Friday, May 19, 2006

For those who are into malware classification, here's some code that one
can include in a piece of malware to skew the Levenshtein distance described
in the recently published MS paper. The loop opens and closes a file a random
number of times, so the same sample leaves behavioral event traces of a
different length on every run; each iteration that one run has and another
lacks adds two events (open, close) to the edit distance between them.

#include <stdio.h>
#include <stdlib.h>
/* Open and close a file 0..50000 times; rand() stands in for the
 * original's random_integer_in_range(0, 50000). */
void skew_trace(void)
{
    int j, i = rand() % 50001;
    FILE *f;
    for (j = 0; j < i; j++) {
        f = fopen("c:\\test.txt", "rt");
        if (f) fclose(f); /* "flose" in the original; fopen may return NULL */
    }
}
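An added example, not code from the post or from the MS paper, showing the effect on the analyst's side: it computes the Levenshtein distance between two simulated runs of the same sample (one padded with 7 open/close pairs, one with 120), then applies one possible normalization, collapsing adjacent repeats of a short event n-gram, so that the loop leaves the same footprint regardless of how many times it ran. The event names, the trace, and the helper names are all constructed for illustration.

```python
"""Added example: how a random-count open/close loop inflates the Levenshtein
distance between behavioral traces of one sample, and a normalization that
neutralizes it. Constructed for illustration; not the MS paper's method."""

# A constructed, simplified behavioral trace (event names are illustrative).
BASE_TRACE = ["CreateProcess", "RegSetValue", "WriteFile", "Connect"]

# The two events the loop in the post would add on every iteration.
PAD_EVENTS = ["fopen(c:\\test.txt)", "fclose"]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute, unit cost) over two event sequences."""
    prev = list(range(len(b) + 1))
    for i, ea in enumerate(a, 1):
        cur = [i]
        for j, eb in enumerate(b, 1):
            cost = 0 if ea == eb else 1
            cur.append(min(prev[j] + 1,          # delete ea
                           cur[j - 1] + 1,       # insert eb
                           prev[j - 1] + cost))  # substitute / match
        prev = cur
    return prev[-1]


def pad_trace(trace, n, position=1):
    """Simulate one run of the loop: n open/close pairs inserted at `position`.
    The post draws n from [0, 50000]; callers here pass a small n for speed."""
    return trace[:position] + PAD_EVENTS * n + trace[position:]


def collapse_repeats(trace, max_period=4):
    """Collapse any adjacent repetition of a 1..max_period event n-gram to one
    copy, so a loop body that ran 7 or 50000 times leaves the same footprint."""
    out = list(trace)
    i = 0
    while i < len(out):
        for p in range(1, max_period + 1):
            if i + 2 * p <= len(out) and out[i:i + p] == out[i + p:i + 2 * p]:
                del out[i + p:i + 2 * p]  # drop the second copy, re-check at i
                break
        else:
            i += 1
    return out


def compare_runs(n_a, n_b):
    """Distances between two runs of the same sample, raw and normalized."""
    run_a, run_b = pad_trace(BASE_TRACE, n_a), pad_trace(BASE_TRACE, n_b)
    return {
        "raw": levenshtein(run_a, run_b),
        "raw_vs_base": (levenshtein(run_a, BASE_TRACE), levenshtein(run_b, BASE_TRACE)),
        "normalized": levenshtein(collapse_repeats(run_a), collapse_repeats(run_b)),
        "normalized_vs_base": levenshtein(collapse_repeats(run_a), BASE_TRACE),
    }


if __name__ == "__main__":
    print(compare_runs(7, 120))
```

With 7 versus 120 iterations the raw distance between two runs of the same sample is 226 (two events per extra iteration), while after collapsing repeats it is 0 and both runs sit two events (one open/close pair) from the unpadded trace. The trade-off is that the normalization also throws away genuine repetition counts, such as two consecutive WriteFile events, so a classifier that depends on those would need a cap on the run length rather than a full collapse.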

1 comment:

Ryan Russell said...

Ultimately, I think you need both behavior and code classification. There's some danger in saying that "this is just another copy of malware.yyz", when in fact it is, but now has a working download link, and that's all that has changed. I won't argue that it still isn't "malware.yyz" and not "malware.yza", depending. But some simple change that doesn't change the "code" can still make a huge difference in how you have to treat it.