By Will Casey
Senior Researcher
CERT
Through our work in cyber security, we have amassed millions of pieces of malicious software in a large malware database called the CERT Artifact Catalog.
Analyzing this code manually for potential similarities and to identify
malware provenance is a painstaking process. This blog post follows up
our earlier post to explore how to create effective and efficient tools
that analysis can use to identify malware.
By Douglas C. Schmidt
Chief Technology Officer
A key mission of the SEI is to advance the practice of software engineering and cyber security through research and technology transition
to ensure the development and operation of software-reliant Department
of Defense (DoD) systems with predictable and improved quality,
schedule, and cost. To achieve this mission, the SEI conducts research
and development (R&D) activities involving the DoD, federal
agencies, industry, and academia. One of my initial blog postings
summarized the new and upcoming R&D activities
we had planned for 2011. Now that the year is nearly over, this blog
posting presents some of the many R&D accomplishments we completed
in 2011.
By David French,
CERT Senior Researcher
Malware,
which is short for “malicious software,” is a growing problem for
government and commercial organizations since it disrupts or denies
important operations, gathers private information without consent, gains
unauthorized access to system resources, and other inappropriate
behaviors. A previous blog post
described the use of “fuzzy hashing” to determine whether two files
suspected of being malware are similar, which helps analysts potentially
save time by identifying opportunities to leverage previous analysis of
malware when confronted with a new attack. This posting continues our
coverage of fuzzy hashing by discussing types of malware against which
similarity measures of any kind (including fuzzy hashing) may be
applied.
By Sagar Chaki, Senior Member of the Technical Staff
Research, Technology, and System Solutions 
Malware,
which is short for “malicious software,” consists of programming aimed
at disrupting or denying operation, gathering private information
without consent, gaining unauthorized access to system resources, and
other inappropriate behavior. Malware infestation is of increasing
concern to government and commercial organizations. For example,
according to the Global Threat Report from
Cisco Security Intelligence Operations, there were 287,298 “unique
malware encounters” in June 2011, double the number of incidents that
occurred in March. To help mitigate the threat of malware, researchers
at the SEI are investigating the origin of executable software binaries
that often take the form of malware. This posting augments a previous posting
describing our research on using classification (a form of machine
learning) to detect “provenance similarities” in binaries, which means
that they have been compiled from similar source code (e.g., differing
by only minor revisions) and with similar compilers (e.g., different
versions of Microsoft Visual C++ or different levels of optimization).
By David French,
CERT Senior Researcher
Malware—generically defined as software designed to access a
computer system without the owner’s informed consent—is a growing
problem for government and commercial organizations. In recent years,
research into malware focused on similarity metrics to decide whether
two suspected malicious files are similar to one another. Analysts use
these metrics to determine whether a suspected malicious file bears any
resemblance to already verified malicious files. Using these metrics
allows analysts to potentially save time, by identifying opportunities
to leverage previous analysis. This post will describe our efforts to
develop a technique (known as fuzzy hashing) to help analysts determine
whether two pieces of suspected malware are similar.
Recent Comments