Entries by 'David French'

Writing Effective YARA Signatures to Identify Malware

CERT , Malware 3 Comments »

By David French
Senior Malware Researcher
CERT

David FrenchIn previous blog posts, I have written about applying similarity measures to malicious code to identify related files and reduce analysis expense. Another way to observe similarity in malicious code is to leverage analyst insights by identifying files that possess some property in common with a particular file of interest. One way to do this is by using YARA, an open-source project that helps researchers identify and classify malware. YARA has gained enormous popularity in recent years as a way for malware researchers and network defenders to communicate their knowledge about malicious files, from identifiers for specific families to signatures capturing common tools, techniques, and procedures (TTPs). This blog post provides guidelines for using YARA effectively, focusing on selection of objective criteria derived from malware, the type of criteria most useful in identifying related malware (including strings, resources, and functions), and guidelines for creating YARA signatures using these criteria.

Read more...

Fuzzy Hashing Against Different Types of Malware

CERT , Fuzzy Hashing , Malware No Comments »

By David French,
CERT Senior Researcher

David FrenchMalware, which is short for “malicious software,” is a growing problem for government and commercial organizations since it disrupts or denies important operations, gathers private information without consent, gains unauthorized access to system resources, and other inappropriate behaviors. A previous blog post described the use of  “fuzzy hashing” to determine whether two files suspected of being malware are similar, which helps analysts potentially save time by identifying opportunities to leverage previous analysis of malware when confronted with a new attack.  This posting continues our coverage of fuzzy hashing by discussing types of malware against which similarity measures of any kind (including fuzzy hashing) may be applied.

Read more...

Fuzzy Hashing Techniques in Applied Malware Analysis

CERT , Fuzzy Hashing , Malware 3 Comments »

By David French,
CERT Senior Researcher

David French Malware—generically defined as software designed to access a computer system without the owner’s informed consent—is a growing problem for government and commercial organizations.  In recent years, research into malware focused on similarity metrics to decide whether two suspected malicious files are similar to one another. Analysts use these metrics to determine whether a suspected malicious file bears any resemblance to already verified malicious files. Using these metrics allows analysts to potentially save time, by identifying opportunities to leverage previous analysis. This post will describe our efforts to develop a technique (known as fuzzy hashing) to help analysts determine whether two pieces of suspected malware are similar.

Read more...