Site icon Panda Security Mediacenter

Automatic classification of malware

Last year we posted an article
about
graphic
representations of malware
, in which we commented that it's possible
to
automatically
identify and classify malware into a family based
on
their
graphical structure
representation. This representation is based on the relationship between
function calls in the executable.

These relationships create a graph of the internal structure of the
executable.
These graphs are very similar among samples of the same
family or among samples w
hich share the same
source code. There are several publications about this technique
(Ero Carrera &
Gergely Erdély [VB2004])
and all of us have heard about Sabre
Security
VxClass
Project
, which is a system to automatically unpack and classify a binary into
a family.

PandaLabs is 'two or three steps ahead' too and we
have developed our own system to automatically identify and classify the samples
we receive
daily. Of course, this system
works with unpacked samples, that's why we use it with our
generic unpacker engine. We have made a flash video [14 MB] (to show
you how this system works. Basically the steps are:

This data will be used to compare the
sample
with our entire graph database (Actually, we have already analyzed and stored in the graph database 185.000 samples).

Exit mobile version