Canada's Communications Security Establishment has open-sourced its own malware detection tool.
The Communications Security Establishment (CSE) is a signals intelligence agency roughly equivalent to the United Kingdom's GCHQ, the USA's NSA and Australia's Signals Directorate. It has both intelligence-gathering and advisory roles.
It also has a tool called “Assemblyline” which it describes as a “scalable distributed file analysis framework” that can “detect and analyse malicious files as they are received.”
The agency explains the tool with the example of a financial officer who “... receives an email from an outside sender that includes a password-protected .zip file that contains a spreadsheet and a Word document with text for an annual report.” Said officer later “forwards that email to three colleagues within the department and attaches a .jpeg image of a potential cover for the report.”
“Assemblyline will start by examining the initial email. It automatically recognizes the various file formats (email, .zip file, spreadsheet, Word document) and triggers the analysis of each file.” That analysis gives the file a score and “Scores over a certain threshold trigger alerts, at which point a security analyst may manually examine the file.”
The tool is also smart enough that it “recognizes the duplication of files and focuses on new content that may be part of the email, such as the .jpeg image.”
It's possible to customise Assemblyline with what the CSE calls “services” that perform whatever analysis you fancy.
The tool was written in Python and can run on a single PC or in a cluster. CSE claims it can process millions of files a day. “Assemblyline was built using public domain and open-source software; however the majority of the code was developed by CSE.” Nothing in it is commercial technology and the CSE says it is “easily integrated in to existing cyber defence technologies.”
The tool's been released under the MIT licence and is available here.
The organisation says it released the code because its job is to improve Canadian's security, and it's confident Assemblyline will help. The CSE's head of IT security Scott Jones has also told the Canadian Broadcasting Corporation that the release has a secondary goal of demystifying the organisation. ®