Daniel Plohmann daniel.plohmann@fkie.fraunhofer.de @push_pnx @malpedia

More documents

Recommendations

Info

Malpedia: Status Quo YaraRules.com vs. Malpedia • YaraRules.com • Probably the most comprehensive public body of YARA rules /home/analyst/repos/yara‐rules $ grep ^rule * ‐R | wc ‐l 12065 /home/analyst/repos/yara‐rules $ cd malware /home/analyst/repos/yara‐rules/malware $ grep ^rule * ‐R | wc ‐l 1611 /home/analyst/repos/yara‐rules/malware $ ls ‐l | wc ‐l 268 ^^^ =267 files ‐> families • The ideal YARA rules: • One rule matches one family only. (no false positives) • One rule matches all samples of this same family. (no false negatives) 50 © Cyber Analysis and Defense Department, Fraunhofer FKIE
Malpedia: Status Quo YaraRules.com vs. Malpedia Ideally, these or more would be hit 337 families 115 40 212 • YaraRules.com results: actually hit • 95 of 1,611 malware rules produce matches against 67 families of malpedia • For some families, multiple rules exist and hit (5x BlackShades RAT, 5x Codoso, 3x Turla, …) • 5 rules (6%) produce False Positives against 3 or more families • Conditions are chosen so wide that they allow one or more FP strings as a group to already fulfil the rule • Example: „data_inject“ (generic for many webinjects, matches a bunch of bankers) • Example: „mario“ AND „RFB 003.033“ AND „FIXME“ (matches basically every Zeus offspring) • 19 families (28%) were hit incompletely • On average they match only 29.58% of the samples present for the respective family. 51 © Cyber Analysis and Defense Department, Fraunhofer FKIE
Page 1 and 2: Daniel Plohmann daniel.plohmann@fki
Page 3 and 4: The Malware Knowledge Archipelago 3
Page 5 and 6: The Malware Knowledge Archipelago A
Page 15 and 16: Other Efforts to Systematize 15 ©
Page 17 and 18: The Malware Knowledge Archipelago O
Page 25 and 26: The Malware Knowledge Archipelago T
Page 27 and 28: Malpedia The central concept • Go
Page 29 and 30: Malpedia The Vision • Goals: •
Page 31 and 32: Malpedia: Status Quo Progress • D
Page 33 and 34: Malpedia: Status Quo Data acquistio
Page 35 and 36: Malpedia: Status Quo /home/analyst/
Page 37 and 38: Malpedia: Status Quo Web UI 37 © C
Page 39 and 40: Malpedia: Status Quo Web UI 39 © C
Page 41 and 42: Malpedia: Status Quo Web UI [1] htt
Page 47 and 48: What’s already possible Status Qu
Page 49: What’s already possible Status Qu
Page 53 and 54: What’s already possible Status Qu
Page 55 and 56: Malpedia: Status Quo file vs. Malpe
Page 57 and 58: Malpedia: Status Quo Disassembler v
Page 63 and 64: Roadmap Ingredients for Future Good
Page 65 and 66: Roadmap Gabby: A Malware Classifica
Page 67 and 68: Conclusion 67 © Cyber Analysis and
Page 69: Thank You for Your Attention! Danie

Daniel Plohmann daniel.plohmann@fkie.fraunhofer.de @push_pnx @malpedia

Create successful ePaper yourself

Delete template?

Save as template?