APPROVED FOR PUBLIC RELEASE, DISTRIBUTION UNLIMITED The File Disinfection Framework aims to improve and automate security analysts’ ability to remove increasingly sophisticated polymorphic malware.
ReversingLabs, the global leader in static malware analysis tools and services, announced today that it has received a DARPA Cyber Fast Track contract (http://cft.usma.edu/) to build a software framework to accelerate the development of disinfection tools for the latest file infecting and polymorphic malware attacks. File Disinfection Framework (FDF) will be an open source project that implements an advanced virtual machine for polymorphic malware disinfection. It will seek to enable dynamic binary analysis on top of a static analysis framework by giving developers full control over detection, disinfection and repair of affected files.
“Disinfection routines like generic unpackers or generic behavioral signatures often cannot disinfect serious polymorphic file infectors such as Sality and Virut,” said Mario Vuksan, CEO of ReversingLabs. “FDF will aim to simplify and speed development of the targeted routines required to disinfect these attacks and prevent frequent re-infection due to the usage of poorly written or generic disinfection routines.”
The DARPA Cyber Fast Track program is designed to fund security research whose output is likely to directly benefit the computer security research community at large.
If successful, FDF will enable experienced professionals to quickly and easily develop highly complex disinfection modules, thus improving their response times and reducing the need for wholesale system re-imaging, which has become the core task for many security professionals. It would also allow junior analysts to participate and build more sophisticated analysis, decomposition, disinfection and binary repair solutions on their own.
Consolidation of basic reversing building blocks for the manipulation of PE content reduces the need of individual practitioners to manage their own (or their organization’s) legacy code. This increases productivity, reduces response time and enables better insight to attacking code. As an open source project, FDF will benefit from community feedback and contributions. This will promote low cost solutions that serve a broad community of practitioners and use case scenarios. FDF will leverage TitanEngine, a powerful open source library for dynamic and static manipulation of executable code. FDF will consist of the following five key components:
- Advanced Virtual Machine for polymorphic malware disinfection
- APIs for automated file repair
- Dynamic disinfection APIs
- Static disinfection APIs
- Sample applications and documentation
ReversingLabs anticipates that FDF will be available in Q3 2012.
Note: The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.