January 23, 2017

CrowdStrike unleashes CrowdRE to promote collaborative reverse engineering of malware

(LiveHacking.Com) – CrowdStrike, a security technology company which employs some big industry names like former McAfee CTO George Kurtz, Dmitri Alperovitch (McAfee’s ex-VP of Threat Research) and former FBI executive Shawn Henry, has released a new collaborative platform designed to speed up the reverse engineering of malware.

Known as CrowdRE, the cloud-based service was originally developed for CrowdStrike’s internal use, but the company decided to release it for free after it realized that the broader security community could benefit from it by encouraging information sharing and collaboration.

The idea is simple: while a single person can statically reverse engineer a small downloader or dropper, it can take weeks or even months to properly analyze complicated malware like Stuxnet and Flame, especially when it is developed by a well-funded adversary (such as a nation-state). To this end CrowdRE has been developed to allow security analysts all over the world to perform collaborative reverse engineering.

The platform works like this. Bob is working on disassembling the code and, as he does so, he names local variables, adds annotations and works out what certain functions do. Once he is happy with his work he can upload it to the CrowdRE servers. At the same time Alice is working on a different part of the malware and notices calls to certain functions. At this point Alice syncs with the CrowdRE servers and discovers that Bob has already annotated and analysed those functions. Now Alice can continue reverse engineering the malware with Bob’s function annotations included in her analysis.
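The Bob/Alice exchange above, as an added toy model that is not CrowdRE’s own code: annotations are keyed by a hash of the function’s instruction mnemonics rather than by address (an assumed scheme, since the article does not say how CrowdRE identifies functions), so Alice’s sync finds Bob’s work even if her copy of the binary is loaded at a different base. The function names, mnemonic sequences and server class are constructed for the example.

```python
"""Toy model of collaborative annotation sharing (constructed example, not CrowdRE code)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Annotation:
    name: str                      # analyst-supplied function name
    comment: str                   # what the analyst worked out the function does
    local_names: dict = field(default_factory=dict)  # e.g. {"var_8": "html_buf"}
    author: str = ""


def function_key(mnemonics):
    """Identify a function by its opcode mnemonic sequence, not its address,
    so rebased or slightly relinked copies of the same function still match.
    (Assumed matching scheme for illustration only.)"""
    return hashlib.sha256(" ".join(mnemonics).encode()).hexdigest()[:16]


class AnnotationServer:
    """Shared store: every annotation set uploaded for a given function key."""

    def __init__(self):
        self._store = {}

    def upload(self, key, annotation):
        self._store.setdefault(key, []).append(annotation)

    def sync(self, keys):
        """Return annotations for the functions a client asks about, if any exist."""
        return {k: list(self._store[k]) for k in keys if k in self._store}


# Constructed sample: mnemonic sequences of two functions in the disassembly.
FUNC_A = ["push", "mov", "sub", "call", "test", "jz", "xor", "ret"]
FUNC_B = ["push", "mov", "call", "cmp", "jne", "ret"]


def demo():
    server = AnnotationServer()
    # Bob finishes analysing function A and uploads his annotations.
    bob = Annotation("parse_c2_command", "Extracts C2 commands from HTML comment tags",
                     {"var_8": "html_buf"}, author="bob")
    server.upload(function_key(FUNC_A), bob)
    # Alice sees calls to A and B in her part of the malware and syncs both keys;
    # only A comes back, because nobody has annotated B yet.
    return server.sync([function_key(FUNC_A), function_key(FUNC_B)])
```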

A more detailed example can be found in a recent blog post where Jason Geffner, a senior security researcher at CrowdStrike, demonstrates how CrowdRE could be used to analyze a malware sample known as “Comment Panda.” Comment Panda was part of the malware family behind the Shady RAT attacks and is known to include command-and-control commands inside HTML comment tags.

CrowdRE has plugins for popular tools like IDA Pro, and development continues. The team hopes to bring support for Linux and Mac OS soon, along with social ratings of other users’ annotations (so you can see which ones other people consider reliable), access control lists (to allow only specific people to see your annotations) and better fuzzy matching of functions.