Last Updated: 2007-08-09 20:41:46 UTC
by Jim Clausing (Version: 3)
No, I don't have a witty title in a dead language, but as many of you are aware, I'm constantly on the lookout for useful tools, so I was intrigued when I came across an announcement yesterday that Mandiant had released a free tool aimed at incident handlers, called Red Curtain. The purpose of the tool is to highlight which files may be suspicious and require a closer look by investigators. The tool scores files based on some interesting characteristics including entropy (how random the file is, which may be an indication of encryption), indications of packing, specific signatures of compilers and packers, digital signatures, etc. It certainly isn't foolproof, but is aimed at narrowing the investigator's initial job and would correctly flag anything written by Tom "if Latin isn't your thing, next time I'll try Sanskrit (shouldn't that be the official language of SANS anyway)" Liston. It sounds like a decent idea. Has anyone out there tried it, yet? If so, let us know what you think.
Update: As several readers have pointed out. The MD5 and SHA1 hashes of the zip file don't match what is on the Mandiant page, but the MD5 and SHA1 of the .exe inside the zip does match. I've notified Mandiant, but not gotten a response yet.
Update 2: The Mandiant folks have responded that the software got repackaged messing up the MD5 and SHA1 of the zip file, the page will be corrected shortly