File-fraction reputation based on digest of high granularity

Ethan YX Chen Trend Micro

How to decide whether a file is benign or malicious has been a critical problem for the anti-malware industry for a long time. One recently popular approach is to build a large database to store the characteristics (e.g. download source, prevalence or age) and/or file analysis results related to file instances for later use. This kind of approach is categorized as reputation-based technology.

Reputation-based technology applies a statistics-based method to the characteristics to determine the reputation of a file. The characteristics being used (e.g. prevalence, URL) are usually different from content-based technology (e.g. a malware definition composed of sequences of bytes).

In this paper we propose a solution to combine the reputation-based and content-based solutions. It provides a different perspective on the efforts to fight against today's highly polymorphic, micro-distribution malware. The basic idea is to factorize the content into 'fractions' by a rolling hash, and then build the reputation information of those fractions. The content to be factorized can either be from raw files or memory dumps; for memory dumps it helps to detect packed malware and also benefits memory forensics. Malware files of the same family often share at least several identical fractions, especially fractions from the memory dump. Some fractions can also be identified to be part of some tool, whether benign/neutral (e.g. AutoIT), aggressive (e.g. remote control tool) or malicious (malware toolkits).

Several possible applications of file-fraction reputation will also be discussed.

 del.icio.us  digg this! digg this

Quick Links

Poll
Should software vendors extend support for their products on Windows XP beyond the end-of-life of the operating system?
Yes - it keeps their users secure
No - it encourages users to continue to use a less secure OS
I don't know
Leave a comment
View 23 comments

Jobs Recruit Sidebar

VB2014
VB2014 VB2014 will take place 24 - 26 September 2014 at the Westin Seattle hotel, Seattle, WA, USA.

Virus Bulletin currently has 231,303 registered users.