Monday, April 6, 2009

Digital DNA

You may or may not have heard of it yet, but HBGary has added an exciting new feature to their Responder Pro product called Digital DNA. I'm still in the process of learning more about it but I'll try to summarize it.

Malware is made up of components, and much like a person, it inherits those components as traits when it is created. In the malware sense, traits are inherited through programming behaviors that, generally speaking, can't be avoided if you wish to achieve a specific goal. Keyloggers, rootkits, droppers, process injection and so on all have modes of operation that can be identified, not in the sense of a traditional byte signature but in the sense of a behavioral signature. The individual implementation details matter less here than the class of behavior.

Generally speaking, a specific piece of malware has several traits that make it malicious and define its individual behaviors. These class characteristics, when applied to an individual malware specimen, become a series of individual characteristics, or a DNA chain. This DNA chain can then be used to identify the software as malicious in nature.

So let me clarify before continuing.

A piece of malware is installed on a computer. It:
a) opens a backdoor
b) hides processes
c) injects itself into a running process
d) speaks HTTP
e) logs keystrokes

These are all class characteristics of malware. They are non-specific in nature, yet they are indicative of malicious behaviors. Taken individually, they are innocuous. Taken together, they are a problem. Taken together, they form a DNA chain that can be used to identify potentially malicious processes on your computer. You can take my word for it, or check out these screenshots of it.
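To make the "innocuous alone, a problem together" idea concrete, here is an added example of composite behavioral scoring. It is not HBGary's code and does not reflect how Digital DNA actually weights traits; the trait names, weights, pair bonuses, threshold and sample processes are all constructed for illustration. Each observed behavior is a class characteristic with a weight, pairs that are suspicious in combination add a bonus, and a process is flagged only when its whole chain crosses the threshold.

```python
"""Constructed example of composite behavioural scoring, in the spirit of the
"DNA chain" described above. Trait names, weights, bonuses and the threshold
are made up for illustration; they are not HBGary's Digital DNA data."""

from typing import Iterable, Tuple

# Class characteristics: behaviours a specimen can exhibit, weighted by how
# rarely legitimate software shows them (constructed values).
TRAIT_WEIGHTS = {
    "opens_backdoor": 25,
    "hides_processes": 30,
    "process_injection": 20,
    "speaks_http": 5,        # harmless alone; every browser and updater does it
    "logs_keystrokes": 25,
}

# Pairs that are far more suspicious together than apart (constructed values):
# keystroke capture plus an HTTP channel looks like exfiltration, process
# hiding plus injection looks like a rootkit.
COMBINATION_BONUS = {
    frozenset({"logs_keystrokes", "speaks_http"}): 20,
    frozenset({"hides_processes", "process_injection"}): 20,
}

THRESHOLD = 50  # constructed cut-off; tune against known-good software


def build_chain(observed: Iterable[str]) -> Tuple[str, ...]:
    """Reduce raw observations to the ordered set of known traits (the 'chain').
    Unknown behaviour names are ignored rather than guessed at."""
    return tuple(sorted(t for t in set(observed) if t in TRAIT_WEIGHTS))


def score_chain(chain: Tuple[str, ...]) -> int:
    """Sum the individual trait weights, then add a bonus for each suspicious
    pair that is fully present in the chain."""
    present = set(chain)
    score = sum(TRAIT_WEIGHTS[t] for t in chain)
    score += sum(bonus for pair, bonus in COMBINATION_BONUS.items() if pair <= present)
    return score


def classify(observed: Iterable[str]) -> Tuple[int, str]:
    """Return (score, verdict) for a process's observed behaviours."""
    score = score_chain(build_chain(observed))
    return score, ("suspicious" if score >= THRESHOLD else "benign")


# Constructed sample processes, not real telemetry.
SAMPLES = {
    "web browser": {"speaks_http"},
    "debugger": {"process_injection"},
    "infostealer": {"opens_backdoor", "hides_processes", "process_injection",
                    "speaks_http", "logs_keystrokes"},
}

if __name__ == "__main__":
    for name, behaviours in SAMPLES.items():
        score, verdict = classify(behaviours)
        print(f"{name:12} chain={build_chain(behaviours)} score={score} -> {verdict}")
```

Run as a script, the browser and the debugger each carry a single trait and stay below the threshold, while the specimen that shows all five behaviors scores far above it because the pair bonuses compound the individual weights. The design point is that no single trait is a verdict; the chain is.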

The following image was taken from malware that is detected by 11 of 39 engines on VirusTotal.

And here's what an Infostealer looks like:

And it's then simple to go from that to this:

and then this:

Malware identification and analysis just got that much easier.