people actually use it, this should help close the gaping security flaws plaguing us at much faster pace.

    2. Re:Incredible!! by jc42 · · Score: 1

      it was unexpected to see so many detractors here, especially considering that it is slashdot. sharing of insight is ALWAYS better ...

      I'd suspect that, to understand this discussion, you should always keep Poe's Law (q.v.) in mind. The default assumption here should be that we're all including a good dose of verbal irony in our comments. Yes, even those of us who have no idea what "irony" even means.

      In particular, any suggestion here that it's best that we not learn how "malware" works should be read as a parody of the way that legislative and management minds work.

      Of course, it's always possible that some /. readers will post such things seriously.

      In any case, I'm expecting to chuckle a lot at the comments here ...

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  5. Was announced at RECOn 2012 in Montreal by Anonymous Coward · · Score: 1

    Hello

    The CrowdRE initiative was announced at RECon in Montreal mid June. Here is the ppt http://blog.crowdstrike.com/2012/06/recon-crowdre-presentation-be-social.html

  6. Requires a commercial program though... by davecb · · Score: 2

    Does "cloud sourced" also imply "buy my product?" --dave

    --
    davecb@spamcop.net
  7. Marketing/Recruiting Strategy by Dmotv8 · · Score: 1

    This is just part of CrowdStrike's branding strategy.This will be an educational and recruitying site but I seriously doubt the work posted will be keeping anyone's networks any safer.

    Consider:
    1) If you are a network security firm and have the resources on staff to reverse engineer malware, why would you allow them to contribute at a competitor's site? Do you think that CrowdStrike is going to be giving away IP for free? I think not. They aren't going to sharing any goodies until they've milked them for all they're worth.
    2) Will the creation of CrowdRE make CrowdStrike obsolete? Obviously not. It will only prove that the skills to RE malware effectively are skills that CrowdStrike, Mandiant, et. al. have that you don't.
    3) If I'm a student or under-employed and needed a venue to show off my skillz then this sounds like a place to make a name. 4) If your company's network security is breached, posting the malware you found isn't going to fix your problem. You will will still need the folks with the chops to clean up the mess. And oh, by the way, we here at CrowdStrike can make it all those bad guys go away.

    It's a good idea but not for what it claims to be.

    1. Re:Marketing/Recruiting Strategy by Em+Adespoton · · Score: 1

      This is just part of CrowdStrike's branding strategy.This will be an educational and recruitying site but I seriously doubt the work posted will be keeping anyone's networks any safer.

      Consider:

      1) If you are a network security firm and have the resources on staff to reverse engineer malware, why would you allow them to contribute at a competitor's site? Do you think that CrowdStrike is going to be giving away IP for free? I think not. They aren't going to sharing any goodies until they've milked them for all they're worth.

      AV companies share this information all the time, albeit in a more static manner. Why? Because AV has been commoditized, and all major AV companies sell their product based on what ELSE they bring to the table. Plus, there's more than enough malware to go around. This will just solve the difficult problems, which is a benefit to everyone, while leaving the sheer volume of simpler stuff for the individual companies to tackle in their own way.

      Likewise, CrowdStrike isn't selling AV protection, they'll be selling a crowdsourcing solution with features that work right now.

      Think about, say, the latest Ransomware trend. A site like this would be perfect for cracking the encryption routines... after which, each lab will apply the routines to their own samples to produce a solution that works with their own system. But the reverse engineering will have been done once, instead of many times, saving analyst hours while also giving street cred to the few who contribute. Malware analysts are really a lot like grad students; they need to publish to get further in the field, and they're always working on new and novel systems and ideas (and would usually rather be working on those than on figuring out how someone encrypted a specific packer variant that will be abandoned within a week).

      2) Will the creation of CrowdRE make CrowdStrike obsolete? Obviously not. It will only prove that the skills to RE malware effectively are skills that CrowdStrike, Mandiant, et. al. have that you don't.

      Exactly. Professional reverse engineering is a niche field, and there aren't really a large number of people who can do it well for all platforms.

      3) If I'm a student or under-employed and needed a venue to show off my skillz then this sounds like a place to make a name.

      See 1)

      4) If your company's network security is breached, posting the malware you found isn't going to fix your problem. You will will still need the folks with the chops to clean up the mess. And oh, by the way, we here at CrowdStrike can make it all those bad guys go away.

      Well, even after figuring out how the malware works, there's still a lot of janitorial work to do to clean up the mess, not to mention the rest of the remediation process (how do you stop it from happening again?). CrowdStrike doesn't cover all those bases, but they likely want to act as brokers for those who do.

      It's a good idea but not for what it claims to be.

      I'd say it's good for what it claims to be, but that the entire problem space is significantly larger than what this claims to solve -- for the rest, you really do need talented individuals and organized groups with resources to come in and fix the problems, once the problems have been defined.

  8. Notoriety by DrYak · · Score: 1

    (2): Risk drawing even more attention to yourself by seeing to it that some security researchers mysteriously cut several vital arteries while shaving.

    Specially, when said security researchers are all working as part of a big platform reverse engineering malware. (As opposed as the reverse engineering being the work of a few anonymous unknown genius students working in their universities dorms. In that case, it would be much more easy to shift the poisonning blame to the druggie standing in as the current fuck friend of the genius).

    Notoriety and public visibility are good deterrent against trying to make inconvenient persons disappear.

    (Same reason why currently Julian Assange is being the target of a "smear campaign" to discredit him and knee deep in a diplomatic chaos around possible extradition, instead of just made to disappear toward one of the 3rd world countries where the USA out-source their "information retrieval" services: too many public eyes are following the story).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]