A Static, Packer-Agnostic Filter to Detect Similar Malware Samples

Jacob, Grégoire; Comparetti, Paolo Milani; Neugschwandtner, Matthias; Kruegel, Christopher; Vigna, Giovanni

doi:10.1007/978-3-642-37300-8_6

Cited by 47 publications

(41 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Clustering and classification of the results of static analysis of files has been previously proposed for prefiltering for in-depth file analysis [18], [26], [34]. Our work differs in that we classify telemetry reports for files with analyzed on remote computers.…”

Section: Related Workmentioning

confidence: 97%

“…Recently, several systems have been proposed for prefiltering (i.e. ranking) samples for in-depth analysis [18], [26], [34], but these systems require a sample of the file for classification and clustering on the results of static analysis. In our system, the AM client can perform both static and dynamic analysis of the file on the remote computer, and we use this telemetry information for prefiltering.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Scalable Telemetry Classification for Automated Malware Detection

Stokes

Platt

Wang

et al. 2012

Computer Security – ESORICS 2012

View full text Add to dashboard Cite

Abstract. Industry reports and blogs have estimated the amount of malware based on known malicious files. This paper extends this analysis to the amount of unknown malware. The study is based on 26.7 million files referenced in telemetry reports from 50 million computers running commercial anti-malware (AM) products. To estimate the undetected malware, a classifier predicts the underlying nature of unknown files recorded in the telemetry reports. The telemetry classifier predicts that 69.6% (4.27 million) of the unknown files are malicious. Assuming the unknown files predicted to be malicious by the classifier are malware, the telemetry classifier also allows us to estimate the efficacy of the AM system indicating that signatures detected 82.8% (20.6 million) of the malicious files. We have validated our system by conducting a longitudinal study to measure the false positive and false negative rates over a period of thirteen months.

show abstract

Section: Related Workmentioning

confidence: 97%

Section: Introductionmentioning

confidence: 99%

Scalable Telemetry Classification for Automated Malware Detection

Stokes

Platt

Wang

et al. 2012

Computer Security – ESORICS 2012

View full text Add to dashboard Cite

show abstract

“…We use a pragmatic approach to deal with packing: We let the executable unpack, de-obfuscate and run for at least 15 minutes and work on the memory snapshot. Defeating packing is not the focus of our work, and any of the more advanced unpacking techniques in the literature [15,25,34] can be used to augment our prototype.…”

Section: Limitations and Future Workmentioning

confidence: 99%

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Polino

Scorti

Maggi

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

When analyzing an untrusted binary, reverse engineers usually rely on ad-hoc collections of interesting dynamic patterns-known as behaviors in the malware-analysis community-and static patterns-known as signatures in the antivirus community. Such patterns are often part of the skill set of the analyst, sometimes implemented in manually-created post-processing scripts. It would be desirable to be able to automatically find such behaviors, present them to analysts, and create a systematic catalog of matching rules and relevant implementations. We propose JACKDAW, a system that finds interesting dynamic patterns, and ranks them to unveil potentially interesting behaviors. Then, it annotates them with static information, capturing the distinct implementations of each across different malware families. Finally, JACKDAW associates semantic information to the behaviors, so as to create a descriptive summary that helps the analysts in querying the catalog of behaviors by type. To do this, it leverages the dynamic information and an indexed Web-based knowledge databases. We implement and demonstrate JACKDAW on the Win32 API (even if the technique can be generalized to any OS). On a dataset of 2,136 distinct binaries, including both malicious and benign libraries and executables, we compared the behaviors extracted automatically against a ground truth of 44 behaviors created manually by expert analysts. JACKDAW found 77.3% of them and was able to exclude spurious behaviors in 99.6% cases. We also discovered 466 novel behaviors, among which manual exploration and review by expert reverse engineers revealed interesting findings and confirmed the correctness of the semantic tagging.

show abstract

“…An example is the method by Jacob et al [11] that, similar to Kandi, exploits statistical artifacts preserved through packing in order to analyze malware. The method does not focus on deobfuscation but rather efficiently comparing malware binaries and determining variants of the same family without dynamic analysis.…”

Section: Related Workmentioning

confidence: 99%

Deobfuscating Embedded Malware Using Probable-Plaintext Attacks

Wressnegger

Boldewin²,

Rieck

2013

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Malware embedded in documents is regularly used as part of targeted attacks. To hinder a detection by anti-virus scanners, the embedded code is usually obfuscated, often with simple Vigenère ciphers based on XOR, ADD and additional ROL instructions. While for short keys these ciphers can be easily cracked, breaking obfuscations with longer keys requires manually reverse engineering the code or dynamically analyzing the documents in a sandbox. In this paper, we present Kandi, a method capable of efficiently decrypting embedded malware obfuscated using Vigenère ciphers. To this end, our method performs a probable-plaintext attack from classic cryptography using strings likely contained in malware binaries, such as header signatures, library names and code fragments. We demonstrate the efficacy of this approach in different experiments. In a controlled setting, Kandi breaks obfuscations using XOR, ADD and ROL instructions with keys up to 13 bytes in less than a second per file. On a collection of real-world malware in Word, Powerpoint and RTF files, Kandi is able to expose obfuscated malware from every fourth document without involved parsing.

show abstract

A Static, Packer-Agnostic Filter to Detect Similar Malware Samples

Cited by 47 publications

References 15 publications

Scalable Telemetry Classification for Automated Malware Detection

Scalable Telemetry Classification for Automated Malware Detection

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Deobfuscating Embedded Malware Using Probable-Plaintext Attacks

Contact Info

Product

Resources

About