Speaker(s): Jonas Zaddach, Cisco
While research on automated malware clustering is plentiful, the exercise of
finding usable signatures for detection is left to the reader. Solutions
proposed by academia have come and gone, none of them giving us a system for
generating malware signatures which is open and available for tinkering.
In this work, we took bits and pieces from several projects to put together
BASS, the BASS Automated Signature Synthesizer. Components are encapsulated in
containers, allowing for the maintainability and scalability required for
large-scale signature generation. In a nutshell, the system finds code
similarities between samples of a malware cluster using binary diffing
techniques on the code flow level. To this end, state-of-the-art binary diffing
tools such as BinDiff and Kam1n0 as well as IDA Pro are used.
From common byte sequences in the identified malicious code, the system
generates signatures for the open-source virus scanner ClamAV. BASS is a
framework the modern AV industry needs: overwhelmed by millions of samples per
day, it requires quick and precise coverage for emerging threats as well as for
polymorphic malware families.
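As an added illustration, not code from BASS, Cisco or the talk: the final stage the abstract describes, turning byte sequences shared by the samples of a cluster into a ClamAV signature, run on constructed sample bytes. The sample bytes, the column-wise `??` masking of diff-matched regions, the minimum-literal-byte threshold and every function name below are this example's own assumptions; only the `.ndb` line layout (Name:TargetType:Offset:HexSignature) and the `??` single-byte wildcard are ClamAV's.

```python
"""Common-byte-sequence signature synthesis for one malware cluster.

Added example, not BASS code. Mimics "common byte sequences -> ClamAV signature"
on constructed bytes; names and thresholds are assumptions of this example.
"""
import re
from typing import List, Optional

MIN_LITERAL_BYTES = 8  # assumed threshold: too few fixed bytes invites false positives

# Constructed "matched function" bytes from three samples of one cluster: identical
# code except for a 4-byte call target, the kind of variance a binary diff tolerates.
SAMPLES = [
    bytes.fromhex("5589e583ec10c745fc00000000e8" + imm + "8b45fc83c0015dc3")
    for imm in ("11223344", "aabbccdd", "99887766")
]


def longest_common_run(samples: List[bytes], min_len: int = MIN_LITERAL_BYTES) -> Optional[bytes]:
    """Longest byte string of at least min_len present in every sample (None if none).

    Brute force over substrings of the shortest sample, longest first; acceptable
    for function-sized regions, which is what a diff-matched chunk is."""
    base = min(samples, key=len)
    for length in range(len(base), min_len - 1, -1):
        for start in range(len(base) - length + 1):
            cand = base[start:start + length]
            if all(cand in s for s in samples):
                return cand
    return None


def masked_signature(chunks: List[bytes]) -> str:
    """Column-align equal-length matched chunks and emit ClamAV hex, with the
    '??' single-byte wildcard wherever the samples disagree (e.g. addresses)."""
    if len({len(c) for c in chunks}) != 1:
        raise ValueError("masked alignment needs equal-length chunks")
    cols = []
    for column in zip(*chunks):
        cols.append(f"{column[0]:02x}" if len(set(column)) == 1 else "??")
    return "".join(cols)


def literal_bytes(hexsig: str) -> int:
    """Number of fixed (non-wildcard) bytes in a ClamAV hex signature."""
    return sum(1 for i in range(0, len(hexsig), 2) if hexsig[i:i + 2] != "??")


def to_ndb(name: str, hexsig: str, target: int = 1, offset: str = "*") -> str:
    """Format an .ndb line: Name:TargetType:Offset:HexSignature (1 = PE, * = any offset)."""
    if literal_bytes(hexsig) < MIN_LITERAL_BYTES:
        raise ValueError("signature too generic")
    return f"{name}:{target}:{offset}:{hexsig}"


def hexsig_matches(hexsig: str, data: bytes) -> bool:
    """Check a '??'-wildcard hex signature against raw bytes (sanity check before shipping)."""
    parts = [hexsig[i:i + 2] for i in range(0, len(hexsig), 2)]
    pattern = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in parts)
    return re.search(pattern, data, re.DOTALL) is not None


def synthesize(name: str, samples: List[bytes]) -> str:
    """Prefer the wildcarded alignment (keeps more literal bytes); fall back to the
    longest common run when the matched regions differ in length."""
    try:
        hexsig = masked_signature(samples)
    except ValueError:
        run = longest_common_run(samples)
        if run is None:
            raise ValueError("no common byte run long enough for a signature")
        hexsig = run.hex()
    sig = to_ndb(name, hexsig)
    # a generated signature must hit every sample it was derived from
    if not all(hexsig_matches(hexsig, s) for s in samples):
        raise RuntimeError("generated signature misses one of its own samples")
    return sig


if __name__ == "__main__":
    print(synthesize("Example.Cluster.Constructed", SAMPLES))
```

On these constructed samples the masked form keeps 22 literal bytes, while the plain longest common run keeps 14; that gap is why aligning diff-matched code regions beats a longest-common-substring over whole files, and why the signature is checked back against every source sample before it is emitted.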