2012-06-22 ReversingLabs Receives DARPA Contract to Develop File Disinfection Framework
Approved for Public Release, Distribution Unlimited
The File Disinfection Framework aims to improve and automate security analysts’ ability to remove increasingly sophisticated polymorphic malware.
June 22, 2012 - Cambridge, MA – ReversingLabs, the global leader in static malware analysis tools and services, announced today that it has received a DARPA Cyber Fast Track contract (http://cft.usma.edu/) to build a software framework to accelerate the development of disinfection tools for the latest file infecting and polymorphic malware attacks. File Disinfection Framework (FDF) will be an open source project that implements an advanced virtual machine for polymorphic malware disinfection. It will seek to enable dynamic binary analysis on top of a static analysis framework by giving developers full control over detection, disinfection and repair of affected files.
“Disinfection routines like generic unpackers or generic behavioral signatures often cannot disinfect serious polymorphic file infectors such as Sality and Virut,” said Mario Vuksan, CEO of ReversingLabs. “FDF will aim to simplify and speed development of the targeted routines required to disinfect these attacks and prevent frequent re-infection due to the usage of poorly written or generic disinfection routines.”
The DARPA Cyber Fast Track program is designed to fund security research whose output is likely to directly benefit the computer security research community at large.
If successful, FDF will enable experienced professionals to quickly and easily develop highly complex disinfection modules, thus improving their response times and reducing the need for wholesale system re-imaging, which has become the core task for many security professionals. It would also allow junior analysts to participate and build more sophisticated analysis, decomposition, disinfection and binary repair solutions on their own.
Consolidation of basic reversing building blocks for the manipulation of PE content reduces the need for individual practitioners to manage their own (or their organization’s) legacy code. This increases productivity, reduces response time and enables better insight into attacking code. As an open source project, FDF will benefit from community feedback and contributions. This will promote low-cost solutions that serve a broad community of practitioners and use case scenarios. FDF will leverage TitanEngine, a powerful open source library for dynamic and static manipulation of executable code. FDF will consist of the following five key components:
- Advanced Virtual Machine for polymorphic malware disinfection
- APIs for automated file repair
- Dynamic disinfection APIs
- Static disinfection APIs
- Sample applications and documentation
ReversingLabs anticipates that FDF will be available in Q3 2012.
Note: The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
ReversingLabs develops analysis tools that enable security professionals to detect malicious code and hidden content in unknown files from computers and mobile devices. TitaniumCore, the company’s award-winning file analysis platform, removes all protection and obfuscation artifacts, unwraps formatting elements and extracts relevant metadata. The Titanium web service enables the comparison of samples against analysis reports on billions of goodware and malware files. Binary content normally not identified by whitelist, blacklist and sandbox tools can thus be analyzed and classified. These tools provide the fastest and most comprehensive solutions for decomposing and extracting data from unknown binary files.
The company's global customers come from a number of sectors including antivirus vendors, government agencies and commercial enterprises. ReversingLabs is privately held with employees in the United States, Croatia and Switzerland. For more information, visit http://www.reversinglabs.com or call +1 617-250-7518.