Tuesday, May 1, 2012

Tools in the Toolbox: Mandiant Red Curtain

** Somehow this missed its cycle date; not sure how I confused a 2011 date with 2013. I will be doing some more analysis with Red Curtain this summer, with malware and scoring, to see if I can better understand it. This is my initial review of the tool. **

I have decided that in order to understand the tools I plan to use for DFIR, I will need to research them and write up what I can conclude from them. The first up is Mandiant's Red Curtain. While I am aware that there are other reviews out there, I felt that with my background and career focus some more light might be shed on it.

MANDIANT Red Curtain is free software for Incident Responders that assists with the analysis of malware. MRC examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat "score." This score can be used to identify whether a set of files is worthy of further investigation.
The first impression of Red Curtain is favorable. The user interface is clean and well organized; there is not much to this application. You have the option to scan either a single file or a folder and all subfolders.

Lab Setup:

HP Elitebook, Win 7, 8GB RAM, i5 processor

Malware Being Analyzed (linked to VirusTotal results):

tlbinf3232.exe
mdhcp32.exe
Symantec Analysis:

Files Submitted

| # | Filename       | MD5                              | Determination | Signature Protection Name | RR Seq# |
|---|----------------|----------------------------------|---------------|---------------------------|---------|
| 1 | mdhcp32.exe    | 2FC9278067DC3BF99C964311B4796EA6 | New Threat    |                           | 125119  |
| 2 | tlbinf3232.exe | 2FC9278067DC3BF99C964311B4796EA6 | New Threat    |                           | 125119  |

Developer Notes:
mdhcp32.exe is a non-repairable threat. This file is contained in bad stuffs.zip.
tlbinf3232.exe is a non-repairable threat. This file is contained in bad stuffs.zip.


Mandiant Red Curtain Scan:
According to the following table, these items are typically not suspicious.


What I found most interesting is that many of my incident response tools received a higher score than the malware I tested. The applications Image Burn and Unetbootin scored a higher threat score (3.753+) than my malware did.


While I think there is potential here, based on my initial run of tests I would not advise relying on Red Curtain to alert you to a suspected piece of malware.



Online Reviews:
