Dailydave mailing list archives
Re: OffensiveComputing
From: Dave Aitel <dave () immunitysec com>
Date: Sat, 10 Dec 2005 10:07:30 -0500
Looks great. I've always wondered at the use of md5 for file determination of malware. Seems like it's time for something a bit more of a curved function than that. You want to determine not only file identity, but file closeness. Personally I'd probably unpack them, then design a vector of <EXPORTS><IMPORTS><STRING CONSTANTS><Graph of Program simplified and flattened> and then I'd just do vector differences from each other. Another option is to run them in a sandbox, and just record their use of API's as a vector.
You can probably devolve each API call into a tuple and use that as a direction in an N-dimensional space and do some simple pattern matching as your HIDS as well. That way your HIDS would not only recognize one trojan, but all programs that were similar to the trojans you've "signatured".
Just some ideas. It's great to see a public collection of this stuff finally, because research is very hard to do without it.
-dave

val smith wrote:
Hi there, I know some of the people on this list and I've lurked here for a long time, so I thought there might be some interest in a project I've been working on for a little while. http://www.offensivecomputing.net
I've got some malware collection stuff to help add to the database and I have a small collection built up over the years that I am slowly adding. I've started it off with some copies of common stuff like Welchia, Sobig, the Sony DRM thing, etc. and some minimal analysis stuff. I'm open to any suggestions/contributions or even "this isn't a good idea because . . ." Thanks! V.
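The feature-vector idea Dave sketches above, worked through as an added example that is not from the original thread: three made-up samples with constructed import, string-constant and sandbox API-trace features are flattened into sparse count vectors and compared by cosine similarity, so a variant that defeats an exact md5 match still lands next to its relative while an unrelated binary does not.

```python
import hashlib
import math
from collections import Counter

# Constructed feature extractions standing in for what you would pull from an
# unpacked binary (imports, strings) and a sandbox run (API trace); all made up.
SAMPLES = {
    "worm_a": {
        "imports": ["WSAStartup", "connect", "send", "CreateThread"],
        "strings": ["tftp -i", "GET /", "cmd.exe"],
        "api": ["RegSetValueEx", "connect", "send"],
    },
    # Same code family with one extra import and string: any byte change
    # gives a different md5, but the feature vector barely moves.
    "worm_a_variant": {
        "imports": ["WSAStartup", "connect", "send", "CreateThread", "CreateMutex"],
        "strings": ["tftp -i", "GET /", "cmd.exe", "v2"],
        "api": ["RegSetValueEx", "connect", "send"],
    },
    "benign_editor": {
        "imports": ["CreateFileW", "ReadFile", "WriteFile", "CreateThread"],
        "strings": ["Untitled", "File", "Edit"],
        "api": ["CreateFileW", "ReadFile"],
    },
}

def md5_hex(data: bytes) -> str:
    # Exact identity only: one flipped byte and the match is gone.
    return hashlib.md5(data).hexdigest()

def feature_vector(sample: dict) -> Counter:
    # Flatten the per-kind lists into one sparse count vector; the kind prefix
    # keeps an imported 'connect' distinct from a traced 'connect' call.
    vec = Counter()
    for kind in ("imports", "strings", "api"):
        for value in sample[kind]:
            vec[f"{kind}:{value}"] += 1
    return vec

def cosine(a: Counter, b: Counter) -> float:
    # Cosine similarity: 1.0 same direction, 0.0 nothing in common.
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def nearest_known(sample: dict, known: dict, threshold: float = 0.8):
    # Nearest-neighbour lookup against a non-empty set of "signatured" samples:
    # (name, score) of the closest one at or above threshold, else None.
    vec = feature_vector(sample)
    scored = [(name, cosine(vec, feature_vector(s))) for name, s in known.items()]
    name, score = max(scored, key=lambda t: t[1])
    return (name, score) if score >= threshold else None
```

With the two worm samples the similarity comes out near 0.91 and the editor near 0.11, so a threshold of 0.8 catches the variant without touching the benign binary; tuning that threshold against a corpus like the one announced above is the part the md5 approach never needed.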