A blog about reverse engineering, mathematics, politricks and some more ...
Friday, May 19, 2006
For those who are into malware classification, here's some code that one can include in a piece of malware to skew the Levenshtein distance described in the recently published MS paper (the trace gets padded with a random number of identical open/close events):

#include <stdio.h>
#include <stdlib.h>

/* Open and close the same file a random number of times (0..50000) so the
   recorded behaviour trace is padded with thousands of identical events.
   The original used a helper random_integer_in_range(0, 50000); rand() is
   substituted here so the fragment compiles as-is. */
void pad_trace(void)
{
    int j, i = rand() % 50001;
    FILE *f;
    for (j = 0; j < i; j++) {
        f = fopen("c:\\test.txt", "rt");
        if (f != NULL)      /* fopen returns NULL if the file does not exist */
            fclose(f);      /* the original had a typo here: flose */
    }
}
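As an added illustration, not code from the original post or from the MS paper: a small Python sketch of how this kind of padding inflates an edit distance over behaviour traces, and one normalisation (collapsing repeated runs of a short event pattern) a classifier can apply before comparing. The event names and traces are constructed for the example.

```python
"""Constructed example: edit distance over behaviour traces and the effect
of padding the trace with a repeated open/close pattern."""


def levenshtein(a, b):
    # Standard dynamic-programming edit distance; a and b are any sequences
    # of comparable items (strings, or lists of event names).
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (x != y)))  # substitution
        prev = cur
    return prev[-1]


def collapse_runs(trace, max_period=4):
    # Mitigation sketch: drop immediately repeated copies of any window of
    # length 1..max_period, so "open, close, open, close, ..." becomes a
    # single "open, close". This throws away loop counts, which may itself
    # be a feature worth keeping separately (e.g. as a repeat counter).
    out = list(trace)
    for p in range(1, max_period + 1):
        res = []
        for ev in out:
            res.append(ev)
            if len(res) >= 2 * p and res[-p:] == res[-2 * p:-p]:
                del res[-p:]
        out = res
    return out


# Constructed traces: a base sample, a variant with one real change, and
# the base sample padded with 40 open/close pairs (as the C fragment does).
BASE = ["CreateProcess", "RegSetValue", "InternetOpen",
        "InternetReadFile", "WriteFile"]
VARIANT = BASE[:-1] + ["DeleteFile"]
PADDED = BASE[:1] + ["CreateFile", "CloseHandle"] * 40 + BASE[1:]


def compare(a, b):
    # Returns (raw distance, distance after run-collapsing both traces).
    return levenshtein(a, b), levenshtein(collapse_runs(a), collapse_runs(b))


if __name__ == "__main__":
    print("base vs variant:", compare(BASE, VARIANT))   # (1, 1)
    print("base vs padded: ", compare(BASE, PADDED))    # (80, 2)
```

The padded copy of the same sample looks further from its original (80 edits) than a genuinely different variant (1 edit); after collapsing runs the padding costs only the two events of one open/close pair.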
Ultimately, I think you need both behavior and code classification. There's some danger in saying that "this is just another copy of malware.yyz", when in fact it is, but now has a working download link, and that's all that has changed. I won't argue that it still isn't "malware.yyz" and not "malware.yza", depending. But some simple change that doesn't change the "code" can still make a huge difference in how you have to treat it.