Dailydave
mailing list archives
Re: OffensiveComputing
From: Dave Aitel <dave () immunitysec com>
Date: Sat, 10 Dec 2005 10:07:30 -0500
Looks great. I've always wondered at the use of md5 for file
determination of malware. Seems like it's time for something a bit more
of a curved function than that. You want to determine not only file
identity, but file closeness. Personally I'd probably unpack them, then
design a vector of <EXPORTS><IMPORTS><STRING CONSTANTS><Graph of Program
simplified and flattened> and then I'd just do vector differences from
each other. Another option is to run them in a sandbox, and just record
their use of APIs as a vector.
You can probably devolve each API call into a tuple and use that as a
direction in an N-dimensional space and do some simple pattern matching
as your HIDS as well. That way your HIDS would not only recognize one
trojan, but all programs that were similar to the trojans you've
"signatured".
Just some ideas. It's great to see a public collection of this stuff
finally, because research is very hard to do without it.
-dave
val smith wrote:
Hi there,
I know some of the people on this list and I've lurked here for a long
time so I thought there might be some interest in a project I've been
working on for a little while.
http://www.offensivecomputing.net
I've got some malware collection stuff to help add to the database and
I have a small collection built up over the years that I am slowly adding.
I've started it off with some copies of common stuff like Welchia,
Sobig, the Sony DRM thing, etc. and some minimal analysis stuff.
I'm open to any suggestions/contributions or even "this isn't a good
idea because . . ."
thanks!
V.
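The two ideas in Dave's reply above (a per-sample feature vector of exports, imports, strings and a flattened program graph compared by vector distance instead of md5 identity, and sandbox-recorded API calls turned into tuples that form dimensions of a space a HIDS can match against) can be sketched in a few dozen lines. The code below is an added illustration, not part of the original thread or of the offensivecomputing.net project; every sample, import name, string, graph edge and API trace in it is constructed toy data, and the field names, `cosine` metric and `0.8` threshold are the example's own choices.

```python
"""Feature-vector "closeness" for malware samples versus md5 identity.

All sample data here is constructed for illustration; nothing is taken from
real binaries.  A sample is summarized as four feature lists (the
<EXPORTS><IMPORTS><STRING CONSTANTS><simplified graph> tuple from the reply)
and distance between two samples is the cosine distance of the resulting
bag-of-features vectors.
"""
import hashlib
import math
from collections import Counter

# Constructed stand-ins for three unpacked samples (values are invented).
SAMPLES = {
    "trojan_a": {
        "exports": ["ServiceMain"],
        "imports": ["CreateRemoteThread", "WriteProcessMemory",
                    "InternetOpenA", "RegSetValueExA"],
        "strings": ["cmd.exe /c", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
        "graph": ["entry->init", "init->persist", "persist->beacon", "beacon->loop"],
    },
    # A recompiled variant: one import and one string differ, graph identical.
    "trojan_a_variant": {
        "exports": ["ServiceMain"],
        "imports": ["CreateRemoteThread", "WriteProcessMemory",
                    "InternetOpenW", "RegSetValueExA"],
        "strings": ["cmd.exe /c", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
        "graph": ["entry->init", "init->persist", "persist->beacon", "beacon->loop"],
    },
    "benign_tool": {
        "exports": [],
        "imports": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"],
        "strings": ["Usage: copytool <src> <dst>"],
        "graph": ["entry->parse_args", "parse_args->copy", "copy->exit"],
    },
}


def feature_vector(sample):
    """Bag-of-features vector: each distinct (field, value) pair is one dimension."""
    vec = Counter()
    for field, values in sample.items():
        for value in values:
            vec[(field, value)] += 1
    return vec


def cosine(a, b):
    """Cosine similarity between two Counter vectors (1.0 = identical direction)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(x * x for x in a.values()))
    norm_b = math.sqrt(sum(x * x for x in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def identity_hash(sample):
    """The md5-style view: any change at all yields an unrelated identifier."""
    blob = repr(sorted(sample.items())).encode()
    return hashlib.md5(blob).hexdigest()


def closeness(name_a, name_b):
    """Similarity of two named samples from SAMPLES; md5 would only say 'different'."""
    return cosine(feature_vector(SAMPLES[name_a]), feature_vector(SAMPLES[name_b]))


# Second idea from the reply: sandbox-observed API calls as (api, argument-class)
# tuples; each distinct tuple is a direction in N-dimensional space.  Traces are
# constructed for the example.
SIGNATURED_TRACES = {
    "trojan_a": [("RegSetValueEx", "run_key"), ("InternetOpen", "http"),
                 ("CreateRemoteThread", "other_proc"), ("InternetOpen", "http")],
    "benign_tool": [("CreateFile", "user_file"), ("ReadFile", "user_file"),
                    ("WriteFile", "user_file")],
}


def hids_match(trace, signatures=SIGNATURED_TRACES, threshold=0.8):
    """Nearest signatured behaviour for an observed trace.

    Returns (name, score) when the best match reaches the threshold, else
    (None, score), so programs merely *similar* to a known trojan still match.
    """
    observed = Counter(trace)
    best = max(signatures, key=lambda n: cosine(observed, Counter(signatures[n])))
    score = cosine(observed, Counter(signatures[best]))
    return (best, score) if score >= threshold else (None, score)


if __name__ == "__main__":
    print("md5 equal? ",
          identity_hash(SAMPLES["trojan_a"]) == identity_hash(SAMPLES["trojan_a_variant"]))
    print("closeness(trojan_a, variant) =", round(closeness("trojan_a", "trojan_a_variant"), 3))
    print("closeness(trojan_a, benign)  =", round(closeness("trojan_a", "benign_tool"), 3))
    new_trace = [("RegSetValueEx", "run_key"), ("InternetOpen", "http"),
                 ("CreateRemoteThread", "other_proc")]
    print("HIDS verdict for unseen trace:", hids_match(new_trace))
```

The variant shares 9 of its 11 features with the original, so its closeness is about 0.82 while its md5 is simply different; the unseen trace matches the signatured trojan at about 0.94 because the same API tuples dominate it even though the call counts differ. In practice the threshold and the choice of argument classes decide the false-positive rate, so they should be tuned against a benign corpus before such a matcher drives alerting.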