
Improving FLARE’s Malware Analysis Tools at Google Summer of Code 2023

November 30, 2023
Mandiant

Written by: Mike Hunhoff, Moritz Raabe, Willi Ballenthin, Tina Johnson


This summer marked the FLARE team’s first year participating in Google Summer of Code (GSoC). GSoC is a global online mentoring program focused on introducing new contributors to open source software development. GSoC contributors work with mentors to complete 12+ week projects that support open source organizations. In 2023, FLARE was accepted into GSoC and had the privilege of working with four contributors.

FLARE is a team of reverse engineers and researchers who specialize in malware analysis, exploit analysis, and malware training. FLARE develops, maintains, and publishes various open-source tools to improve binary analysis.

Each of our 2023 GSoC contributors’ projects added new features to FLARE’s open source malware analysis tooling. This blog post kicks off a series of blog posts with the goal of introducing you to our contributors and their projects.

Here is an overview of the FLARE 2023 GSoC projects:

Tool: FakeNet-NG redirects and intercepts network traffic.
GSoC Project: Beleswar Prasad Padhi developed an HTML interface for FakeNet-NG that displays network indicators in an analyst-friendly way.

Tool: FLOSS extracts and deobfuscates strings from programs.
GSoC Project: Arnav Kharbanda extended FLOSS to extract language-specific strings from Go and Rust programs.

Tool: capa identifies capabilities in programs.
GSoC Project: Colton Gabertan integrated capa with Ghidra, the NSA’s open source reverse engineering tool.
GSoC Project: Yacine Elhamer extended capa to identify capabilities in dynamic sandbox traces, specifically for the CAPE sandbox.

GSoC Contributor Introductions

We asked our 2023 GSoC contributors to introduce themselves and answer a few questions related to their experiences this summer. Before they answer in their own words, we’d like to acknowledge the great work each and every one of them did. It was a pleasure collaborating, discussing, and advancing the projects. We learned a lot from this program and look forward to similar experiences in the future.

Beleswar Prasad Padhi

I am Beleswar, a final-year Computer Science undergraduate based in India. My primary field of interest is cyber security and software development. I am an open source enthusiast and firmly believe that contributing to open source software shapes the world of software. I frequently participate in Capture The Flag (CTF) competitions to take on security challenges for fun. I have been using Linux as my main system for the past three years (I use Arch). I aspire to pursue my career as a software engineer.

How did you learn about GSoC and about FLARE?

I learned about GSoC through one of my acquaintances who has been working in the software industry. After reading about GSoC and hearing about past contributors' experiences, I felt motivated to apply for the program. Since I was particularly interested in projects in the security domain, FLARE caught my attention as a pioneer in reverse engineering. I started researching FLARE projects and became excited about contributing to them, thus deciding to apply for FLARE.

What motivated you to apply to your selected project?

My project involved working with FakeNet-NG, a network analysis tool. I had significant experience with the tech stack required for my project. Then I began exploring the FakeNet-NG tool, and this motivated me to contribute code to a tool widely utilized for malware analysis purposes. I was particularly impressed by the project scope, which aimed to simplify the work of malware analysts by generating a summarized report of the network-based indicators captured during FakeNet-NG sessions.

What were some challenges that you had to overcome?

Coming up with initial solutions for issues can be sufficient, but the real challenge lies in devising optimal solutions. To achieve that, I had to delve deep into networking protocols and advanced coding concepts in Python, such as callbacks, abstraction, and mixins. Another challenge I faced was balancing academics at my university with working on the project. To tackle this, I developed a time management plan to effectively learn new concepts while maintaining my academics.

What did you learn from this experience?

This project introduced me to network programming and systems programming in depth. It taught me to receive code reviews and feedback positively and work on them diligently. I got familiarized with the project's coding practices, such as object-oriented programming, code styles, linting, etc. Additionally, I have also developed many soft skills, like communication, time management, task scheduling, and progress tracking.

What advice do you have for future GSoC contributors?

Remaining open to "learning on the fly" is vital for tackling project challenges that arise. Communication is essential. Keep your mentor updated on your progress and discuss any roadblocks you encounter. Don't hesitate to request debugging sessions; they can provide new perspectives on problem-solving. Engage in brainstorming for solutions and seek feedback to improve your work. GSoC's greatest privilege is having a dedicated, experienced mentor. Make the most out of it.

Arnav Kharbanda

Hey, I'm Arnav Kharbanda, currently a junior in Computer Science at IIT Ropar, India. I started my journey over five years ago with a keen passion for making secure systems and contributing to open source software by solving problems that benefit society. I also love playing soccer, going on long treks, and participating in CTF competitions.

How did you learn about GSoC and about FLARE?

I learned about it from my friend and classmate, Shobhit, with whom I have frequently collaborated on cybersecurity initiatives and participated in CTF competitions.

What motivated you to apply to your selected project?

