As is commonly known in the industry, and as evident from recent high-profile malware samples such as Stuxnet and Flame, malicious binaries are continuing to increase in complexity and grow in size. While a single analyst can statically reverse engineer a small downloader or dropper in a matter of minutes, it can take weeks or even months of man-hours to analyze a massive binary developed by a well-funded adversary. To streamline the reverse engineering process, CrowdStrike has developed CrowdRE, a platform that allows analysts around the world to perform collaborative reverse engineering. This post will focus on the CrowdRE plugin for IDA Pro, which allows analysts to leverage the power of the cloud to analyze a given binary.
We’ll demonstrate the functionality of CrowdRE on a malware sample from a Chinese-based intrusion set that we at CrowdStrike call “Comment Panda” (the group is also known in the industry as “Comment Team” or “Comment Group”). This adversary was responsible for the Shady RAT intrusions that were revealed by our co-founder and CTO Dmitri Alperovitch last year, and is known to encode Command-and-Control (C2) commands inside of HTML comment tags. In this CrowdStrike Services scenario, a customer finds this malware sample on their network and needs it analyzed immediately, so CrowdStrike assigns two analysts to concurrently reverse engineer the sample. Both analysts disassemble the sample in IDA on their own computers. The first analyst is told to focus on functions related to auto-start-execution-points (ASEPs) and cryptography, while the second analyst agrees to focus on functions related to network communications.
First Analyst’s Workflow
The first analyst notices a function that writes an entry into HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows. He names the local stack variables, writes descriptive comments for the function, and names the function RegisterASEP():
He then finds what appears to be a numeric constant related to the generation of AES tables. Upon further investigation, the analyst determines that this malware in fact uses Gladman’s implementation of the AES/Rijndael decryption algorithm with a fixed 128-bit decryption key. As above, the analyst annotates the AES functions:
He then uploads his work to the CrowdRE cloud by pressing Ctrl-F2 to load the CrowdRE plugin, and then pressing the “Upload annotations…” button. This brings up a dialog of all the functions in the IDB, allowing the analyst to choose which functions’ annotations to upload to the CrowdRE cloud. The analyst chooses gen_tabs(), set_key(…), rEncrypt(…), rDecrypt(…), AESDecrypt(…), RegisterASEP(), and ConstructAesKey(…) (several of those function names based on the AES library code used by the malware), and presses “Upload annotations”:
Second Analyst’s Workflow
Meanwhile, the second analyst is busy at work. He spots two functions in the malware that call API functions such as HttpSendRequestA(…) and InternetReadFile(…). The analyst reviews the first function, names the local stack variables, makes some comments in the disassembly, and names the function DownloadFileFromWebServer():
He then analyzes the second function and finds that it downloads a file, appears to call a function to decrypt or deobfuscate the downloaded file, and saves the output to disk. This decryption/deobfuscation function is highlighted in yellow below:
Given that the first analyst was tasked with analyzing cryptographic functions, the second analyst now queries the CrowdRE cloud to see if any annotations are available for sub_404814(…). He navigates to sub_404814(…) in his IDB and presses Ctrl-F2 to bring up the CrowdRE Function History for that function:
The Function History pane above shows that the first analyst has already analyzed sub_404814(…) and submitted annotations for it twice, with the most recent one showing that the input arguments to the function are actually pointers, not ints. This Function History pane can be moved around like any other IDA window pane — it can be docked into a chosen location in IDA, or dropped into IDA’s window tab bar to create a new tab, or even popped out into its own floating window. Whenever the user navigates to a different function in IDA’s disassembly view, the pane’s content is automatically updated to show the Function History of the current function being analyzed.
The second analyst can simply double-click on the annotation of his choice (or press “Import annotation…”) to see the details of what was previously uploaded for this function:
In the Download Annotations window above, the second analyst can now choose what to import from the CrowdRE cloud, such as the function’s name and prototype, comments, stack variable names and types, and register variable names and types. Notice that not only are the standard variable types available, but even the user-defined variable types are found in the cloud and can be imported into the second analyst’s IDB. When the first analyst uploaded his annotations to the CrowdRE cloud, the plugin detected that he had created and was using user-defined structs such as GAesKey and uploaded those struct definitions to the cloud automatically during the annotation upload. In fact, the plugin recursively uploads all dependencies of every variable type used in an uploaded function.
Once the desired options are checked and “Import” is pressed, the changes are applied to the second analyst’s IDB:
However, as can be seen above, there are several other functions remaining for analysis, so the second analyst decides to do a batch import of annotations for multiple functions in his IDB. He presses the “Batch import annotations…” button to see what’s available from the CrowdRE cloud for all of the functions in his IDB:
When performing a batch import, the most recent annotations for each checked function are imported into the user’s IDB. To cherry-pick specific annotations from a function’s history of all uploaded annotations, the user can follow the previous steps above of navigating to a specific function in the IDB to see every uploaded annotation in that function’s history in the Function History window pane.
In this case, the second analyst sees that the most recent annotations are all from the first analyst, and since he’s a trusted source, the second analyst simply imports all functions from the CrowdRE cloud that were previously analyzed and uploaded by the first analyst. (Note in the screenshot above that AesDecrypt(…) is the current name of the function at 0x00404814 since its annotations were imported in the steps above.)
Now the second analyst can continue reverse engineering this malware with the first analyst’s function annotations propagated throughout the second analyst’s IDB.
Although still pre-beta, CrowdRE has some other great features as well, such as fuzzy-matching of functions (for matching functions across different variants of a given malware family for malware analysis, or matching functions between an older version and a newer version of the same DLL for vulnerability analysis) and type conflict resolution.
We’re very excited about the new features that we’re developing and looking to share with the community soon, such as support for Linux and Mac OS, social ratings of other users’ annotations in the cloud (so you can see what other people think is reliable), access control lists (to allow only specific people to see your annotations), better fuzzy matching of functions, and much more!
If you have any questions or feature requests, we’d love to hear from you! You can e-mail us at firstname.lastname@example.org.
P.S. The functions discussed above are already in the CrowdRE cloud, so if you come across a Comment Panda variant, you’ll be able to use the CrowdRE IDA plugin to import the annotations above via fuzzy matching functionality!