Don’t Cross the Streams

I had an experience a couple of weeks ago where I was reminded about the difference between speed and efficiency. This post will serve as my mea culpa.

I was in the middle of an intense analysis session of some complex malware when I was notified of a brand new piece of malware that needed to be analyzed immediately.  As I went through the process of acquiring it, my boss approached, pulled up a chair, and asked how long before we knew anything.  On the earlier case, I had just reverted my lab VM to a validated base to some kernel level debugging of the samples.  I had only moved in the samples that I needed, but had not begun the analysis. No other activity had taken place in this lab VM.  Instead of taking the time to snapshot the lab’s current state, revert to my base, and analyze the new sample in a clean and validated environment, I just moved the new sample in.  I intended to get some quick static analysis done to decide how much time and what priority this new sample would need.  Then but for one click I could have been a hero. :)

I started my analysis by grabbing PE info and sending the sample into a hex editor.  This is accomplished with a right click context menu item.  I right clicked on the wrong sample and instantly started seeing similarities to the earlier case which I had dozens of hours in already.  I announced this linkage and that false intelligence lived for about 90 seconds. The skeptic in me realized the presence of the previous case’s sample in my analysis folder had to be excluded.  I quickly noted my mistake and announced it, but some damage had already been done.  No big bells or whistles had gone off, but our unit had already begun to emotionally ramp of for the response needed if this new malware was connected to the case I was working on.

After getting the genie back in the bottle, I built the lab correctly.  I blew away the lab VM, reverted to a validated clean base, moved in the new sample, and within 10 minutes had a decent  analysis done.  It was enough to let the rest of the team start hunting and to identify the malware as being a polymorphic variant of a known malware family.  That made further analysis beyond indicator collection low priority and I went back to my earlier case.

So to save the 5 minutes (max) that it would have taken to take a snapshot and then revert to the validated base image of the lab, I risked spinning our response unit up to full throttle in error and possibly harming our image with executives due to generating a false lead.  That is definitely not worth 5 minutes.

For those that don’t get the title: http://www.youtube.com/watch?v=jyaLZHiJJnE

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>