The convergence of my passion for cybersecurity, active engagement in CTF competitions, and a growing excitement for delving into the world of open source technology were the main driving forces behind my decision to apply for this specific project.

What were some challenges that you had to overcome?

Initially, wrestling with my own laziness was like trying to convince a cat to take a bath. Although I had some experience with CTF competitions, I had limited knowledge about reverse engineering. As I progressed, I also faced other hurdles, like managing intricate merge conflicts and setting up Continuous Integration (CI) tests.

What did you learn from this experience?

Besides learning about coding aspects such as coding style, CI testing, Docker, and optimizing Python code, I also improved my communication skills.

What advice do you have for future GSoC contributors?

Just dive in. Get involved in what you love. Take the first step and get started.

Colton Gabertan

I'm Colton Gabertan, a senior Computer Science student at the University of Nevada Las Vegas. I became interested in reverse engineering and malware analysis during my sophomore year through CTF competitions and ended up interning with the FLARE team a year later.

How did you learn about GSoC and about FLARE?

I learned about the FLARE team through CTF competitions as well as through Mandiant's reputation in the information security industry. GSoC was a new addition after Mandiant's acquisition and was introduced to me by word-of-mouth from the FLARE team. 

What motivated you to apply to your selected project?

My motivation to apply to the project to integrate capa and Ghidra was knowing that it would enable more reverse engineers to analyze malware in an extremely efficient manner. I also wanted to learn more about capa’s design and sharpen my programming skills along the way.

What were some challenges that you had to overcome?

Some of the biggest challenges involved learning the Ghidra scripting API thoroughly enough to create a production-ready product within the allocated GSoC period as well as integrating the relatively new project, Ghidrathon, as a core aspect of its design.

What did you learn from this experience?

I obtained a much deeper understanding of the Ghidra framework and capa. In doing so, I was able to learn how to make better choices when it came to programmatically handling large amounts of binary data and processing it in a meaningful way. A new skill that was picked up from my experience is the automation of testing code and how to set up CI workflows. 

What advice do you have for future GSoC contributors?

Stay open-minded and willing to learn all about the project you have chosen. Engage with the community and your fellow contributors, and don't be afraid to ask any and all questions, especially to the mentors. As a final tip, when creating your proposed timeline for the planned deliverables, design it in a way that allows for flexibility and buffer room as unexpected events and other obligations are more than likely to affect your progress.

Yacine Elhamer

My name is Yacine Elhamer. I have a Bachelor's degree in Computer Science from USTHB Algiers, and I am currently doing a Master's in Cybersecurity at the University of Turku in Finland. I am passionate primarily about malware analysis, security research, and software development.

How did you learn about GSoC and about FLARE?

I first learned about GSoC from my older brother who participated in it years ago by means of the Pharo programming language, and also through a friend who worked on Rapid7's Metasploit project last year. As for FLARE, I have already been familiar with them from the FLARE-On annual CTF competition, as well as many of their tools which I have been actively using such as FLARE-VM.

What motivated you to apply to your selected project?

Coming into this year's GSoC application period, I was mainly looking for a cybersecurity-related project since that is the area I am most passionate about. I was also intending to prioritize projects which use Python and/or C since those are my two favorite languages to work with. Luckily enough, I found that FLARE was doing GSoC this year, and that they were offering innovative projects for their malware analysis tools.

What were some challenges that you had to overcome?

Some of the main challenges were mainly due to capa’s popularity making its code refactoring more complicated. We had to make sure not to morph the tool too much so that it would render existing capa rules and scripts useless. All while ensuring maximal use of all the new features that dynamic analysis could bring to capa.

What did you learn from this experience?

I learned several valuable skills from my summer with FLARE. Namely, technical ones such as software design, malware analysis concepts, use of several Python libraries (pytest, pydantic, etc.), and the practical experience of working in parallel with a team on a project using Git. I also improved my communication skills and organizational skills such as time management and task prioritization.

What advice do you have for future GSoC contributors?

I highly encourage contributors to utilize the community bonding period, since it is an excellent way to get to know what working with an organization and your mentors is like ahead of the project start.

Additional Contributors

The FLARE team wants to thank the additional contributors who noticed and supported our projects through GSoC. It’s been a rewarding experience collaborating with so many motivated people interested in open source and security projects. Among the dozens of contributors we would like to especially thank Aayush Goel and Deeya Singh.

Aayush provided numerous new features, code improvements, and bug fixes, landing 13 merged pull requests for capa. These included a script to highlight features which are unused during matching and adding feature support for COM classes and interfaces.

Deeya is currently working on a website that describes capa and exposes the default rule set – the related tasks are tracked on GitHub.

Conclusion

We hope that you enjoyed getting to know and learning about the experiences of our 2023 GSoC contributors. Each contributor collaborated with their FLARE mentors to write a blog post that covers their project in greater detail. Keep an eye out as we release these posts in the upcoming weeks.
