Comments on ADD / XOR / ROL (blog by halvar.flake)

Comment by Ero, 2006-05-17 06:53 -07:00

Shocking as it might be, I think F-Secure does not use any sort of automation in order to classify malware. (Same goes for probably most other AVs.)

I'm now working together with Halvar and Rolf in Sabre Security, so I feel I can comment on how this similarity measure compares with the one I developed in the 2004 VB paper ;). There are some differences; mainly the usage of BinDiff in order to collect the similarity information (which is light-years ahead of the mini-differ I had developed then) and some polished clustering algorithms. All together this leads to much better results than the ones obtained in the paper.

Comment by Nick, 2006-05-05 21:24 -07:00

Here is my take on "... IrcBot and GoBot-3 ... and ... Gobot.R and Downloader.Delf-35 ... why do we have such ... differing names ...".

I think it's because of generic names. Symantec detects some GoBot variants as W32.Gobot.A and other variants simply as Backdoor.IRC.Bot (which is a generic name for a "yet to be analyzed IRC bot"). Downloader.Delf is a common name for downloader trojans written in Delphi. Possibly some of these were automatically processed by an AV vendor and a generic name was chosen. Or the analyst had little time to determine the family and went with a "safe" common name, and ClamAV just copied that vendor's name.

Also, curious: which very cheap unpacking tool did you use? Feel free to email me.

Nick

Comment by Matt Schmid, 2006-05-03 06:51 -07:00

Very interesting analysis. Have you thought about incorporating release/discovery date information for each sample into the model? That might allow you to see how different families of malware evolved (temporal relationships) in addition to how closely they are related.