Malfunction’s Functions : Automated Static Malware Analysis Using Function Level Signatures

DerbyCon V - Unity

Presented by: Jeramy Lochner, Matthew Rogers
Date: Friday September 25, 2015
Time: 16:00 - 16:25
Location: Track 5
Track: Stable Talks

Standard antivirus is frequently and easily bypassed by malware custom-written for an attack. Fortunately, malware authors are surpassed in laziness only by college students confronted with homework. Code re-use by Advanced Persistent Threats (APTs) gives us a chance to detect and identify never-before-seen malware. This talk is a summary of an experimental malware detection and analysis method developed by interns at Dynetics, Inc. Their solution differs from traditional methods in that malware signatures are unique to an assembly-language function, not a file, and that the signature generation uses context-triggered piecewise hashing (fuzzy hashing) instead of traditional absolute hashing algorithms such as MD5. The team created software called Malfunction that implements these methods. Preliminary tests indicate that it is capable of identifying the author of a malware sample by comparing it to known malware from that author, showing promise as both a detection tool as well as a forensics toolkit. While similar tools have been made before, none have done so on function basis while providing a percentage chance of a file being malicious.

Matthew Rogers

Jeramy Lochner


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats