BSidesSF 2016

In this Session, we will introduce the audience to various techniques that are used in the identification and classification of polymorphic malware. By definition, polymorphic malware easily evades traditional signature based detection methods. Approximation Matching algorithms such as ssdeep have had much greater success in detecting polymorphic files. The ssdeep hash is one of the more popular attributes that is computed for a file by a number of sites such as VirusTotal, Malwr and Anubis. Newer algorithms using bloom filters have also shown great promise in detecting polymorphic malware. This session gives an overview of these various algorithms and compares their efficiency and performance.While ssdeep is a good tool for comparing two known files, it becomes computationally expensive when a new file (and its ssdeep hash) is to be compared with a large database of existing ssdeep hashes to determine the closest match. In this session, we enumerate a class of techniques which reduce the lookup time significantly and allow for fast detection of similar files. These techniques are then extended to the classification of polymorphic malware and we show the efficacy of these techniques with real data collected from the field. We then analyze the performance of these algorithms both from a speed as well as their success rate.