Company Overview.

Presentation on theme: "Company Overview."— Presentation transcript:

1 Company Overview

2 HBGary Background
- Founded in 2003 (6 years old)
- Built with Government Services & Grants
- No outside funding
- Solutions:
  - Digital DNA to detect Malicious Code
  - Leader in Memory Forensics
  - Advanced Malware Threat Assessment Services & Training
  - Offensive Aspects of Malicious Software
  - Software Exploitation and Tooling
  - “Rapid Response” Malware Assessment

3 Strategic Partners
- McAfee
- Guidance Software (EnCase)
- Agilex

4 HBGary R&D Funding
- Air Force Research Labs
  - Next Generation Software Reverse Engineering Tools (Phases I and II)
  - Kernel Virtual Machine Host Analyzer (Phases I and II)
  - Virtual Machine Debugger (Phase I)
- Dept Homeland Security (HSARPA)
  - Botnet Detection and Mitigation (Phases I and II)
  - H/W Assisted System Security Monitor (Phases I and II)
- Subcontractor to AFCO Systems Development
- Small Business Innovative Research (SBIR) Program

5 HBGary has grown into a full product company:
- DoD: ,500 Nodes
- Civilian Agencies: 31,000 Nodes
- Government Contractors & Consulting: Customers
- Fortune: Customers *
- Foreign Governments: 15 Customers
- Universities & Law Enforcement: 16 Customers
* Multiple site license discussions in the pipeline

6 Responder Field Edition
- Stand Alone Enterprise Memory Forensics: Responder Field Edition, integrated with EnCase Enterprise (Guidance)
- Enterprise Malware Detection: Digital DNA for ePO (HBSS); Active Defense (Q1)
- Response: Responder Professional w/ Digital DNA
- Digital DNA is intrinsic to all Enterprise products
- Policy Enforcement and Mitigation: integrated with Verdasys Digital Guardian

7 Why HBGary is Better: Forensic Quality Approach
- Analysis is done 100% offline using 2+ years of parsing technology developed under a USAF grant
- Host-centric “Windows without relying on Windows” RAM analysis
- Digital DNA™ detects zero-day threats: 5+ years of reverse engineering technology developed for multiple govt. agencies
- AUTOMATED!

8 Why HBGary is Better
Physical memory is “Windows without Windows”: it exposes everything about the OS without actually using a potentially subverted OS. Automatic decompilation of every software object exposes true software behaviors; this is not a signature. This catches unknown malware with no prior knowledge. A few traits will detect a great many variants, so it scales.

9 Under the hood
These images show the volume of decompiled information produced by the DDNA engine. Both malware samples use stealth to hide on the system. To DDNA, they read like an open book.

10 Benefits = Better cyber defense
- Enterprise detection of zero-day threats
- Lowers the skill required for actionable response
  - What files, keys, and methods were used for infection
  - What URLs, addresses, protocols, ports
- “At a glance” threat assessment
  - What does it steal? Keystrokes? Bank information? Word documents and PowerPoints?

11 Today’s Cybercrime Problem
- There is a lot worth stealing
  - Information is 100% digital and exposed
  - Identities are digital
- Attackers are motivated and well-funded
  - Funded criminal and state-sponsored
- Malware is sophisticated and targeted
- Existing security isn’t stopping the attacks

12 Anti-virus Shortcomings
- Top 3 AV companies don’t detect 80% of new malware
  Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006
- “The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their…computers safe and secure.”
  Source: “Anti-Virus Firms Scrambling to Keep Up”, The Washington Post, March 19, 2008

13 Digital DNA™

14 Digital DNA: Ranking Software Modules by Threat Severity
Software Behavioral Traits. Example trait sequence as shown on the slide: 0B 8A C2 05 0F F B ED C D 8A C2 0F 51 0F 64

15 5,000 malware samples are sequenced every 24 hours

16 Over 5,000 Traits are categorized into Factor, Group, and Subgroup.
This is our “Genome”

17 What’s in a Trait?
Example trait as shown on the slide: 04 0F 51 B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
- Unique hash code
- Weight / control flags
- The rule is specified like a regular expression: it matches against automatically reverse engineered details and contains boolean logic. These rules are considered intellectual property and are not shown to the user.
- The trait, description, and underlying rule are held in a database

18 DDNA Sequence Weighting
Example sequence as shown on the slide: D6 F7 07 CD E A8 F1 02 FB B 02 7C 9A 02 AC CF 00 9F…
- This is a series of 3-octet trait codes
- Each trait can have a weight from -15 to +15: + means suspicious, – means trusted
- The entire sequence is weighted by summing the weights of each trait
- The summing of weights is performed using an algorithm known as the discrete weight decay algorithm. This algorithm decays the effect of a repeated weight value over time.
- +40 points or more in weight = suspicious or potentially “evil”
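The weighting scheme described on slides 17 and 18 (3-octet trait codes held in a database with a weight from -15 to +15, summed with decay of repeated traits, +40 or more flagged as suspicious), worked through as an added example. This is not HBGary code: the trait codes, weights and descriptions are constructed, and the halving decay rule is an assumption, since the slide only says that repeated weights are decayed.

```python
from collections import Counter

# Page fact: +40 points or more in total weight = suspicious / potentially "evil".
SUSPICIOUS_THRESHOLD = 40

# Constructed trait database (codes, weights and descriptions are made up, not
# HBGary's genome): 3-octet trait code -> (weight in -15..+15, description).
TRAIT_DB = {
    "D6F707": (12, "queues an APC into a foreign process"),
    "CDE1A8": (8, "patches a system service table entry"),
    "B0027C": (15, "hides its own process from enumeration"),
    "9A02AC": (3, "opens a raw network socket"),
    "F102FB": (-5, "uses only documented GUI APIs (trusted)"),
    "CF009F": (-15, "module is signed by a trusted publisher (trusted)"),
}

def parse_sequence(seq_hex):
    """Split a DDNA-style hex string into 3-octet (6 hex digit) trait codes."""
    digits = "".join(seq_hex.split()).upper()
    if len(digits) % 6:
        raise ValueError("sequence is not a whole number of 3-octet codes")
    return [digits[i:i + 6] for i in range(0, len(digits), 6)]

def decayed_weight(weight, prior_hits):
    """Hypothetical decay rule (assumption): the n-th repeat of a trait
    contributes weight / 2**n, so one trait cannot dominate by repetition."""
    return weight / (2 ** prior_hits)

def score_sequence(codes, db=TRAIT_DB, decay=True):
    """Sum trait weights; decay=False gives the naive sum for comparison."""
    seen = Counter()
    total = 0.0
    for code in codes:
        if code not in db:
            continue  # unknown trait code: contributes nothing either way
        weight, _ = db[code]
        total += decayed_weight(weight, seen[code]) if decay else weight
        seen[code] += 1
    return total

def classify(total):
    return "suspicious" if total >= SUSPICIOUS_THRESHOLD else "not flagged"

if __name__ == "__main__":
    # Constructed sequence: the APC trait D6F707 appears three times.
    codes = parse_sequence("D6 F7 07 CD E1 A8 D6 F7 07 B0 02 7C D6 F7 07 9A 02 AC")
    print("naive sum  :", score_sequence(codes, decay=False))           # 62.0
    print("decayed sum:", score_sequence(codes), classify(score_sequence(codes)))  # 47.0 suspicious
```

Trusted traits carry negative weight, so a module that is signed by a trusted publisher but also queues an APC nets out below the threshold under this constructed database.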

19 Why Digital DNA?
- Detect malware regardless of how it was packaged or compiled: does the same things = same malware
- Detect variants across the Enterprise: Digital DNA is FUZZY!
- It tells you what the threat is! Traits are categorized and have descriptions
- It really can’t get any easier than this

20 How Digital DNA goes beyond MD5 Checksums
- In memory, once executing, a file is represented in a new way that cannot easily be back-referenced to a file checksum
- Digital DNA™ does not change, even if the underlying file does
- Digital DNA is calculated from what the software DOES (its behavior), not how it was compiled or packaged

21 In memory, traditional checksums don’t work
Diagram: DISK FILE → OS Loader → IN MEMORY IMAGE (copied in full, copied in part, 100% dynamic)
- On disk: MD5 checksum reliable
- In memory: MD5 checksum is not consistent; Digital DNA remains consistent

22 Whitelisting on disk doesn’t prevent malware from being in memory
Diagram: Internet document (PDF, ActiveX, Flash, Office document, video, etc.) → DISK FILE → OS Loader → IN MEMORY IMAGE
- MD5 checksum is whitelisted; process is trusted
- Public attack kits have used memory-only injection for over 5 years
- Whitelisted code does not mean secure code

23 Same malware compiled in three different ways
Diagram: DISK FILE → OS Loader → IN MEMORY IMAGE
- MD5 checksums all different
- Digital DNA remains consistent

24 Digital DNA defeats packers
Diagram: Starting malware → packed malware (Packer #1, Packer #2) → OS Loader → IN MEMORY IMAGE (decrypted original)
- Digital DNA remains consistent

25 Digital DNA detects toolkits
Diagram: Malware toolkit → different malware authors using the same toolkit → packed → OS Loader → IN MEMORY IMAGE
- Toolkit DNA detected

26 Digital DNA Screenshot

27 Threat Assessment Engines
Integration with McAfee ePO, shipping next year. Components in the diagram: HBGary Portal, ePO Console, Responder Workstation, ePO Server, ePO Agents (Endpoints), Schedule, HBGary Evidence Processor (Q1), SQL Events, HBG Extension, HBG WPMA (WPMA = Windows Physical Memory Analysis).

28

29 Fuzzy Search

30

31 New: REcon

32 REcon
- Records the entire lifecycle of a software program, from first instruction to the last
- Records data samples at every step, including arguments to functions and pointers to objects
- Offline physical memory analysis: rebuilding Windows without Windows; all physical-to-virtual address translations

