When it comes to spotting malware, signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up a certain point, but the polymorphic malware still gives them a run for their money.
At the annual AusCert conference held this week in Australia a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem.
Security researcher Silvio Cesare had noticed that malware code consists of small “structures” that remain the same even after moderate changes to its code.
“Using structures, you can detect approximate matches of malware, and it’s possible to pick an entire family of malware pretty easily with just one structure,” he shared with CSO Australia.
So he created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens. It scores the similarity between malware (any kind of software, really), and it charts the results and visualizes program relationships as an evolutionary tree.
If a sample has less then 98 percent similarity with an existing malware strain, the sample gets catalogued as a completely new strain.
According to the website, Simseer detects malware’s control flow, which changes much less than string signatures or similar features, and polymorphic and metamorphic malware variant usually share the same control flow.
It runs on an Amazon EC2 cluster with a dozen or so virtual servers, and is “fed” by Cesare every night with gigabytes of malware code downloaded from other free sources such as VirusShare.
So far, Simseer has identified more than 50,000 strains of malware, and the number keeps growing. Cesare is still working on perfecting the service, and hopes it helps malware analysts with their research. For now, its use is free of charge to anyone.
It’s interesting to note that the service is capable of more than just detecting and cataloguing malware samples. As said before, it works on any kind of software, and can be used for plagiarism and software theft detection, as well as incident response.