evilcry

Advanced Signature Writing via FuzzyHashing

Hi there,

At the moment I'm working hard on signature generation for big malware families. This means there is a large amount of binaries to be checked for recurring static patterns; as you can imagine, this work can't be done by hand on families of 400+k samples, and ordinary hashing won't help, because cryptographic hash algorithms respect the Avalanche Effect, in its most famous generalization the SAC (Strict Avalanche Criterion): the property is satisfied if, whenever a single input bit is complemented, each of the output bits changes with a probability of one half.

In other words, even the smallest change completely changes the hash result and we can't get back to the similarities, so we need a technique that does not respect the SAC; also in this case the wonderful world of cryptography helps us.

We have CTPH, which means Context Triggered Piecewise Hashes, also called Fuzzy Hashes; this will help us match inputs that have homologies, like sequences of identical bytes in the same order.
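To make the idea concrete, here is a small CTPH implementation I've added for illustration (it is not DeepToad's or ssdeep's code): a context hash over the last few bytes decides where a piece ends, each piece is reduced to one symbol, and two signatures are compared by sequence similarity, so one flipped byte in a sample only disturbs the pieces around it. The rolling hash, the fixed block size and the output format are simplifications chosen for this example.

```python
"""Simplified CTPH in the spirit of Kornblum's paper; constructed illustration."""
import hashlib
import random
from difflib import SequenceMatcher

WINDOW = 7    # bytes covered by the context (rolling) hash
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def _window_hash(window: bytes) -> int:
    # Depends only on the last WINDOW bytes, so an edit moves boundaries
    # near it and nowhere else (no avalanche across the whole file).
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h

def fuzzy_hash(data: bytes, block_size: int = 16) -> str:
    """'block_size:pieces', one base64-style symbol per piece."""
    pieces, piece, window = [], bytearray(), bytearray()
    for b in data:
        piece.append(b)
        window.append(b)
        del window[:-WINDOW]                 # keep the last WINDOW bytes
        # Context trigger: cut a piece roughly every block_size bytes.
        if _window_hash(bytes(window)) % block_size == block_size - 1:
            pieces.append(ALPHABET[hashlib.sha1(piece).digest()[0] % 64])
            piece = bytearray()
    if piece:                                 # trailing piece, no trigger
        pieces.append(ALPHABET[hashlib.sha1(piece).digest()[0] % 64])
    return f"{block_size}:{''.join(pieces)}"

def compare(sig_a: str, sig_b: str) -> int:
    """Similarity 0..100; different block sizes are treated as not comparable."""
    bs_a, pieces_a = sig_a.split(":", 1)
    bs_b, pieces_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    ratio = SequenceMatcher(None, pieces_a, pieces_b, autojunk=False).ratio()
    return int(round(ratio * 100))

def demo() -> tuple:
    rng = random.Random(1)                    # constructed sample "binaries"
    sample = bytes(rng.randrange(256) for _ in range(2000))
    patched = bytearray(sample)
    patched[1000] ^= 0xFF                     # flip one byte in the middle
    unrelated = bytes(rng.randrange(256) for _ in range(2000))
    return (compare(fuzzy_hash(sample), fuzzy_hash(bytes(patched))),
            compare(fuzzy_hash(sample), fuzzy_hash(unrelated)))
```

demo() returns a high score for the patched sample and a low one for the unrelated bytes, which is exactly what a SHA-style hash cannot give you.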

Here is an interesting paper about CTPH, "Identifying almost identical files using context triggered piecewise hashing":

http://dfrws.org/2006/proceedings/12-Kornblum.pdf

and here is an open source implementation of fuzzy hashing called DeepToad:

http://code.google.com/p/deeptoad/

Regards,
Giuseppe 'Evilcry' Bonfa
