Some months ago we showed you a graph-based tool for classifying malware. Today we'll show you another tool we are currently using in the lab to determine whether a file is malware or goodware. This tool is called VMatchBinary.
Basically, what we do is split each file into byte blocks and compute a checksum for each block. Each file is thus represented by its set of block checksums, and we can compare the checksums of one file against all the checksums of all the files we have in our database: two files that share many blocks are similar even when they are not byte-for-byte identical.
Many checksums of small, representative file blocks give good results when identifying similarity at the file level. But the best way to understand how it works is to see it in action, so click on the picture below and enjoy it!