Mandiants Free Tool Hunts for Malware

Mandiant's new freeware helps evaluate files from computer systems that may have been compromised.

Mandiant has released Mandiant Red Curtain, a free malware analysis tool aimed at helping security professionals evaluate files from potentially compromised computer systems.

MRC examines executable files to determine how suspicious they are and calculates an overall threat score to establish whether a set of files should be examined further. The tool is aimed at helping security professionals responding to an incident.

Dave Merkel, vice president of product development at Mandiant, said there are a few different ways to look for malware.

"You can run anti-virus, but that only finds the things you already know about. New strains of malware frequently defeat this kind of detection," Merkel said.

"When that happens, youre left with forensic analysis techniques to try and determine whats going on during a security incident. An incident responder needs tools that help identify things that are suspicious. Typically, tools that provide heuristic methods are the most useful when you dont know exactly what it is youre looking for. We often refer to this as finding evil. We help the investigator know it when they see it."

MRC looks at six categories of information to calculate a threat score. The first is entropy.

Merkel said that one of the fundamental properties of encrypted, compressed or obfuscated data is its entropy tends to be higher than that of structured data, such as user-generated documents and computer programs.

"A measure of entropy isnt a sure-fire method for identifying malware or the bad guys hidden data store," he said. "A valid user may have encrypted, or more commonly, compressed information stored on a computer system. However, looking at entropy does provide an excellent filter when you are faced with a multi-gigabyte data reduction problem."

The Mandiant tool also examines digital signatures to see whether an executable file is signed, and tries to identify which compiler generated an executable and whether or not a specific packer—tools used by hackers to hide malware—was on the file.

In addition, the tool identifies executable files that appear to have been modified, files with an excessive amount of imports and those with various combinations of permissions that indicate whether they can be read, written or contain executable code.

"The threat score tends to be a number between 0 and 2, though there is not a hard-coded upper bound," Merkel said.


Read here about which Web server delivers the most malware.

A score of 0.9-1.0 is considered "very interesting" and means there may be malicious files with deliberate attempts at obfuscation.

Legitimate files will sometimes have very high threat scores based on specific things a software vendor has done, Merkel added.

"MRC does a fairly technical analysis—trained experts will benefit the most from its features," he said. "However, even novice incident responders can use the concept of the threat score to quickly narrow the scope of a malware investigation."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.