
Microsoft’s RIFT: Open-Source Tool for Rust Malware Analysis

Summary

Microsoft released RIFT, a tool to help analysts detect malicious code in Rust binaries, which are harder to analyze due to Rust’s complexity and memory safety features.
– Rust binaries are larger and contain more functions than equivalent C++ programs, making it difficult to distinguish between library code and malicious logic.
– RIFT consists of three components: a Static Analyzer (IDA Pro plugin), a Generator (Python script), and a Diff Applier (IDA Pro plugin), which work together to simplify malware analysis.
– The tool uses FLIRT signatures for fast, accurate library code matching and binary diffing for detecting modified functions, though diffing is slower and more resource-intensive.
– Microsoft tested RIFT on real-world malware like RALord ransomware and SPICA backdoor, successfully identifying library code and isolating malicious logic for analysis.

Microsoft has released a new open-source tool called RIFT, designed to help security professionals analyze malware written in Rust. The language's growing popularity among developers for its performance and safety features has made it equally attractive to cybercriminals. RIFT tackles the particular challenges posed by Rust-based threats through static analysis techniques.

Security teams face significant hurdles when examining Rust malware because of how the language compiles code. Unlike typical C++ binaries, Rust executables link all of their dependencies into the file itself, producing large binaries packed with thousands of functions. Microsoft illustrated the difference by comparing two functionally equivalent programs: the C++ version produced a 20KB file with under 100 functions, while the Rust version grew to 3MB containing nearly 10,000 functions.

RIFT consists of three components that form a pipeline. First, a static analyzer plugin for IDA Pro extracts metadata such as the compiler version and the dependencies the binary was built with, storing this information in JSON format. Next, a Python-based generator fetches the matching compiler toolchain and libraries, builds FLIRT signatures from them, and performs binary diffing against the sample. Finally, a second IDA plugin applies these results directly within the disassembler, allowing investigators to quickly distinguish library code from the malware author's own logic.
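The first step above, recovering the compiler version and crate dependencies from a Rust binary, can be illustrated with the example below. It is an added example and not RIFT's own code; it relies on the fact that Rust binaries embed the `rustc version ...` string, standard-library source paths of the form `/rustc/<commit>/library/...`, and cargo registry paths that carry each crate's name and version. The sample bytes are constructed, and the commit hash is a placeholder.

```python
import json
import re

# Printable ASCII runs of 6+ bytes, the same heuristic as the `strings` tool.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Crate source paths that cargo bakes into panic/debug locations, e.g.
# .../.cargo/registry/src/index.crates.io-<hash>/serde-1.0.197/src/ser.rs
CRATE_RE = re.compile(
    r"(?:index\.crates\.io|github\.com)-[0-9a-f]+[/\\]"
    r"([A-Za-z0-9_\-]+?)-(\d+\.\d+\.\d+(?:[-+][A-Za-z0-9.\-]+)?)[/\\]"
)
# rustc records its version (ELF .comment section); its full commit also
# appears in standard-library source paths such as /rustc/<sha>/library/...
RUSTC_RE = re.compile(
    r"rustc version (\d+\.\d+\.\d+(?:-[A-Za-z0-9.]+)?) "
    r"\(([0-9a-f]{7,40}) (\d{4}-\d{2}-\d{2})\)"
)
STD_RE = re.compile(r"[/\\]rustc[/\\]([0-9a-f]{40})[/\\]library[/\\]")

def extract_metadata(blob: bytes) -> dict:
    """Return compiler and dependency metadata recovered from raw binary bytes."""
    compiler, deps = {}, {}
    for raw in STRING_RE.findall(blob):
        s = raw.decode("ascii")
        for name, version in CRATE_RE.findall(s):
            deps.setdefault(name, set()).add(version)  # one crate may appear twice
        if m := RUSTC_RE.search(s):
            compiler.update(version=m.group(1), commit=m.group(2), date=m.group(3))
        if m := STD_RE.search(s):
            compiler.setdefault("commit_full", m.group(1))
    return {"compiler": compiler,
            "dependencies": {n: sorted(v) for n, v in sorted(deps.items())}}

# Constructed sample: strings as they would sit in a Rust binary (not a real
# file); the commit hash is a placeholder, not a real rustc commit.
FULL_COMMIT = "0123456ab" + "c" * 31
SAMPLE = b"\x00".join([
    b"rustc version 1.78.0 (0123456ab 2024-04-29)",
    b"/rustc/" + FULL_COMMIT.encode() + b"/library/core/src/fmt/mod.rs",
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.197/src/ser/mod.rs",
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\windows-sys-0.52.0\\src\\lib.rs",
    b"/root/.cargo/registry/src/github.com-1ecc6299db9ec823/serde-1.0.152/src/lib.rs",
    b"\x7f\x01binary noise\x90\x90",
])

if __name__ == "__main__":
    print(json.dumps(extract_metadata(SAMPLE), indent=2))
```

The resulting JSON is what a generator step would consume to fetch the exact toolchain and crate versions needed to build signatures.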

Two matching approaches power RIFT's detection. FLIRT signatures identify unmodified library functions quickly and with high accuracy, while binary diffing handles functions whose code has been slightly altered, for example by different compiler settings or inlining. The system applies the faster FLIRT pass first and then runs the more thorough diffing process, which can take hours but catches what the initial pass misses. Analysts then review the automatically labeled results inside IDA Pro.

Microsoft’s security team validated RIFT’s effectiveness against real-world threats including the RALord ransomware and SPICA backdoor. In both cases, the tool successfully identified compiler details, generated appropriate signatures, and accurately flagged malicious portions of code while filtering out library functions. This dramatically reduced the manual effort required for analysis.

Available on GitHub as a free resource, RIFT is a notable advance in malware analysis tooling built specifically for the Rust ecosystem. Security professionals can now investigate threats written in this increasingly prevalent language more efficiently. The tool's modular design and integration with an industry-standard disassembler make it practical for immediate adoption in security operations.

(Source: HELPNETSECURITY)
