
Automatic Signature Generation

Unfortunately, the utility of the UI was perhaps not worth the development effort. Fortunately, the trainings I've attended at Blackhat have given me a good idea of how to use other UIs and get access to a 'better' disassembler than objdump in IDA Pro.

Instead of the UI, I've shifted development focus to the automatic signature generation, an attempt to use the binBLAST technique to identify unique code sequences compared to some universal set of code. Initial development of this is showing great promise but is far from submission quality. I'm making changes to my DefCon talk to reflect this new progress/development.

I know valsmith has already posted this, but don't miss all of the Offensive Computing and Metasploit presentations this week in Vegas!

Auto Signatures...

I'd like to hear more on this. I've been remiss in my signature generation for OC, but now that I'm all defconed up - I'm back in the saddle again.

Are you talking about detecting unique sequences for detecting malware in transit, or like snippets of code that set up things like phone homes and so on once the malware has been set up?

-- D

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior

AV signatures

He's talking about AV style signatures, although I suppose matching opcode sequences might be useful for snort as well.

btw your talk was teh awesome hlywood

V.

Signature generation

The short answer to your question is just for AV-type detection and yes it can do sub-sample matching (this section of code looks like the phone-home client of Malware XXX).

But, because the technique looks at streams of binary information, its use is not limited to static analysis of well-formed, valid executables. It could potentially be used on network traffic, analysis of ICE monitors, basically analysis of raw binary code. The hard part here is in identifying valid binary code (if you dd some data from /dev/random and run it through an x86 disassembler, you will most likely get disassembly. At one point in my thesis I disassembled all binary sections (including .data) and saw all sorts of demons including 64-bit code in a 32-bit distribution, etc.)
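The two posts above describe the idea at a high level: take a sample, compare its code sequences against a "universal" background set, keep what is unique, and then use those sequences for sub-sample matching over any byte stream. The following is an added illustration of that workflow in Python, not hllywood's binBLAST code and not a reconstruction of it; it works on raw byte n-grams rather than disassembled opcodes, and all of the "benign corpus", "sample" and "capture" bytes are constructed for the example (the x86 prologue/epilogue bytes are real encodings, the "phone-home" body is just bytes chosen to be absent from the corpus).

```python
"""Toy unique-sequence signature generator (constructed example, not binBLAST)."""
from collections import Counter
from typing import Iterator

# --- constructed inputs -----------------------------------------------------
COMMON_PROLOGUE = bytes.fromhex("5589e583ec10")  # push ebp; mov ebp,esp; sub esp,0x10
COMMON_EPILOGUE = bytes.fromhex("c9c3")          # leave; ret
# A tiny "universal set": benign functions that all share the same prologue/epilogue.
BENIGN_CORPUS = [
    COMMON_PROLOGUE + bytes.fromhex("31c0") + COMMON_EPILOGUE,        # xor eax,eax
    COMMON_PROLOGUE + bytes.fromhex("b801000000") + COMMON_EPILOGUE,  # mov eax,1
    COMMON_PROLOGUE + bytes.fromhex("31c040") + COMMON_EPILOGUE,      # xor eax,eax; inc eax
]
# Constructed "phone-home" body: push imm32; mov ecx,10; call ecx. Not real malware,
# just bytes that never occur in the corpus.
PHONE_HOME = bytes.fromhex("68efbeaddeb90a000000ffd1")
SAMPLE = COMMON_PROLOGUE + PHONE_HOME + COMMON_EPILOGUE
# Constructed byte stream (e.g. a network capture) that embeds SAMPLE at offset 7.
CAPTURE = b"\x90" * 7 + SAMPLE + bytes.fromhex("cccccccc")


# --- signature generation ---------------------------------------------------
def ngrams(data: bytes, n: int) -> Iterator[bytes]:
    """Yield every length-n byte window of data, in offset order."""
    for i in range(len(data) - n + 1):
        yield data[i:i + n]


def background_df(corpus: list[bytes], n: int) -> Counter:
    """Document frequency: in how many corpus members does each n-gram occur?"""
    df: Counter = Counter()
    for blob in corpus:
        df.update(set(ngrams(blob, n)))
    return df


def unique_offsets(sample: bytes, df: Counter, n: int, max_df: int = 0) -> list[int]:
    """Offsets of sample windows seen in at most max_df background members."""
    return [i for i, g in enumerate(ngrams(sample, n)) if df.get(g, 0) <= max_df]


def merge_runs(sample: bytes, offsets: list[int], n: int, min_len: int) -> list[bytes]:
    """Merge overlapping or abutting unique windows into contiguous signature runs;
    drop runs shorter than min_len, which would be prone to accidental matches."""
    runs: list[bytes] = []
    start = prev = None
    for off in offsets:
        if start is None:
            start = prev = off
        elif off <= prev + n:          # window overlaps or directly follows the previous one
            prev = off
        else:
            runs.append(sample[start:prev + n])
            start = prev = off
    if start is not None:
        runs.append(sample[start:prev + n])
    return [r for r in runs if len(r) >= min_len]


def generate_signatures(sample: bytes, corpus: list[bytes], n: int = 4, min_len: int = 8) -> list[bytes]:
    """Sequences of sample that the background corpus never contains."""
    df = background_df(corpus, n)
    return merge_runs(sample, unique_offsets(sample, df, n), n, min_len)


# --- sub-sample matching ----------------------------------------------------
def scan(stream: bytes, signatures: list[bytes]) -> list[tuple[int, bytes]]:
    """Report every (offset, signature) hit inside an arbitrary byte stream."""
    hits = []
    for sig in signatures:
        pos = stream.find(sig)
        while pos != -1:
            hits.append((pos, sig))
            pos = stream.find(sig, pos + 1)
    return sorted(hits)


if __name__ == "__main__":
    sigs = generate_signatures(SAMPLE, BENIGN_CORPUS)
    for s in sigs:
        print("signature:", s.hex())
    print("hits in capture:", [(off, s.hex()) for off, s in scan(CAPTURE, sigs)])
    # A benign function measured against the rest of the corpus yields no signature,
    # because its only unseen windows form a run shorter than min_len.
    print("benign:", generate_signatures(BENIGN_CORPUS[0], BENIGN_CORPUS[1:]))
```

Two caveats worth noticing in the output. First, the merged run starts with `83 ec 10`, the tail of the shared prologue, because the window that straddles the prologue/body boundary is itself unseen in the corpus; a byte-level generator therefore ties its signature to the surrounding context, and a generator that works on an instruction stream would align runs to instruction boundaries instead. Second, `max_df` and `min_len` are the two knobs that trade detection for false positives: raising `max_df` accepts sequences that a few background files do contain, while lowering `min_len` admits short runs that will eventually turn up in unrelated data.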

Automatic Pattern (signature) generation

Hi hllywood:
I am very much interested in knowing the current status of your proposed tool on automatic signature generation. I am also thinking of working on a similar tool. But I'm interested in applying some DM techniques, like the Apriori algorithm, or frequent episode learning etc. I tried to get some information on BinBlast on the Net, but I had been unlucky. I will appreciate it if you can share some information on your project and this BinBlast technique.

thanks
-Sanjay

Things have been busy

I must sincerely apologize. Since DefCon, I've been in the process of moving and my free time to write code and get my personal file servers back in order has been nil.

The release of code is also delayed because the generation of AV signatures was not something my older codebase could support. Yes, I was/am able to automatically generate signatures but the code is hideous and breaks easily.

I'd like to get together a 3-5 page short paper on where I'm at. To maximize its utility, what would you like to see? A talk of the implementation? The mathematical background of how it was created? A wish list of where I'm going with this development?

Thank you much for your interest!

Talking about wishlists...

Talking about wishlists... any chance of getting a win32 port?

Regards.

Automatic signature generation

Hi:
I am writing to you after a long time. I was busy relocating. So, I would like to know about your proposal on automatic signature generation. Basically, I am more interested in the mathematical background and maybe, later, I will request some implementation details :)
If you have made progress, please do send me some article on that.
Thanking you very much
-Sanjay