CrowdScource to be introduced at Black Hat
Posted by: Timothy Weaver on 07/30/2013 11:25 AM
[
Comments
]
A new tool, produced by Invincea, is to be announced at the upcoming Black Hat convention. This new tool, called CrowdSource, is unlike other tools to find malware. CrowdSource is built using a machine-learning approach that trains the detection engine using millions of technical documents found on the Web. The authors have applied the engine to about 15,000 samples so far and say that they easily can scale it to go through millions of samples.
Saxe and his research partners, Kristina Blokhin, Rafael Turner, Nathan Goldschmidt and Jose Nazario, are planning to release CrowdSource as an open source tool.
Some of the malware capabilities that CrowdSource has the ability to detect include:
• detects debugger based reversing
• encrypts / decrypts data
• provides remote desktop capability
• steals or modifies cookies
• mines or steals bitcoins
• communicates over smtp
• has gui functionality
• communicates with database
• communicates via irc protocol
• logs keystrokes
• takes screenshots
• communicates via xmpp
• communicates via socks protocol
• accesses webcam
• downloads files
• uploads files
• communicates via ftp
In addition to the ability to recognize certain capabilities of malware and malicious files, Saxe said CrowdSource also may be useful for doing large-scale analysis of malware to take the burden off the small number of trained analysts doing this work.
“The other thing we want to do is demographics of malware on a large scale,” he said. “Perhaps we could use it to survey the malware landscape to say that there’s been a shift away from using remote desktop bugs or whatever. That currently isn’t possible because there aren’t enough expert analysts.
Saxe said that the team ultimately hopes to release CrowdSource as a command-line tool as well as a Web-based version.
Saxe and his research partners, Kristina Blokhin, Rafael Turner, Nathan Goldschmidt and Jose Nazario, are planning to release CrowdSource as an open source tool.
Some of the malware capabilities that CrowdSource has the ability to detect include:
• detects debugger based reversing
• encrypts / decrypts data
• provides remote desktop capability
• steals or modifies cookies
• mines or steals bitcoins
• communicates over smtp
• has gui functionality
• communicates with database
• communicates via irc protocol
• logs keystrokes
• takes screenshots
• communicates via xmpp
• communicates via socks protocol
• accesses webcam
• downloads files
• uploads files
• communicates via ftp
In addition to the ability to recognize certain capabilities of malware and malicious files, Saxe said CrowdSource also may be useful for doing large-scale analysis of malware to take the burden off the small number of trained analysts doing this work.
“The other thing we want to do is demographics of malware on a large scale,” he said. “Perhaps we could use it to survey the malware landscape to say that there’s been a shift away from using remote desktop bugs or whatever. That currently isn’t possible because there aren’t enough expert analysts.
Saxe said that the team ultimately hopes to release CrowdSource as a command-line tool as well as a Web-based version.
Comments
