Wednesday, April 1, 2009

Responder Pro - A review

Here's a short disclaimer before I get in to this.
*I'm not paid by nor affiliated with HBGary. This is an honest review of their product(s).*

A short while ago I received a demo copy of HBGary's Responder Pro product. A big thanks goes out to Rich and the HBGary team for letting me demo their tools. My demo period has now expired so I wanted to share my experience.

During my demo I used Responder Pro almost exclusively to analyze malware, and perform memory analysis. There's a bit of a learning curve with the product, mainly in getting used to the layout of the GUI which was at first a senseless morass of windows and tabs. After I adapted my thinking and used the tool a few times, the GUI made some sense.

Once I got acclimated to the GUI, memory analysis couldn't have been any easier. The GUI is pretty powerful and allows for a quick examination of the 'big win' components of memory - processes, modules, open files, open registry keys, network connections. Identifying process and DLL injection was in a word 'simple' once I figured out how the tool laid out the process and module information. Image(executable) extraction is simple - a right click does the trick.

A warning though. If you're using Antivirus products on the system you use this tool on, be prepared to redo your analysis or make exceptions for files and folders. More than once I was frustrated by having Symantec Endpoint Protection delete the extracted binary, leaving Responder in a state of confusion and inability to complete an analysis. I have many v.2 case files due to this.

The automated malware analysis of the memory dump was a huge timesaver. Based on a file called baserules.txt, a memory dump will be analyzed for processes and modules that are exhibiting potentially malicious behaviors. If you highlight a module, it will be selected for a deeper dive analysis. Did I mention it's a time saver? Analyzing module after module in a process can be tedious work. Having the information presented to you allows you to quickly weed out what looks normal from the abnormal.

My one nit about the automated analysis was the transition from 1.3 to 1.4. 1.4 had far too many rules commented out, and while this led to fewer false positives, it greatly contributed to more manual work because it missed a lot of things.

During my demo period HBGary updated Responder Pro from version 1.3 to version 1.4. The transition added interesting capabilities such as pulling out URL's from the memory dump as well as passwords. Harlan discussed this a bit while looking at one of my memory snapshot project images.

Memory analysis-wise Responder is right up there for commercial tools. I'd pretty much say it's the best around for the price point ($1000 for Field edition). It also integrates with Encase, which is nice for a lot of people.

And then there's the graphing for malware analysis. One of my colleagues summed it up accurately by calling it very 'seductive'. Now, graphing has been around a while for malware analysis. There's a difference though when it comes to using Responder. The difference is you don't have to screw around with the reindeer games that various packers use. When you're analyzing a memory dump of malware, you're seeing the unpacked malware and it makes for a very straightforward analysis. In more than one case I was able to do analysis in about an hour or so on something that would have otherwise taken a few hours. The ability to pull out a subroutine, and analyze it graphically and having the code available as well is a fantastic feature. Or, if you want to, you can begin by performing an analysis of a process, and looking at the strings. Then just pull the string you're interested in, in to the working canvas, and begin analysis on something that looks like it's of direct interest to you. That's what I was doing here. The bookmarking and layering made it almost photshop'esque. I only had to look at what was of interest and I could go back to it later. While analyzing virut.CF the bookmarking feature was very handy, especially when I discovered some Passthru driver configuration files intact while doing a graphical analysis. I won't get in to the differences between IDA pro and Responder Pro for analysis but I will say that I had a much faster time of doing analysis in Responder than in IDA, and I think the reason was due to using a memory dump rather than static binary analysis.

So that's enough talking about why I like the product. Case Study-wise I used Responder Pro to look at several poorly classified malware types during my demo. In the field I use Responder Pro to analyze several USB related malware variants that my other vendors called "downloader" or "trojan horse" or "SillyFDC". In a wave of compromises I didn't want any other tool for analysis. I reached for Responder Pro when I needed to do an analysis to determine scope and the REAL risk to data. I reached for Responder Pro when I needed to determine the capabilities of a few very nasty pieces of malware. Why? Because I needed accurate, actionable intel fast.

Just this evening I wanted to do an analysis of an InfoStealer variant I discovered in the wild. The tool I went for? Responder Pro. As I said though, my demo expired and I felt a bit lost. Gone was the quick analysis. Gone was the interface. I still have Volatility and Memoryze and they certainly have their strengths but I had gotten very used to using Responder. I still have the old tried and true tools around but it's a bit of a disappointment to go back to them.

The biggest issue I have is unfortunately not technical at all. It's price - which is currently the biggest concern for us. For $9000 I could license my entire team with IDA pro and train them all in Memoryze and Volatility.

Do I recommend the Responder family of products?

Absolutely. The products have a lot of strengths including time saving techniques and easy analysis and presentation of otherwise complex data sources. For many people in the industry Responder Field Edition is more than appropriate.

Responder Pro is an entirely different beast and to be frank I feel a little naked right now.