Advanced Signature Writing via FuzzyHashing

evilcry
January 13th, 2010, 04:20
Hi there,

In this period I'm working heavily on Signature Generation for big malware families; this means that there is a large amount of binaries to be checked for Static Pattern recurrences. You should understand that this work can't be done by hand on families of 400k+ samples, and hashing would not help, because Hash Algorithms respect the Avalanche Effect via its most famous generalization, the SAC (Strict Avalanche Criterion); this property is satisfied if, whenever a single input bit is complemented, each of the output bits changes with a probability of one half.

In other words, even a minimal change will deeply change the hash result and we can't get back to similarities, so we need a technology that does not respect the SAC; also in this case, wonderful cryptography helps us.

We have CTPH, which means Context Triggered Piecewise Hashes, also called Fuzzy Hashes; this will help us to match inputs that have homologies, such as sequences of identical bytes in the same order.

Here is an interesting paper about CTPH: "Identifying almost identical files using context triggered piecewise hashing"

http://dfrws.org/2006/proceedings/12-Kornblum.pdf

and here is an open source implementation of fuzzy hashing called DeepToad

Regards,
Giuseppe 'Evilcry' Bonfa
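A small worked illustration of the CTPH idea described in the post above, added here as an example (it is not the author's code, nor DeepToad's or ssdeep's): the rolling-hash function, the block size, the base64 alphabet and the sample "binaries" are constructed assumptions, chosen only to show why a SAC-respecting hash loses similarity while a piecewise hash keeps it.

```python
import difflib
import hashlib
import random

BASE64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # bytes covered by the rolling hash (the "context")
BLOCK_SIZE = 64   # trigger modulus: on average one chunk boundary per 64 bytes


def rolling_hash(window: bytes) -> int:
    # Simplified rolling hash: position-weighted byte sum (an assumption, not ssdeep's).
    return sum((i + 1) * b for i, b in enumerate(window)) & 0xFFFFFFFF


def ctph(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Context triggered piecewise hash: the rolling hash over the last WINDOW
    bytes decides where a chunk ends (context trigger); FNV-1a hashes each
    chunk (piecewise); one base64 character per chunk forms the signature."""
    sig, h = [], 0x811C9DC5                 # FNV-1a 32-bit offset basis
    for i, b in enumerate(data):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
        window = data[max(0, i - WINDOW + 1):i + 1]
        if rolling_hash(window) % block_size == block_size - 1:
            sig.append(BASE64[h & 0x3F])    # emit chunk, reset piecewise hash
            h = 0x811C9DC5
    sig.append(BASE64[h & 0x3F])            # tail chunk after the last trigger
    return "".join(sig)


def similarity(sig_a: str, sig_b: str) -> int:
    # 0..100 score from an edit-distance style ratio over the two signatures.
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b).ratio())


# Constructed sample "binaries": a pseudo-random blob, a copy with one byte
# patched in the middle, and an unrelated blob of the same size.
_rng = random.Random(1234)
SAMPLE = bytes(_rng.randrange(256) for _ in range(4096))
PATCHED = SAMPLE[:2000] + bytes([SAMPLE[2000] ^ 0xFF]) + SAMPLE[2001:]
UNRELATED = bytes(_rng.randrange(256) for _ in range(4096))


def compare(a: bytes, b: bytes) -> dict:
    """Contrast SHA-256 (SAC: any change gives an unrelated digest) with the
    fuzzy score, which survives a small edit."""
    return {
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "fuzzy_score": similarity(ctph(a), ctph(b)),
    }


if __name__ == "__main__":
    print("patched  :", compare(SAMPLE, PATCHED))
    print("unrelated:", compare(SAMPLE, UNRELATED))
```

The patched copy shares almost all of its chunk characters with the original, so the fuzzy score stays high even though the SHA-256 digests no longer match.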

cEnginEEr
January 14th, 2010, 02:06
Hmmm, sounds nice; let us know about the results.

I don't know about other AV engines, but the method KAV uses for malware detection is like this:

Code:
```
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Check_Sum: the engine's checksum routine over a byte range (external here) */
uint32_t Check_Sum(const uint8_t *p, size_t len);

/* Ofs is a static point in malware body; XXXX is the 2-byte value expected there */
int is_malware(const uint8_t *Malware, size_t size,
               size_t cs1Ofs, const uint8_t XXXX[2], size_t cs1Len, uint32_t cs1,
               size_t cs2Ofs, size_t cs2Len, uint32_t cs2)
{
    /* bounds check so a short file can never be read out of range */
    if (cs1Ofs + 2 > size || cs1Ofs + cs1Len > size || cs2Ofs + cs2Len > size)
        return 0;

    /* first check: 2 bytes at a static offset */
    if (memcmp(&Malware[cs1Ofs], XXXX, 2) == 0) {

        /* second check */
        if (Check_Sum(&Malware[cs1Ofs], cs1Len) == cs1) {

            /* third check */
            if (Check_Sum(&Malware[cs2Ofs], cs2Len) == cs2) {
                return 1; /* malware found */
            }
        }
    }
    return 0;
}
```

Sometimes, in the case of more complicated malware, it calls a special stub to do more checking stuff.

BTW, I'm curious to know what malware family you're working on; is it TDSS?

evilcry
January 14th, 2010, 02:59
Thanks

Other AVs in this phase work in the same way: you have two Patterns that have to match.

The family is a big one, the Koobface infector; I'll publish some stats if the NDA allows me.