The Defense Cyber Crime Center (DC3) released the DC3 Malware Configuration Parser (DC3-MWCP) framework to the open source community on May 6, 2015.
The DC3-MWCP framework provides a structure for malware reverse engineers to easily codify knowledge of where important configuration data are hidden within malicious files. This codified knowledge can be leveraged in future analyses to quickly extract valuable configuration information.
With DC3-MWCP, a tool development process that could previously take weeks may be shortened to just days.
A given piece of malware can be authored by one entity, and then reconfigured and used by other groups. Before launching an attack with the malware, a hacker customizes configuration settings within the malware, much like the user of a home PC customizes preferences. The hacker might select options for the Command and Control (C2) server, the time the malware should sleep before executing, or notes about the malware’s purpose. These customized configuration details are embedded and obfuscated within the malware files.
Malware reverse engineers work to locate this information within the files to provide valuable indicators to cyber analysts. In addition, malware analysts often create a script to automatically extract this configuration data. Each script is unique with its own run commands, output format, and naming scheme.
DC3-MWCP standardizes these aspects of a configuration parser, providing a single interface for running and receiving responses, as well as easing the creation of new parsers. The framework can be accessed as a standalone utility, through a REST API, or Python API. This flexibility allows any configuration parser to be immediately used and incorporated into any organization’s workflow.
Prior to the creation of DC3-MWCP, the process of creating a new configuration parser and integrating it into DC3’s automation system took between four and six weeks. With the advent of DC3-MWCP, this process is shortened to as little as one to two days. Malware reverse engineers can quickly create, test, and deploy a parser into DC3’s system. The release of DC3-MWCP provides new capabilities for the malware analysis community, and creates a new standard to improve the sharing of tools among community members.
DC3-MWCP is available for download at https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP.
DC3 has a history of supporting the digital forensics community. The widely used Dc3dd was open sourced in 2008 with the latest release for 64-bit versions of Windows posted on March 3, 2015.
Established as an entity within the Department of the Air Force in 1998, DC3 provides digital and multimedia (D/MM) forensics, cyber investigative training, technical solutions development, and cyber analytics for the following DoD mission areas: information assurance (IA) and critical infrastructure protection (CIP), law enforcement and counterintelligence (LE/CI), document and media exploitation (DOMEX), and counterterrorism (CT). For more information, visit www.dc3.mil.
