FBI Plans To Open Up Malware Analysis Tool To Outside Researchers
Trailrunner7 writes: The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others. The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. Once a file is uploaded, the system runs it through a cluster of antimalware engines, somewhat akin to the way that Virus Total handles submissions, and returns a wide variety of information about the file.
Users can see what the detection rate is among AV engines, network connection attempts, whether the file has been seen by the system before, destination and source IP addresses and what protocols it uses. Right now, Malware Investigator is able to analyze Windows executables, PDFs and other common file types. But Burns said that the bureau is hoping to expand the portal's reach in the near future. "We are going to be doing dynamic analysis of Android files, with an eye toward other operating systems and executables soon," he said.
That's right. The FBI has no way of knowing who. you. are...
“He’s not deformed, he’s just drunk!”
It's worthless trash.
First rule of maintaining a competitive edge. Keep the good shit.
Does it detect the FBI's own malware I wonder.
That's just plain stupid. So any malware author can now run their files through the FBI's malware program until they figure out a way to get past all its checks.
*clap* *clap* *clap* *clap*
There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
J Edgar Hoover is alive and well. Nothing has changed.
Why is Snark Required?
system-grade comparison of AV for the consumer??
That'd give the consumer unfair advantage over the AV companies in being able to make an *informed* choice, don't you think?
I see some serious resistance to this.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
I was at VirusBulletin when this was being discussed.
A lot of the other comments are just typical ignorant FUD. Let me tell you exactly what this is: reinventing the wheel.
The speaker described how they had started working on a malware analysis environment back in 2004 and ultimately abandoned it as a failure in 2010. They then *clearly* didn't just look around and see what already existed, but instead just stubbornly decided to press on in making their own.
I was really cringing as the FBI agent described the system to a room full of malware analysis and AV companies, because the system was just so *basic*.
But he said that it received multiple awards within the government and was seen as being super awesome. Just another example of the government being insular and not realizing how far behind industry they are.
For those who think it's a honey pot, it's really not. Not quite anyway. The agent specifically said that the main value to them to make it open is that they *do* want to collect more malware samples. They're starting with LE (who may not be experienced enough to know they can just use one of many other free malware analysis environments, and thus will use the one the FBI hands to them). But then after LE it's a much smaller lift to just open it to everyone, and thus it's sort of a "why not" sort of thing.
Clearly English as a first or second language is not a prerequisite for employment at this firm.
Just ask the NSA and the other four (five, actually, but you're not permitted to know about the fifth) mil agencies who get your data from the FBI without a silly Constitutional requirement.
Serfs, not Citizens.
That's all you are.
-- Tigger warning: This post may contain tiggers! --
How does this malware get onto Windows, Android and these other operating systems in the first place?
The FBI will soon be releasing a link to Jotti.
http://virusscan.jotti.org/en
I recently got 4 antivirus makers to rescind false positives in NOD32/ESET (below's my VERY recent email correspondence with their lead developer, Mr. Aryeh Goretsky in fact) regarding my APK Hosts File Engine 9.0++ 32/64-bit program being falsely flagged (& imo? It's one of the BEST designed & coded ones):
===
APK REPLY #3 (not my ware, rather MATCODE mpress use) in thanks to Aryeh Goretsky of NOD32/ESET on False positive: Why are you calling a program of mine a "bad" file? apk
Aryeh Goretsky
9/21/14
To: Alexander Kowalski
Hello,
False positives like the one you reported are not uncommon, and most anti-malware companies respond quickly to them. I just did a download of apk.it-mate.co.uk/APKHostsFileEngineInstaller32_64bit.zip and did not receive any reports of NewHeur_PE, so I am assuming the virus lab resolved the issue. I am running ESET Smart Security 7.0.317.4 with Virus signature database: 10445P (20140920), if that helps you track down the report.
Regards,
Aryeh Goretsky
===
Their "FP's" mistake was based on their *NOT* understanding the mpress (MATCODE) 64-bit compression method I was using, which was "ok" by them in 32-bit, but flagged up falsely in 64-bit!
(Which is *EXACTLY* where I told them they were going wrong since the codebase in Delphi XE2/Object-Pascal code is EXACTLY THE SAME between both versions (only differing in resource strings saying "32-bit" vs. "64-bit" only, thus, proving their screwups which they agreed on)):
APK
P.S.=> It happens A LOT on "false positives" - more proofs thereof forthcoming in my subsequent replies... apk"
RE: 1 False positive of 3 now gone (Qihoo360) only Comodo & NOD32 remain now (interesting points on last one)... apk
9/18/14
To: Alexander Kowalski
support@360safe.com
Dear Alexander,
Thank you for your support to 360safe.
We sincerely appreciate your help of improving our products and services. We make every effort to avoid false-positive results in our service, and proper actions have been taken. We are sorry for the inconvenience.
So again, thank you and please feel free to contact us anytime you have any question or suggestion about our product.
Kind regards,
Qihoo 360 Support Team
Email: support@360safe.com
---
* More FALSE POSITIVES proofs of virus test imperfections forthcoming in my subsequent replies...
APK
P.S.=> Symantec/Norton, ArcaVir, ClamAV, & Comodo (in process now)... apk
Re: APK Sending 32-bit compressed, 32-bit uncompressed, and 64-bit compressed builds of program for FALSE POSITIVE TESTS UPON REQUEST... apk
Paweł Pieniak
3/13/12
To: Alexander Kowalski
Cc: support@arcabit.com
Hello!
It's a false positive. This false positive will be eliminated as soon as possible.
In a letter dated 13 March 2012 (16:28:12) was written:
I am attaching each version of it in BOTH compressed (that shows as infested) AND UNCOMPRESSED (that shows as clean, along with its 64-bit version also) form. See attached "ForArcaBitAnalysis.rar" file as it contains the following executable files:
APKHostsFileEngine32.exe (compressed 32-bit model that your antivirus says is infected)
APKHostsFileEngine32.exe.bak (the uncompressed 32-bit model, just rename it when you work on it)
APKHostsFileEngine64.exe (64 bit model)
I compress my executables with mpress.exe (which compresses both 32 bit and 64 bit programs).
The 32 bit and 64 bit models are EXACTLY THE SAME SOURCECODE, line for line, except for resource strings that say "32-bit" instead of "64-bit", and that is it.
===
More proofs of "false positives" I've overturned forthcoming (Norton/Symantec, & others)...
APK
P.S.=> Couldn't have done it alone imo, & I had EXCELLENT HELP (From the very best in the business per proof from this VERY recent test from a reputable source http://www.av-test.org/en/news... in MalwareBytes' staff, assisting me & they also host AND RECOMMEND my ware as "best of its kind" here http://hosts-file.net/?s=Downl... also, @ the top of their data downloads pages for hosts)... apk
Symantec
Steven Burn
4/07/12
To: 'Alexander Kowalski'
Alexander,
Vikram just got back to me to let me know Symantec have now removed the detection for your files.
Regards
Steven Burn
I.T. Mate
www.it-mate.co.uk
---
* That's the man from MalwareBytes (best in the business http://www.av-test.org/en/news... per my Qihoo360, & ArcaVir false positives overturning's previous proof posts now here, & that I've done in the past 2++ yrs. now, proving these programs are NOT "perfect" (far from it)).
APK
P.S.=> Especially considering NORTON/SYMANTEC THEMSELVES HAVE ADMITTED TO BEING ONLY "55% effective" PER THIS SLASHDOT ARTICLE RECENTLY -> http://it.slashdot.org/story/1...
... apk
Comodo's in process now as I write this (will be removed I am SURE of it for the reasons I noted above regarding MATCODE compression engine in 64-bit *NOT* being understood by many antivirus engines, yet is OK by them in 32-bit):
However, per my subject-line & Mr. Nir Sofer of NIRSOFT (who has talent & has written TONS of small utilities for many varying useful purposes):
He gets "flagged" & FALSELY, ALL THE TIME!
So, in my experiences with his tools & in my PROFESSIONAL OPINION - one PROVEN good enough to have overturned false positives galore in my time, including Norton/Symantec, ArcaVir, McAfee/Intel, ClamAV, NOD32/ESET as shown already, & others like Computer Associates too in the past?
They're wrong!
(Regarding CA? It was, albeit, on ANOTHER older 32-bit program of mine they had to step down to "zero threat" levels after falsely accusing it of being a malware, but it *could* be a "double-edged sword" launching apps invisibly (not intended for that by myself, ever) but it is NOT SCRIPTABLE for attacks (what saved me, no argc/argv commandline intake possible for that, along with the fact that I passed EVERY SINGLE ONE of their 21 point questions for removal also)).
He gets flagged a lot... VirusTotal, per Mr. Sofer, is now owned by GOOGLE. They flag his wares as "malware" now online - why?
He wrote password grabbers for Chrome, FireFox, Opera, & IE (possibly more like Safari). These *CAN* be extremely useful for techs/admins (as well as forensics people during investigations)).
* BOTTOM-LINE: That's wrong of them to do that to him - for the reasons noted above.
Want to do it RIGHT? Don't trust "heuristics" or "fall-back rules" in error in your AV engines - setup a VM, step trace the app there using tools like ProcessExplorer or ProcessMonitor by Dr. Mark Russinovich instead, or a FULL-BLOWN kernelmode debugger/disassembler!
APK
P.S.=> When an app can function BOTH ways (for "good" or "bad")? They ought to reclassify those types (ping can or could too for Pete's sake & it's part of the IP stack essentially & a USEFUL tool for networkers)... been there myself, not fun - I feel bad for Mr. Sofer: Guy has talent & doesn't deserve or merit that bullshit... apk
Regarding the efficacy of these online tests (with proofs of my proving them WRONG) here http://tech.slashdot.org/comme... (in that post and ALL subsequent ones beneath it).
* Their "heuristics" are ALL fucked up, but moreso, their "default 'fallback' rules" when their antivirus engines FAULT-OUT & malfunction, falling back to an AUTOMATIC DECLARATION A WARE IS "BAD"...
THAT, is WRONG... period!
To do it COMPLETELY RIGHT?
Don't depend on "heuristics" or worse, default "fallback rules" of auto-declaring an app "badware" when their engines FAULT OUT!
Step trace the app, running it in a VM, first... analyze it using tools like ProcessExplorer &/or ProcessMonitor by Dr. Mark Russinovich (or go as far as using a kernelmode debugger to do so).
Yes, that's EXACTLY what they SHOULD do - but don't!
Proof?
Hey... proof's in the pudding on MATCODE exe packer I used to use that got me FALSELY FLAGGED & when I got those rescinded in the 1st link I posted above.
(Where 1 of my programs is FINE in 32-bit but not in 64-bit, or vice-a-versa)
I used to use exe-packers/compressors!
Why?
Well - since those make programs smaller to pickup off disk (thus, faster loads, since the typically SLOWEST part of a computer IS DISK, especially mechanical ones like harddrives) & modern CPU speeds offset the decompression into RAM for running them, AND, for protecting my apps vs. disassembly OR alteration via say, hex editors.
That latter point?
It can't be done to wares I develop anyhow (even though I stopped using exe packers to STOP "false positives" on my apps, which is a SHAME due to benefits I got from them, as did users of them in my apps)!
How/why?
Easy - my apps check themselves on startup, & *IF* they even differ by 1 BYTE ONLY? My app warns the user of possible traditional/classic virus infestations (add size by altering function jump tables AND adding code @ the tail-end of an application too) & SHUTS DOWN THE PROGRAM... this functions as "native built-in antivirus protection" @ the APPLICATION LEVEL!
All apps ought to be written that way but, alas, they're not, sadly (it works & is SIMPLE to implement by sizecheck, CRC32 checks, 1st 512 byte checksumming, etc.)
APK
P.S.=> I've shown how I've quite LITERALLY PROVEN the "big names" wrong, with samples in that exchange no less thereof & exactly HOW/WHEN/WHERE/WHY their antivirus tests engines are in error, many times & more importantly, how others are victim to it (Nir Sofer of NirSoft being a prime one I know of who gets it FAR WORSE than I ever did, wrongly)... apk
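As an added example (not code from the post above, nor from the APK program it describes), here is the kind of startup self-check the comment outlines, written in Python: it records a file's size, the CRC32 of its first 512 bytes and the CRC32 of the whole file, then reports which of the three a later modification trips. The file name, its constructed 4 KiB content and the three tampering scenarios (bytes appended at the tail, one byte flipped deep in the file, one byte flipped in the header) are assumptions made for the demonstration.

```python
import os
import sys
import tempfile
import zlib

HEAD_BYTES = 512  # the "1st 512 byte checksumming" the post mentions


def fingerprint(path):
    """Return (size, CRC32 of the whole file, CRC32 of the first 512 bytes)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return (len(data),
            zlib.crc32(data) & 0xFFFFFFFF,
            zlib.crc32(data[:HEAD_BYTES]) & 0xFFFFFFFF)


def verify(path, expected):
    """Compare the on-disk file against a recorded fingerprint.

    Returns a list of human-readable mismatches; an empty list means intact.
    """
    size, crc, head = fingerprint(path)
    exp_size, exp_crc, exp_head = expected
    problems = []
    if size != exp_size:
        problems.append("size changed: %d -> %d" % (exp_size, size))
    if head != exp_head:
        problems.append("first %d bytes changed" % HEAD_BYTES)
    if crc != exp_crc:
        problems.append("whole-file CRC32 changed")
    return problems


def self_check(expected):
    """Startup hook: verify the running program (sys.argv[0]) and refuse to
    continue if it differs from the fingerprint recorded at build time."""
    problems = verify(sys.argv[0], expected)
    if problems:
        sys.exit("integrity check failed: " + "; ".join(problems))


def demo():
    """Constructed scenario: a fake 4 KiB 'program' and three tamperings.

    Returns a dict mapping scenario name -> list of detected problems.
    """
    original = bytes(range(256)) * 16  # 4096 bytes of constructed content
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "fake_program.bin")  # hypothetical name

        def write(content):
            with open(path, "wb") as fh:
                fh.write(content)

        write(original)
        baseline = fingerprint(path)  # what a build step would embed
        results["intact"] = verify(path, baseline)

        # 1. code appended at the tail end (size grows, whole-file CRC changes)
        write(original + b"\x90" * 64)
        results["appended"] = verify(path, baseline)

        # 2. one byte flipped deep in the file (same size, head untouched)
        body = bytearray(original)
        body[2000] ^= 0x01
        write(bytes(body))
        results["mid_flip"] = verify(path, baseline)

        # 3. one byte flipped inside the first 512 bytes
        head = bytearray(original)
        head[10] ^= 0x01
        write(bytes(head))
        results["head_flip"] = verify(path, baseline)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print("%-10s %s" % (name, problems or "OK"))
```

`self_check()` is the hook a program would call first thing at startup, against fingerprint values computed by the build and compiled in. The three checks catch the accidental and naive modifications the post describes (appended code, a patched byte), but CRC32 is not collision-resistant, so a deliberate tamperer can adjust the file to keep the checksum; where that matters, a digest such as SHA-256 (hashlib) in place of zlib.crc32 is the better choice, and the expected value itself must be stored where the tamperer cannot also rewrite it.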
Yeah. Just long sentences.
Sophos Files Samples (samples@sophos.com)
To: hhhobbit@securemecca.com
Cc: hhhobbit@securemecca.com, services@it-mate.co.uk, alecstaar@gmail.com, apk4776239@hotmail.com
Hello ,
Thank you for your submission. We have now released a fix for the file(s) you sent in to us for analysis.
If you have any further questions please do not hesitate to contact Sophos Technical Support.
Regards,
Romeo Carlo David
Sophos Technical Support
http://www.sophos.com/en-us/su...
Support knowledgebase: http://www.sophos.com/en-us/su...
Follow us on Twitter @SophosSupport
SophosTalk community (discussion forums): http://community.sophos.com/
SOPHOS - Security made simple
---
* That was June 2013 - not as recent as the others, but I am posting this one for posterity's sake too...
APK
P.S.=> 1 more coming in EmsiSoft... apk
Arief Prabowo - Emsisoft (ap@emsisoft.com)
8/23/14
To: 'Alexander Kowalski', fp@emsisoft.com, 'Steven Burn'
ap@emsisoft.com
Hello,
many thanks for reporting this issue. I can confirm that the false positive has been fixed, and the file information on this page has been updated as well:
http://www.isthisfilesafe.com/...
spx
Best Regards,
Arief Prabowo
Malware Analyst
--
Emsisoft GmbH - www.emsisoft.com
Mamoosweg 14, 5303 Thalgau, Austria
Tel. +49-180-590066-2, Fax. +43-6235-20053
Commercial register: FN238178m, VAT-ID: ATU57263749
---
* I've done the same to Computer Associates years ago as well for another program I wrote (APKBackGroundProcessEngine) that they had to lower to ZERO threat levels also (but that was LONG ago & on another program)...
APK
P.S.=> There's 6 or 7 evidences as "proof thereof" listed under the parent post of mine I just replied to, along with this last one, as to my statements' veracity as to these online tests' accuracy being poor/inaccurate (since of the 80 possible @ JOTTI or VirusTotal, ONLY those 6 flagged me falsely - well, they were WRONG & ADMITTED IT, proving my point here)... apk