Dailydave mailing list archives

Re: OffensiveComputing


From: val smith <mvalsmith () gmail com>
Date: Sat, 10 Dec 2005 11:35:56 -0700

Cool ideas, I really like the sandbox idea since I end up doing stuff like
that during analysis anyway. My hope is that the security community will
bring active analysis participation to the site so eventually the
information in each entry grows and the identification methods get more
accurate.

On a side note, apparently CERT has already issued a complaint to my ISP to
have me taken down. I'll have to look into that one.

V.



On 12/10/05, Dave Aitel <dave () immunitysec com> wrote:

Looks great. I've always wondered at the use of md5 for file
determination of malware. Seems like it's time for something a bit more
of a curved function than that. You want to determine not only file
identity, but file closeness. Personally I'd probably unpack them, then
design a vector of <EXPORTS><IMPORTS><STRING CONSTANTS><Graph of Program
simplified and flattened> and then I'd just do vector differences from
each other. Another option is to run them in a sandbox, and just record
their use of APIs as a vector.

You can probably devolve each API call into a tuple and use that as a
direction in an N-dimensional space and do some simple pattern matching
as your HIDS as well. That way your HIDS would not only recognize one
trojan, but all programs that were similar to the trojans you've
"signatured".

Just some ideas. It's great to see a public collection of this stuff
finally, because research is very hard to do without it.

-dave
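The "file closeness" idea from the quoted message, as an added example that is not part of the original thread: each sample becomes a vector of imports, exports, string constants and sandbox API-call counts, and a weighted distance ranks samples by similarity where an md5 lookup would only ever find an exact copy. The sample descriptors, the weights and the 0.7 threshold are all constructed assumptions for the demonstration.

```python
import math
from collections import Counter
# Constructed descriptors (hypothetical, not from real binaries): unpacked-file
# features plus a sandbox API trace, the vector components the post lists.
SAMPLES = {
    "trojan_a": {
        "imports": {"CreateRemoteThread", "WriteProcessMemory", "InternetOpenA", "RegSetValueExA"},
        "exports": set(),
        "strings": {"/gate.php", "CurrentVersion\\Run"},
        "api_trace": ["RegSetValueExA", "InternetOpenA", "InternetOpenA", "CreateRemoteThread"],
    },
    "trojan_a_repacked": {  # same family, rebuilt: one extra import and one extra string
        "imports": {"CreateRemoteThread", "WriteProcessMemory", "InternetOpenA", "RegSetValueExA", "VirtualAlloc"},
        "exports": set(),
        "strings": {"/gate.php", "CurrentVersion\\Run", "packed"},
        "api_trace": ["VirtualAlloc", "RegSetValueExA", "InternetOpenA", "InternetOpenA", "CreateRemoteThread"],
    },
    "editor_like": {  # unrelated program, for contrast
        "imports": {"CreateFileW", "WriteFile", "GetOpenFileNameW"},
        "exports": set(),
        "strings": {"*.txt", "Untitled"},
        "api_trace": ["GetOpenFileNameW", "CreateFileW", "WriteFile"],
    },
}
WEIGHTS = {"imports": 0.3, "exports": 0.1, "strings": 0.3, "api_trace": 0.3}  # assumed weights

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets (e.g. no exports) count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)

def cosine(ca, cb):
    """Cosine similarity of two API-call count vectors (Counter objects)."""
    dot = sum(ca[k] * cb[k] for k in ca.keys() & cb.keys())
    na, nb = (math.sqrt(sum(v * v for v in c.values())) for c in (ca, cb))
    if na == 0 or nb == 0:
        return 1.0 if na == nb else 0.0
    return dot / (na * nb)

def similarity(x, y):
    """Weighted closeness in [0, 1]: Jaccard on the sets, cosine on the call counts."""
    parts = {f: jaccard(x[f], y[f]) for f in ("imports", "exports", "strings")}
    parts["api_trace"] = cosine(Counter(x["api_trace"]), Counter(y["api_trace"]))
    return sum(WEIGHTS[f] * v for f, v in parts.items())

def closest(name, threshold=0.7):
    """Other samples at least `threshold` close to `name`, best first; an md5
    lookup would return nothing here, since every rebuild changes the hash."""
    scored = sorted(((similarity(SAMPLES[name], s), n) for n, s in SAMPLES.items() if n != name), reverse=True)
    return [n for score, n in scored if score >= threshold]
```

The repacked variant scores about 0.82 against the original while the unrelated program scores 0.1, so a threshold sweep over a corpus groups a family together without any two members sharing a hash.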
