Tools
eEye Radar
Radar is an offshoot of our Blink Heuristic module work, which uses a patent-pending process to analyze binary files and determine whether they are packed or encrypted, and how. That system combines entropic analysis methods with a Bayesian probability system. We have also developed this system to perform generic fuzzy analysis on binary data patterns. The system released here is far simpler, but it does the job well as a PoC example.
Radar is also an offshoot of work done outside of eEye on behalf of Hacktivismo for international censorship-surmounting tools. It should be noted that while encryption is a crucial part of security, it is trivial to detect the use of encryption on the wire. Applying basic entropic analysis formulas to data is an extremely simple procedure. This means that the very use of encrypted channels, without steganography or other forms of inclusion, can make your encrypted communication stand out in the crowd.
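As an added example (not eEye's Radar code), this is the entropic measurement the paragraph refers to: Shannon entropy in bits per byte, computed over fixed-size windows so a high-entropy blob inside an otherwise plain stream still shows up. The HTTP header and the SHA-256 chain standing in for ciphertext are constructed sample inputs; the 7.0 bits/byte threshold and 512-byte window are assumptions.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = 512) -> list:
    """Entropy of each consecutive window; the trailing window may be shorter."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_encrypted(data: bytes, threshold: float = 7.0, window: int = 512) -> bool:
    """Crude classifier: any window at or above the threshold is flagged.
    Caveat: compressed data (gzip, media) scores just as high, so this detects
    'high-entropy payload', not 'encrypted' specifically."""
    return any(e >= threshold for e in window_entropies(data, window))


def pseudo_random_bytes(n: int, seed: bytes = b"radar-example") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain (constructed sample)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a repeated plaintext HTTP request and 4 KiB of "ciphertext".
PLAINTEXT = (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
             b"User-Agent: entropy-demo\r\n\r\n") * 40
CIPHERTEXT = pseudo_random_bytes(4096)

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT), ("ciphertext", CIPHERTEXT)):
        print(f"{name:10s} entropy={shannon_entropy(blob):.2f} bits/byte "
              f"flagged={looks_encrypted(blob)}")
```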
Another interesting point about Radar-like technology is that most spyware, whether "commercial" or black-hat trojans/rootkits, will eventually want to "phone home" in some way. Invariably, this communication will tend to be encrypted. This is usually the point at which such malicious applications are most exposed to discovery: there are far fewer ways to hide such traffic, such as the passing of keylogs or passwords, than there are to hide the actual processes on the infected system. See the enclosed documentation for more details.
[Download]
