CrowdStrike announced on Aug. 21 that it is bringing its Falcon MalQuery malware search engine technology to the Hybrid Analysis community.
With MalQuery, the goal is to let anyone using the community’s Hybrid Analysis web portal easily conduct complex searches using Yara (Yet Another Recursive Acronym) rules and string searches. With Yara searches, researchers can look for and identify patterns that help with malware analysis as well as attribution. Hybrid Analysis is a free online portal that provides automated malware analysis.
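As an added illustration of what a Yara rule and string search over a sample collection does (this is constructed example code, not code from Hybrid Analysis, MalQuery or CrowdStrike), the block below defines a small rule in Yara syntax and a minimal Python matcher for a subset of that syntax (text strings, hex strings with `??` wildcards, and `all/any/N of them` conditions), then runs it over constructed sample contents to list which entries match.

```python
import re

# Constructed rule in Yara syntax (not from Hybrid Analysis or CrowdStrike):
# a text string plus a hex pattern with '??' wildcard bytes, joined by a condition.
RULE = r'''
rule constructed_example
{
    strings:
        $s1 = "cmd.exe /c"            // text string
        $h1 = { 4D 5A ?? ?? 50 45 }   // hex string, ?? matches any byte
    condition:
        all of them
}
'''

def parse_rule(text):
    """Return (rule name, {string id: compiled bytes regex}, condition text)."""
    name = re.search(r'rule\s+(\w+)', text).group(1)
    strings = {}
    for sid, txt, hexs in re.findall(r'(\$\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})', text):
        if hexs:  # hex string: each token becomes \xNN, '??' becomes any byte
            pat = b''.join(b'.' if t == '??' else f'\\x{int(t, 16):02x}'.encode()
                           for t in hexs.split())
        else:     # text string: literal byte match
            pat = re.escape(txt.encode())
        strings[sid] = re.compile(pat, re.DOTALL)
    cond = re.search(r'condition:\s*(.+?)\s*}', text, re.DOTALL).group(1)
    return name, strings, cond

def evaluate(cond, hits):
    """Condition subset: 'all of them', 'any of them', '<N> of them'."""
    m = re.fullmatch(r'(all|any|\d+) of them', cond)
    if not m:
        raise ValueError(f'unsupported condition: {cond!r}')
    want, n = m.group(1), sum(hits.values())
    if want == 'all':
        return n == len(hits)
    if want == 'any':
        return n >= 1
    return n >= int(want)

def scan(rule_text, sample):
    """Per-string hits for one sample and whether the rule's condition holds."""
    _, strings, cond = parse_rule(rule_text)
    hits = {sid: rx.search(sample) is not None for sid, rx in strings.items()}
    return hits, evaluate(cond, hits)

def search_corpus(rule_text, corpus):
    """Names of corpus entries the rule matches, like a repository-wide Yara search."""
    return sorted(name for name, data in corpus.items() if scan(rule_text, data)[1])

# Constructed sample contents (not real malware): only sample_a carries both markers.
CORPUS = {
    'sample_a.bin': b'MZ\x90\x00PE\x00\x00 ... cmd.exe /c dir',
    'sample_b.bin': b'MZ\x90\x00PE\x00\x00 benign installer',
    'sample_c.txt': b'plain text mentioning cmd.exe /c only',
}

if __name__ == '__main__':
    print(search_corpus(RULE, CORPUS))  # → ['sample_a.bin']
```

The real Yara language supports far more (regular expressions, modifiers such as `nocase` and `wide`, file-size and offset conditions), which a production search engine like MalQuery handles and this subset does not.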
“This is a gift of use of Falcon MalQuery, CrowdStrike’s malware search engine technology, to the Hybrid Analysis community website to rapidly search their public malware collection,” Dmitri Alperovitch, CrowdStrike CTO told eWEEK.
CrowdStrike originally announced its MalQuery technology in July 2017 as part of the company’s Falcon endpoint protection platform. Hybrid Analysis is a web portal operated by Payload Security, a company that CrowdStrike acquired in November 2017. Alperovitch said that Hybrid Analysis continues to be a public community website that is supported by CrowdStrike.
“Payload Security built the sandbox technology that powered Hybrid Analysis,” Alperovitch said. “That technology has now been incorporated into CrowdStrike Falcon platform as part of the Falcon X that CrowdStrike launched this past spring.”
In a video interview with eWEEK in May 2018, Alperovitch explained that Falcon X aims to simplify the cyber-security analysis workflow with automation elements.
Hybrid Analysis
Though MalQuery is also a module for CrowdStrike’s commercial Falcon platform, the searches that will be conducted on Hybrid Analysis will only search the malware collection that is in Hybrid Analysis. Alperovitch noted that the MalQuery instance on Hybrid Analysis is separate from the malware database that CrowdStrike’s Falcon platform customers access.
“Hybrid Analysis will now offer free public Yara rule and string searches to nearly instantly find malware samples that had been uploaded to Hybrid Analysis and download them and dynamic analysis related to them,” he said.
In the commercial Falcon platform, CrowdStrike integrated MalQuery with its Threat Graph technology to map the correlation of malware with detected threats. Alperovitch said that currently there is no integration of CrowdStrike’s Threat Graph with Hybrid Analysis, but that is something that is being considered for the future.
The addition of MalQuery to Hybrid Analysis isn’t the first time that CrowdStrike has extended its commercial technology to the free community site. Alperovitch noted that Hybrid Analysis also makes use of the Falcon Sandbox as well as the Falcon Machine Learning engine.
Furthermore, Hybrid Analysis isn’t the only free online portal that enables researchers and organizations to analyze files for potential malware. The Google-owned VirusTotal site is another popular option for malware analysis, and it’s a service that CrowdStrike also supports. Alperovitch said that both VirusTotal and Hybrid Analysis are public services that people use for different purposes. VirusTotal is often used to identify whether a given piece of malware is detected by various anti-virus security engines.
“Hybrid Analysis focuses on providing comprehensive dynamic behavioral analysis on what the malware is doing and [provides] free access to malware samples to vetted researchers,” Alperovitch said. “It now provides a unique capability to do instant Yara searches across a large repository of malware.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.