How to Use CrowdStrike Falcon MalQuery
Falcon MalQuery is an advanced, cloud-based malware research tool designed to enable security professionals and threat researchers to search a massive collection of malware samples with speed and efficiency. At the core of Falcon MalQuery is a massive, multi-year collection of malware samples that is uniquely indexed for rapid search.
READY TO LEARN MORE?
CrowdStrike Falcon MalQuery – The faster, more complete malware search engine
Today, I would like to show you how powerful CrowdStrike’s new Falcon MalQuery search engine is. Here are a couple of quick facts to explain what you’re about to see. Falcon MalQuery consists of a gigantic collection of malware files– over 560 terabytes today. We collected this malware over the last five years, and we collect many more samples every day.
We then use our proprietary indexing technology to make all of that data accessible and searchable. While other malware repositories limit you to hash or tag searches, Falcon MalQuery allows you to search inside of each and every file in our archive. You can search for strings as well as binary sequences, and even complex YARA rules. And the best part, results don’t take hours or days to come back. They take mere seconds or minutes.
OK, let’s get started and look at three different use cases out of the life of a typical malware researcher. The first one is a tricky one. A computer, not protected by CrowdStrike Falcon, get’s compromised with the recent NotPetya malware. The machine is fully encrypted and locked up. All we can see is the ransom note on the screen.
If you were handed this machine and tasked with finding out what happened, where would you start? Well, our malware researcher is at luck. With access to Falcon MalQuery, he can start his investigation by picking some unique-looking text out of the ransom note. In this case, let’s go with the bitcoin wallet ID. In Falcon MalQuery, I can perform simple searches across all of the malware that CrowdStrike has indexed. By simply selecting ASCII and then pasting or typing our bitcoin wallet ID, I can kick off my search. Within a few seconds, I get results back. That means within our archives, there are files that contain the bitcoin wallet ID we searched for. Some of them are HTML files and less interesting. But some of them are PE or executable files, and very interesting to me.
We can also see that these files have been seen between June and July 2017, so very recent. Let’s download one and take a closer look. There are many ways to dissect a piece of malware. To keep it simple in this demo, I will just run the Strings tool to extract all readable characters from the file. At the bottom, we can see some Microsoft certificates that have been used to make the file look like it has been signed, and then we can see more of the ransom note in plain text.
Let’s see if this ransom text has been used in other malware before. The text Destroy all of your data seems interesting. Let’s copy that and switch back over to Falcon MalQuery. We’re going to pick ASCII again, and then search for this ransom note term. A few seconds later, we get a list of executable files that all contain the same text.
Sorting by date, we can see that this time, the older sample is from March 2016, over a year ago. Looks like this is not brand-new malware, but another variant of malware that has been discovered over a year ago. Let me ask you this, how many of your tools let you search this far back today? Most malware search engines are limited to 90 days of data, because they lack the ability to index, store, and make available all this information. Only Falcon MalQuery can give you better, faster, and more complete results.
OK, let’s look at another example. So far we’ve been focused on string searches inside of binary files. But what if you want to look for binary or hex values in these files? Not a problem, Falcon MalQuery allows you to do that as well. In our scenario, we’re working with a binary signature that was given to our malware researcher. He needs to find out where this came from, and preferably, who it came from.
You’ll see how quick Falcon MalQuery found the results for this binary search. We can see that this file is from 2016. It’s a Java file. And even better, because CrowdStrike also offers threat intelligence services that can attribute certain files to the adversary or actor that created them, we can see that this particular file was created by a Russian adversary called Fancy Bear. A quick click on the link gets you over to the full actor profile and any associated reports with this actor.
OK, one more use case to go over, and this is a big one. Ask any malware researcher about the joys of developing YARA rules. I bet they’ve got some stories to tell. In general, it goes like this. You investigate a piece of malware, you find related samples, and you study them as well. And after a while, you come up with some kind of unique string or bite sequence that should identify the file or family.
That takes time, and in the end, the biggest challenge is the validation. You have to make sure that the YARA rule only catches what it’s supposed to catch, and doesn’t cause a bunch of false positives. A lot of that process relies on help from fellow researchers, and there are a few tools out there that allow you to run your rules against the repositories.
But they are slow– painfully slow, to the point where it can take days before you get the results back. Not so with Falcon MalQuery and its YARA rule hunting capability. Let’s look at a quick example here. I got a rule to catch Petya malware. It took me a few hours to put this together, and now I’m ready to test it. I will let this search go on in real time. And this might take a couple of seconds. But I want you to see how quick this really is.
Within seconds, I get results back, and they’re not looking great. First, we can see that I got 1,164 matches with my rule. That’s way too many results. Falcon MalQuery is also helping me in identifying my flawed YARA rule by showing me a yellow warning bar at the top. This indicates that my rule was way too broad and caught too many results.
The fix to my example rule is simple. Just limit the file size to less than 1 megabyte. Right in the Falcon MalQuery interface, I can edit my YARA rule and run the search again. And voila, my search results come back even faster than before. While this is a very simple example, you can already see how this can change your development and validation of YARA rules tremendously.
OK, let me summarize quickly. I showed you how CrowdStrike’s new malware search engine Falcon MalQuery lets you search a huge repository of malware. You can go back over five years, and it is crazy fast. Thank you for watching, and please visit us at CrowdStrike.com.
For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.Visit the Tech Center