Dailydave mailing list archives
Re: OffensiveComputing
From: val smith <mvalsmith () gmail com>
Date: Sat, 10 Dec 2005 11:35:56 -0700
Cool ideas, I really like the sandbox idea since I end up doing stuff like that during analysis anyway. My hope is that the security community will bring active analysis participation to the site so eventually the information in each entry grows and the identification methods get more accurate.

On a side note, apparently CERT has already issued a complaint to my ISP to have me taken down. I'll have to look into that one.

V.

On 12/10/05, Dave Aitel <dave () immunitysec com> wrote:

Looks great. I've always wondered at the use of md5 for file determination of malware. Seems like it's time for something a bit more of a curved function than that. You want to determine not only file identity, but file closeness. Personally I'd probably unpack them, then design a vector of <EXPORTS><IMPORTS><STRING CONSTANTS><Graph of Program simplified and flattened> and then I'd just do vector differences from each other.

Another option is to run them in a sandbox, and just record their use of APIs as a vector. You can probably devolve each API call into a tuple and use that as a direction in an N-dimensional space and do some simple pattern matching as your HIDS as well. That way your HIDS would not only recognize one trojan, but all programs that were similar to the trojans you've "signatured".

Just some ideas. It's great to see a public collection of this stuff finally, because research is very hard to do without it.

-dave
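The similarity scheme sketched in the quoted message, worked through as an added example (not code from the OffensiveComputing site, from val smith or from Dave Aitel): each sample is turned into a sparse vector whose dimensions are its imports, exports, string constants, flattened control-flow edges and sandbox API calls devolved into (api, argument-class) tuples; cosine similarity between vectors then measures "closeness", which MD5 cannot. All three samples below (a downloader trojan, a lightly modified variant, and a benign editor) are constructed for illustration; their import lists, strings, API traces and "raw" bytes are not taken from any real binary.

```python
"""Malware feature vectors and similarity-based matching.

Added example for the thread above. Sample data is constructed; the feature
scheme follows the <EXPORTS><IMPORTS><STRINGS><flattened graph> vector and the
sandbox API-call tuples described in the quoted message.
"""
import hashlib
import math
from collections import Counter


def featurize(sample: dict) -> Counter:
    """Sparse vector: one dimension per static or dynamic feature.

    Each API call from the sandbox trace is devolved into an (api, arg-class)
    tuple so that e.g. RegSetValueExA on a Run key is its own direction in the
    N-dimensional space, distinct from RegSetValueExA on anything else.
    """
    vec = Counter()
    for name in sample.get("exports", []):
        vec["exp:" + name] += 1
    for name in sample.get("imports", []):
        vec["imp:" + name] += 1
    for s in sample.get("strings", []):
        vec["str:" + s] += 1
    for src, dst in sample.get("cfg_edges", []):        # flattened program graph
        vec[f"cfg:{src}->{dst}"] += 1
    for api, arg_class in sample.get("api_trace", []):  # sandbox observations
        vec[f"api:{api}|{arg_class}"] += 1
    return vec


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two sparse vectors (1.0 = same direction, 0.0 = disjoint)."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def distinct_md5s(samples) -> int:
    """MD5 gives identity only: every byte-level variant is a 'new' file."""
    return len({hashlib.md5(s["raw"]).hexdigest() for s in samples})


class SimilarityHIDS:
    """Toy HIDS: fire when a sample lies close to any 'signatured' family vector,
    so unseen variants of a known trojan still match."""

    def __init__(self, threshold: float = 0.6):
        self.threshold = threshold   # assumption: tuned per corpus in practice
        self.signatures = {}

    def signature(self, family: str, sample: dict) -> None:
        self.signatures[family] = featurize(sample)

    def classify(self, sample: dict):
        vec = featurize(sample)
        score, family = max(((cosine(vec, sig), fam) for fam, sig in self.signatures.items()),
                            default=(0.0, None))
        score = round(score, 3)
        return (family, score) if score >= self.threshold else (None, score)


# Constructed samples (hypothetical; not real malware features).
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
TROJAN_A = {
    "raw": b"constructed-trojan-a",
    "imports": ["URLDownloadToFileA", "WinExec", "RegSetValueExA", "InternetOpenA"],
    "strings": ["http://c2.example.invalid/bot", RUN_KEY],
    "cfg_edges": [("entry", "download"), ("download", "persist"), ("persist", "execute")],
    "api_trace": [("InternetOpenA", "agent"), ("URLDownloadToFileA", "http"),
                  ("RegSetValueExA", "HKCU\\Run"), ("WinExec", "%TEMP%")],
}
VARIANT_B = {  # same family: new C2 string, an added Sleep loop, otherwise identical
    "raw": b"constructed-trojan-b",
    "imports": TROJAN_A["imports"] + ["Sleep"],
    "strings": ["http://update.example.invalid/bot", RUN_KEY],
    "cfg_edges": TROJAN_A["cfg_edges"] + [("entry", "sleep")],
    "api_trace": TROJAN_A["api_trace"] + [("Sleep", "ms")],
}
BENIGN = {
    "raw": b"constructed-editor",
    "imports": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "MessageBoxW"],
    "strings": ["Untitled.txt", "File saved"],
    "cfg_edges": [("entry", "open"), ("open", "edit"), ("edit", "save")],
    "api_trace": [("CreateFileW", "%USERPROFILE%"), ("ReadFile", "handle"),
                  ("WriteFile", "handle"), ("CloseHandle", "handle")],
}

if __name__ == "__main__":
    print("distinct md5s:", distinct_md5s([TROJAN_A, VARIANT_B, BENIGN]))  # 3
    print("A~B:", round(cosine(featurize(TROJAN_A), featurize(VARIANT_B)), 3))
    print("A~benign:", cosine(featurize(TROJAN_A), featurize(BENIGN)))
    hids = SimilarityHIDS()
    hids.signature("downloader", TROJAN_A)
    print(hids.classify(VARIANT_B), hids.classify(BENIGN))
```

With these inputs MD5 sees three unrelated files, while the vector view puts the variant within about 0.83 cosine of the original and the benign editor at 0.0, so a single "signatured" family vector catches the variant. In a real corpus you would hash features into a fixed number of buckets (feature hashing) instead of keeping string keys, weight rare features higher than ubiquitous ones such as kernel32 imports, and unpack samples before extracting static features, as the message notes; a packer otherwise collapses the import and string dimensions to almost nothing.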
Current thread:
- OffensiveComputing val smith (Dec 09)
- Re: OffensiveComputing Dan Moniz (Dec 09)
- Re: OffensiveComputing Dave Aitel (Dec 10)
- Re: OffensiveComputing val smith (Dec 10)
- Re: OffensiveComputing Thorsten Holz (Dec 11)
- Exploit development weirdness RaMatkal (Dec 27)
- Re: Exploit development weirdness Dave Aitel (Dec 27)
- Message not available
- Fwd: OffensiveComputing val smith (Dec 10)
- Message not available
- Re: OffensiveComputing val smith (Dec 10)
- <Possible follow-ups>
- Re: OffensiveComputing Jeffrey Denton (Dec 10)
- Re: OffensiveComputing val smith (Dec 10)
- Message not available
- Re: OffensiveComputing val smith (Dec 10)
- Re: OffensiveComputing val smith (Dec 10)