CrowdStrike conducted malware gain of function

A cybersecurity company purporting to protect its customers against malware must have a database of known malware. It is one of the company’s most important assets. When CrowdStrike was founded in 2012, it lacked a database of its own. Its main asset was Shawn Henry, hired from the position of Executive Assistant to the FBI Director. Instead of creating malware signatures or renting them from another vendor, CrowdStrike deployed a tool called CrowdRE, short for Crowd Reverse Engineering. This was a malware repository with a reverse engineering tool. Officially, it was intended for security researchers to analyze malware. However, it also allowed malware authors worldwide to benefit from public reverse engineering and borrow modules from this repository for their own malware. Anyone with a Google account was welcome to join CrowdRE.

Many legitimate security researchers contributed their malware samples, which allowed CrowdStrike to acquire many malware signatures. CrowdRE also had the effect of proliferating malware known to CrowdStrike. Despite this, CrowdStrike’s database was small compared to its competitors, leading the company to specialize in baseless attribution. Initially, CrowdStrike was likely more an aid to malware developers than a defender against them. CrowdStrike was aware that malware authors often borrow code from each other, even without the original author’s knowledge, and that their attribution model was incorrect.

See CrowdStrike Streamlines Malware Reverse Engineering With CrowdRE (SecurityWeek), the CrowdStrike blog post, the CrowdRE tutorial video (archived page), and a CrowdRE slide show, all from 2012.

First published on X.