October 22, 2016

CrowdStrike unleashes CrowdRE to promote collaborative reverse engineering of malware

(LiveHacking.Com) – CrowdStrike, a security technology company which employs some big industry names like former McAfee CTO George Kurtz, Dmitri Alperovitch (McAfee’s ex-VP of Threat Research) and former FBI executive Shawn Henry, has released a new collaborative platform designed to speed up the reverse engineering of malware.

Known as CrowdRE, the cloud-based service was originally developed for CrowdStrike’s internal use, but the company decided to release it for free after it realized that the broader security community could benefit from it by encouraging information sharing and collaboration.

The idea is simple: while a single person can statically reverse engineer a small downloader or dropper, it can take weeks or even months to properly analyze complicated malware like Stuxnet and Flame, especially when they are developed by a well-funded adversary (such as a nation-state). To this end, CrowdRE has been developed to allow security analysts all over the world to perform collaborative reverse engineering.

The platform works like this. Bob is disassembling the code, and as he does so he names local variables, adds annotations and works out what certain functions do. Once he is happy with his work, he can upload it to the CrowdRE servers. At the same time, Alice is working on a different part of the malware and notices calls to certain functions. At this point Alice syncs with the CrowdRE servers and discovers that Bob has already annotated and analysed those functions. Now Alice can continue reverse engineering the malware with Bob’s function annotations included in her analysis.
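The Bob/Alice workflow above, as an added illustration that is not CrowdRE's own code: two analysts annotate their own disassembly listings, push the results to a shared store, and pull annotations for any function the other has already named. The key design question such a platform has to answer is how to recognise that two listings are "the same function" when the sample has been loaded at different addresses; the approach here (strip addresses and mask immediates, then hash the normalised instruction text) is an assumption for the example, not a description of how CrowdRE matches functions, and all listings are constructed sample data.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed sample data: Bob's and Alice's disassembly of the same function,
# loaded at different base addresses, plus an unrelated function.
BOB_LISTING = """
0x401000: push ebp
0x401001: mov ebp, esp
0x401003: push 0x40a010
0x401008: call 0x401200
0x40100d: pop ebp
0x40100e: ret
"""
ALICE_LISTING = """
0x10001000: push ebp
0x10001001: mov ebp, esp
0x10001003: push 0x1000a010
0x10001008: call 0x10001200
0x1000100d: pop ebp
0x1000100e: ret
"""
OTHER_LISTING = """
0x402000: xor eax, eax
0x402002: ret
"""


def normalize(listing: str) -> str:
    """Drop the address column and mask immediates so that relocation alone
    does not change a function's identity (assumed matching scheme)."""
    out = []
    for raw in listing.strip().splitlines():
        _, _, instr = raw.partition(": ")
        out.append(re.sub(r"0x[0-9a-fA-F]+", "IMM", instr).strip())
    return "\n".join(out)


def function_id(listing: str) -> str:
    """Stable identifier for a function, shared across analysts."""
    return hashlib.sha256(normalize(listing).encode()).hexdigest()


@dataclass
class Annotation:
    name: str      # function name chosen by the analyst
    comment: str   # free-form analysis note
    author: str    # who produced it, kept for provenance


class AnnotationServer:
    """Minimal shared store: function id -> annotations uploaded for it."""

    def __init__(self) -> None:
        self._store: dict[str, list[Annotation]] = {}

    def upload(self, fid: str, ann: Annotation) -> None:
        self._store.setdefault(fid, []).append(ann)

    def sync(self, fids: list[str]) -> dict[str, list[Annotation]]:
        return {fid: list(self._store[fid]) for fid in fids if fid in self._store}


class Analyst:
    def __init__(self, name: str, server: AnnotationServer) -> None:
        self.name, self.server = name, server
        self.local: dict[str, Annotation] = {}

    def annotate(self, listing: str, name: str, comment: str) -> str:
        fid = function_id(listing)
        self.local[fid] = Annotation(name, comment, self.name)
        return fid

    def push(self) -> None:
        """Upload only annotations this analyst wrote, never re-uploaded imports."""
        for fid, ann in self.local.items():
            if ann.author == self.name:
                self.server.upload(fid, ann)

    def pull(self, listings: list[str]) -> dict[str, Annotation]:
        """Import others' annotations for listed functions not yet named locally;
        local work always wins over a remote annotation."""
        imported = {}
        for fid, anns in self.server.sync([function_id(l) for l in listings]).items():
            if fid in self.local:
                continue
            self.local[fid] = anns[-1]  # most recent upload, for this toy policy
            imported[fid] = anns[-1]
        return imported


def demo() -> dict[str, Annotation]:
    server = AnnotationServer()
    bob = Analyst("bob", server)
    bob.annotate(BOB_LISTING, "init_config", "loads embedded config blob")
    bob.push()
    alice = Analyst("alice", server)
    # Alice sees the same function at a different address; the id still matches.
    return alice.pull([ALICE_LISTING, OTHER_LISTING])


if __name__ == "__main__":
    for fid, ann in demo().items():
        print(fid[:12], ann.name, "by", ann.author)
```

The `pull` policy (local annotations are never overwritten by a sync) is the part worth getting right in a real deployment, since a colleague's guess should not silently replace work you have already verified; the social ratings and access control lists mentioned later in the article would sit on top of exactly this merge step.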

A more detailed example can be found in a recent blog post where Jason Geffner, a senior security researcher at CrowdStrike, demonstrates how CrowdRE could be used to analyze a malware sample known as “Comment Panda.” Comment Panda was part of the malware family behind the Shady RAT attacks and is known to include command-and-control commands inside HTML comment tags.

CrowdRE has plugins for popular tools like IDA Pro and development continues. The team hopes to bring support for Linux and Mac OS soon, along with social ratings of other users’ annotations (so you can see what other people think is reliable), access control lists (to allow only specific people to see your annotations) and better fuzzy matching of functions.

WebKit Vulnerability Allows Attackers to Take Control of Android Devices

(LiveHacking.Com) – CrowdStrike, a new security technology company formed by key cyber security executives from McAfee, will demonstrate a new WebKit based attack against Google Android which results in the attacker gaining access to critical system processes and taking complete control of the victim’s device. The firm plans the demo as part of its debut at the RSA Conference 2012.

To launch the attack a hacker sends an email or text message that tricks the recipient (via social engineering) to click on a link, which in turn infects the device. At this point, the hacker gains complete control of the phone, enabling him to eavesdrop on phone calls and monitor the location of the device.

Since WebKit is also used in Google Chrome, Research in Motion’s BlackBerry, Apple’s Safari web browser and Apple’s iOS devices, this could open up exploits across multiple platforms.

“With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices,” said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.

The CrowdStrike exploit only works on Android 2.2 (Froyo) but Alperovitch said he expects to have a second version of the hack soon that can attack phones running Android 2.3 (Gingerbread, which runs on about 59% of all Android devices).

The consequences of such a vulnerability are enormous, as once the hole is patched in the WebKit project it can take months for the fix to trickle down to actual devices. Worse still, many handset manufacturers never update the firmware on older phones, meaning that some Android 2.2 users will be left with a vulnerable phone and no possibility of a fix other than resorting to custom ROM images.