CSE Releases Malware Analysis Tool

The Communications Security Establishment of Canada -- basically, Canada's version of the NSA -- has released a suite of malware analysis tools:

Assemblyline is described by CSE as akin to a conveyor belt: files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues. On the way out, every file is given a score, which lets analysts sort old, familiar threats from the new and novel attacks that typically require a closer, more manual approach to analysis.

Posted on October 25, 2017 at 6:07 AM • 11 Comments

Comments

hmmOctober 25, 2017 6:19 AM

The possibility that CSE's own tool could be used to detect spy software of its own design, or that of its partners, is not lost upon the agency.

"Whatever it detects, whether it be cybercrime or [nation] states, or anybody else that are doing things — well that's a good thing, because it's made the community smarter in terms of defence," said Jones.

Nor does he believe that releasing Assemblyline to the public will make it easier for adversaries to harm the government, or understand how CSE hunts for threats — quite the opposite, in fact.

"We believe that the benefits far outweigh any risks and that we can still use this to be ahead of the threat that's out there."

We'll all be sure to download and run this, won't we?

I have nothing to hide, but what's the advertised upside here?

Scan your system for "anything" and send the results to an intelligence agency? Where do I sign?

Vesselin BontchevOctober 25, 2017 6:43 AM

It is not a "malware analysis tool", folks. It is a tool for deploying of virtual machines running other people's malware analysis tools - you know, like Kaspersky, McAfee, etc.

WaelOctober 25, 2017 8:21 AM

@Vesselin Bontchev,

It is not a "malware analysis tool", folks.

So I read the article from the Communications Security Establishment: https://www.cse-cst.gc.ca/en/assemblyline

It says nothing about virtual machines, although that maybe an implementation detail. It seems from the description that it comes with its own malware analysis and scoring technology. It can also be extended by other detection and prevention controls already used by users.

Haven’t downloaded the source code yet, so maybe you’re right. Good initiative...

bobugbubilzOctober 25, 2017 3:04 PM

@Wael: it doesn't depend on virtual machines, but it does no analysis of its own. What it is is a framework for high volume scanning/analysis of files. What analysis? Whatever you supply. Could be AV, run it in cuckoo, etc. What the framework provides is robust queues and tracking. (Yeah, I actually read the manual.)

So unless you are tapping at the backbone and analyzing all files that pass by you probably don't need it.

The rough equivalent for a large enterprise would be paying for a virus total API key, grabbing files off the wire via Bro and having them analyzed. This would get your broad spectrum AV analysis and cuckoo execution, but you'd have to build your own queuing and reporting mechanism. Which you are most likely better off doing than messing with this.

hmmOctober 25, 2017 5:59 PM

It does look pretty useful.

Designed by an intelligence agency and given away for free just makes me wonder why.

milkshakenOctober 25, 2017 11:21 PM

So does it catch malware from the Equation group?...

By the way, there is a pretty entertaining article about the Kaspersky-TAO/NSA fiasco in the Intercept.

Clive RobinsonOctober 26, 2017 11:32 AM

@ Josh,

Does anyone trust them enough to run this on their machine?

Trust as such in this case works the other way around.

The first person to discover a fault in it will these days make a name for themselves, plus give CSE a bit of a black eye.

Most SigInt agencies are starting to realise that their people are not the sharpest knives in the draw, as they can not offer what those that are sharper can easily demand without the security 13ull5h1t, which in effect makes them namless and thus tied in for a life of little or no reward.

But that aside you could run their software in a virtual machine to stop any hidden nasties doing things to your system. Plus it's quite likely sharp eyes will pull things apart and work out exactly not just how the algorithms work but also how they don't work.

People already write malware code that evades AV detection some of which uses a scoring system like this.

Thus I would expect the risk of use on code you or most app developers would write is low for not getting a reasonably accurate score.

However I'm confident that there are ways that it can be beaten as there are a lot of "Unknown knowns" and "Unknown unknows" yet to be found some of which this program will not see.

65535October 26, 2017 10:08 PM

@ Vesselin Bontchev

"It is not a "malware analysis tool", folks. It is a tool for deploying of virtual machines running other people's malware analysis tools - you know, like Kaspersky, McAfee, etc."

Yes, that is want I make of it. But, it may do some code sifting stuff itself.

@ Wael

It looks like it is made for virtual box or VMware [no bare metal version of it]. You spin up a VM with Ubuntu 16 to 17 and possibly use it with tools from GoSecure. I downloaded the zip file and the manual. It looks like it uses python or java... I did not spend a lot of time on it.

@ bobugbubilz

"...it doesn't depend on virtual machines, but it does no analysis of its own. What it is is a framework for high volume scanning/analysis of files. What analysis? Whatever you supply. Could be AV, run it in cuckoo, etc. What the framework provides is robust queues and tracking. (Yeah, I actually read the manual.)"

That is a good explanation. It looks to like it needs a VM to run on for various purporses. I did not see any Win products it runs on - althouth with Server 2016 you could probably do it.

But, I am very rusty with python. I would like a step-by-step example with screen shots. I can find a copy of VMware or virtual box and Ubuntu and give it a it a go - but I will need a lot of help. Anybody have a step-by-step guide? Could anybody point me to a blog working on this project [other than the CSE].

Finally, with the right tools it may discover State Sponsored malware... well old out of date stuff with signitures.

AnuraOctober 26, 2017 10:30 PM

It probably uses a VM so it can log the activity at the (virtual) hardware level, maybe compare disk images. VMs can also be used as a prophylactic.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.