What Will I Say

Mandiant, an incident response management services and solutions provider, released a free tool to
assist incident response teams with identifying malware.

One technique that malware authors use to evade antivirus products is using packers and
crypters to compress and/or encrypt their malware. Since antivirus products primarily rely
on signatures to detect malware, the simple act of packing or encrypting a file can prevent it
from being detected.

When performing incident response, it is not uncommon to come upon unknown files that
aren't detected by the latest virus signatures. At that point, how do you know if a file is good
or bad? You could run the suspicious file in a virtual machine and monitor its behavior, but
some malware is designed to detect virtual environments and act differently to mask its true
function. This is why Mandiant released Red Curtain.

Red Curtain scans files looking for characteristics that might indicate a packer or crypter
was used, and then produces an overall score based on those characteristics. One of the
more interesting things it searches for is entropy, a measure of randomness which tends
to be higher in compressed and encrypted files.

MRC (Mandiant Red Curtain) examines executable files to establish how suspicious they are based
on a set of criteria, including review of multiple aspects of an executable, for things such as
entropy (more on this below), indications of packing, compiler and packer signatures, the presence
of digital signatures, and other characteristics used to generate a threat "score." This score is
then used to determine whether files are worthy of further investigation.

////// Entropy //////

Shannon called his measure not only the entropy but also the "uncertainty." Suppose that
information is proportional to uncertainty. But as a system gets more random, its entropy goes up.
How could that be? Information is the very opposite of randomness! The confusion comes from
neglecting to do a subtraction: information is always a measure of the decrease of uncertainty.
So if we subscribe to the claim that "information is always a measure of the decrease of
uncertainty," we will grasp not only the concept that drives MRC's methodology, but one of
the underlying fundamentals of malware research, or for all intents and purposes, incident
handling in general. Eliminate uncertainty and we will be more readily able to build an
effective response.

////// Entropy 2 //////

The lowest entropy is calculated for a random variable that has a single event with
a probability of 1.0, a certainty. The largest entropy for a random variable occurs when
all events are equally likely.
We therefore would expect the average information to be the same as the information for
a single event calculated in the previous section.

////// Usage //////


Lab1-02: yellow (one antivirus engine identifies it as a malicious downloader that downloads
additional malware)

Lab1-03: red

MRC implements a unique sliding-window method for determining the entropy of a file, which
makes it useful when analyzing a large block of data that may contain small sections of
highly random data, which are therefore potentially interesting to the investigator.
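The two entropy passages above (the minimum and maximum of Shannon entropy, and the sliding-window scan) can be made concrete in a few lines. The code below is an added example, not MRC's own code or algorithm: it computes Shannon entropy in bits per byte, shows that a constant buffer scores 0.0 and a buffer containing every byte value equally often scores 8.0, and then slides a window across a constructed sample buffer so that a small random-looking region stands out instead of being averaged away by whole-file entropy. The window size, step and 6.5-bit threshold are assumptions chosen for the example, not values taken from MRC.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0).

    A buffer in which every byte has the same value (one outcome with
    probability 1.0) scores 0.0; a buffer in which all 256 byte values are
    equally likely scores the maximum of 8.0.
    """
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sliding_window_entropy(data: bytes, window: int = 256, step: int = 64):
    """Entropy of each fixed-size window across the buffer.

    Returns a list of (offset, entropy) pairs, so that a small high-entropy
    region inside an otherwise ordinary file remains visible.
    """
    results = []
    last_start = max(1, len(data) - window + 1)
    for offset in range(0, last_start, step):
        chunk = data[offset:offset + window]
        results.append((offset, shannon_entropy(chunk)))
    return results


def high_entropy_regions(data: bytes, window: int = 256, step: int = 64,
                         threshold: float = 6.5):
    """Windows whose entropy meets the threshold: the regions an investigator
    would look at first. The threshold is an assumed cut-off for this example."""
    return [(offset, h) for offset, h in sliding_window_entropy(data, window, step)
            if h >= threshold]


# Constructed sample buffer: a run of zero bytes, then 512 pseudo-random bytes
# standing in for a packed or encrypted region, then a run of repeated 'A' bytes.
# A fixed seed keeps the sample reproducible between runs.
_rng = random.Random(1234)
SAMPLE = bytes(1024) + bytes(_rng.getrandbits(8) for _ in range(512)) + b"A" * 1024


if __name__ == "__main__":
    print(f"whole-file entropy: {shannon_entropy(SAMPLE):.2f} bits/byte")
    for offset, h in high_entropy_regions(SAMPLE):
        print(f"high-entropy window at offset {offset:#06x}: {h:.2f} bits/byte")
```

Run it on any file by replacing SAMPLE with the file's bytes; the whole-file figure for the sample stays low because the zero and 'A' runs dominate, while every window that lies entirely inside the random region scores well above the threshold.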

Then Red Curtain looks for valid digital signatures on the executable files, PE (Portable
Executable) structure anomalies, imports from other files on the system, and section
permissions, such as sections that are readable or contain executable code.
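To show what a section-permission and structure check looks like at the byte level, here is an added example that is not MRC's code and does not reproduce its rules. It walks the DOS header, PE signature and COFF header of a PE image to the section table, then applies two assumed heuristics: flag a section that is both writable and executable, and flag a section whose virtual size is far larger than its on-disk size (the shape left when code is unpacked into a reserved region at runtime). The flag constants are the real PE/COFF values; the sample PE image is constructed in the script, is header-only and is not loadable.

```python
import struct

# Section characteristic flags as defined in the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HEADER_FMT = "<HHIIIHH"         # 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # 40 bytes


def parse_sections(pe: bytes):
    """Follow e_lfanew to the PE signature, skip the COFF and optional headers,
    and return one dict per section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     opt_header_size, _chars) = struct.unpack_from(COFF_HEADER_FMT, pe, coff)
    table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_header_size
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr, _rel, _ln, _nrel, _nln,
         characteristics) = struct.unpack_from(SECTION_HEADER_FMT, pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "raw_pointer": raw_ptr,
            "characteristics": characteristics,
        })
    return sections


def section_anomalies(pe: bytes):
    """Assumed example heuristics (not MRC's actual rules):
    - a section that is both writable and executable
    - a section whose virtual size is more than four times its raw size
    Returns a list of (section name, reason) pairs."""
    findings = []
    for s in parse_sections(pe):
        ch = s["characteristics"]
        if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "writable and executable"))
        if s["virtual_size"] > 4 * max(s["raw_size"], 1):
            findings.append((s["name"], "virtual size much larger than raw size"))
    return findings


def build_sample_pe(sections):
    """Construct a header-only synthetic PE image: DOS stub, PE signature,
    COFF header with no optional header, and section headers. It exists only
    to exercise the parser and cannot be loaded or run."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b""
    for name, vsize, raw_size, characteristics in sections:
        table += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, 0x1000,
                             raw_size, 0x400, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff + table


R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
# Constructed sample: two ordinary sections and one that trips both heuristics.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x2000, 0x2000, R | X),
    (b".data", 0x1000, 0x1000, R | W),
    (b".stub", 0x20000, 0x200, R | W | X),
])

if __name__ == "__main__":
    for name, reason in section_anomalies(SAMPLE_PE):
        print(f"{name}: {reason}")
```

On a real file, read its bytes and pass them to section_anomalies; a finding is a reason to look closer, not a verdict, which is the same way MRC's score is meant to be read.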

Red Curtain considers all these code elements and then generates a threat score for potential
evilness.

0.0 - 0.7: Typically not suspicious, at least in the context of the properties that MRC analyzes.

0.7 - 0.9: Somewhat interesting. May contain malicious files with some deliberate attempts
at obfuscation.

0.9 - 1.0: Very interesting. May contain malicious files with deliberate attempts at
obfuscation.

1.0+: Highly interesting. Often contains malicious files with deliberate attempts at
obfuscation.

Roaming Mode

I like "portable" applications I can run off a USB stick on a target machine and not have to
install. Especially in utilities, anti-malware tools, and incident response software.

So MANDIANT's developers provided a "portable" version of the tool as well, which doesn't
require installation or even that the .NET Framework be present on the target machine.

PsExec is a light-weight telnet-replacement that lets you execute processes on
other systems, complete with full interactivity for console applications, without
having to manually install client software.

This makes scanning and report collection of findings very simple.

Just open the Console version and select "File, New, Deploy Scanning Agent." Done.

This copies four required files into the specified folder.

To use the Roaming Mode agent, copy the folder to a USB device or the target workstation.

Then open a Command Prompt window.


Usage:
    mrcagent epcompsigs eppacksigs roamingsigs [[-r] <Dir> | <File>] <Output File>
    where: -r is recurse through subdirectories [off by default]

Example:

    D:\mrcagent>MRCAgent.exe epcompilersigs.dat eppackersigs.dat roamingsigs -r c:\windows\system32 myoutput.xml

In this instance the Agent will collect an analysis of all directories and files within
c:\windows\system32 and store it within d:\mrcagent\myoutput.xml.

The Roaming Mode agent runs very fast as well and makes fairly short work of the folders.
Speed will vary depending on system performance and file/folder sizes.

When the output file has been written, we collect it and examine away! The recommended way
is to use the Red Curtain Console application to open and view the output XML file.

////// Final thoughts //////

So basically, to use Red Curtain in an incident response it is preferable to:

1) Always first isolate the system from the network (say, by pulling the network cable).

2) I then like to run (from CD media) Process Explorer, Process Monitor, Autoruns, and
usually at least one utility to check open and listening network ports.

3) I would run the battery of anti-virus and anti-malware scanning utilities, as well as
check the logs for any prior history of alerts from those enterprise-class anti-virus
applications we run "real-time" on our systems.

4) Assuming that all these have been passed, any anomalies noted and captured for review in
the lab, and any other issues dealt with, then probably turn to a final check of the system
using Red Curtain.

5) Any highly-scored and red-tagged files should then be examined a bit more closely for
strings and other possible clues. Maybe do some Google work. Finally, I would ice the cake
by uploading them to online scanners such as Jotti or Vtotal, as well as Sunbelt CWSandbox.
