<\/p>\n\n\n\n
The code is used again to : <\/p>\n\n\n\n
- compile it again by another compiler<\/li>
- delete or add some features to it<\/li>
- update some libraries<\/li>
- change the distribution of the code inside of a file (thus, new linkers, packers, obfuscation are applied).<\/li>
- replace server IP addresses where data will be sent and downloaded.<\/li><\/ul>\n\n\n\n
The goal of these changes is to reshape malware, so it can stay unrecognizable for a while and infect more machines. Nevertheless, there are methods to detect this kind of repackaging and modifications.
<\/p>\n\n\n\nThese techniques are often used to analyze a big amount of data and find common elements there. Practical use cases of these methods can be found in the Threat Intelligence approach or ANY.RUN\u2019s Public Submission<\/a> section.<\/p>\n\n\n\n
A hash function<\/h2>\n\n\n\n
In 1940 Hans Peter Luhn from IBM developed systems for data analysis, including data storage, transfer, and search for text information. It resulted in designing \u200b\u200btransformation algorithms and then hashing data to find phone numbers and text. These were the first steps in computer science.
<\/p>\n\n\n\nNow there is a big number of hash algorithms that are distinguished by their collision resistance, calculation speed, bitterness, and other characteristics.
<\/p>\n\n\n\nWe are used to thinking that hash functions are similar to cryptographic hash functions. This is a common tool that serves for different goals, like:<\/p>\n\n\n\n
- Authentication<\/li>
- Electronic signature<\/li>
- Malware detection (files, IOCs)<\/li><\/ul>\n\n\n\n
Let\u2019s find out how hash algorithms help to fight against malicious objects and documents.
<\/p>\n\n\n\nWhat is a hash?<\/h2>\n\n\n\n
A cryptographic hash function, also called a hash, is a mathematical transformation that maps data to a bit string with numbers, letters, and a fixed size.
<\/p>\n\n\n\nA hash is collision resilient, if: <\/p>\n\n\n\n
- You can\u2019t restore the input data using a hash.<\/li>
- It\u2019s challenging to get identical hashes from different input data.<\/li><\/ol>\n\n\n\n
MD5, SHA-1, and SHA-256 are the most popular cryptographic hash algorithms to detect and attribute malware samples. Not long ago malicious objects were recognized only by signatures (a hash) of the executed file.
<\/p>\n\n\n\nHowever, in the modern world, it is not enough just to know the hash of the object as it\u2019s quite a weak indicator of compromise<\/a> (IOC). IOCs are artifacts that are used to detect malware. For example, IOCs can be registry presets, downloaded libraries, IP addresses, used ports, and a URL.
<\/p>\n\n\n\nLet\u2019s have a look at David Bianco\u2019s Pyramid of Pain. This cybersecurity analyst described the level of IOCs\u2019 difficulty that hackers use during attacks. In one case, if you know the MD5-hash of a malicious file, it is quite easy to detect it in the system. However, it will cause no pain to attackers. They will add one more bit of data to malware and the hash will change. In this scenario, a virus can be altered endlessly and each copy will have a different hash from others. <\/p>\n\n\n\n
<\/figure>\n\n\n\n
If you deal with numerous malicious samples, it becomes clear that most of them are not original at all. Cybercriminals often borrow or buy the source codes from each other and use them in programs of their own. It\u2019s a common practice when malware appears in the wild, and a lot of fake versions made of available fragments come up.
<\/p>\n\n\n\nHow to identify similarities of different malware samples of one family? There are special algorithms of hash calculation that aim to find these similarities. For example, fuzzy hashing. This technique finds repeated fragments of malware that belong to specific families. <\/p>\n\n\n\n
What does fuzzy hashing stand for?<\/h2>\n\n\n\n
If an algorithm of a cryptographic hash function involves the smallest change of input data, even a bit of information, the hash transforms completely, too. Here we can say that fuzzy hashes are more preferable in regard to minor changes in a file such as c2 server, configuration information and so. And these alterations aim at a small part of the fuzzy hash compared to the cryptographic one. That is why these functions allow detecting new malware modification more effectively and don\u2019t require a large number of resources for calculation.
<\/p>\n\n\n\nSo-called \u201cFuzzy hashing\u201d is a set of methods to preserve the similarity of hash functions or similarity digest. It is also a type of compression function for computing the similarity between individual files. Fuzzy hashing uses context-triggered piecewise hashing (CTPH).
<\/p>\n\n\n\nThe classification of fuzzy hashing is pretty wide.
<\/p>\n\n\n\nAccording to workflow, algorithms can be: <\/p>\n\n\n\n
- piecewise hashing, <\/li>
- context triggered piecewise hashing, <\/li>
- statistically improbable features, <\/li>
- block-based rebuilding.<\/li><\/ul>\n\n\n\n
According to the type of processed data, there are the following types:<\/p>\n\n\n\n
- Bit<\/li>
- Syntax<\/li>
- Semantic<\/li><\/ul>\n\n\n\n
But if we talk about fuzzy hashing, there is one method that is used the most \u2013 CTPH.
<\/p>\n\n\n\nThe SSDeep program was designed by Jesse Kornblum for computer forensics. It is based on the spamsum code. SSDeep computes several traditional cryptographic hashes of a fixed size and specific file fragments. This way the program identifies similar objects.
<\/p>\n\n\n\nHow does SSDeep work?<\/h2>\n\n\n\n
The program consists of the following steps:
<\/p>\n\n\n\n- It divides a file into smaller parts and analyzes them, not the whole file. <\/li>
- It can identify file fragments that have similar bit sequences and order. Also, it can work with bits of 2 sequences where they can differ according to length and value. <\/li><\/ol>\n\n\n\n
SSDeep works with different kinds of malicious content including executable files, malicious documents, and others. Today we will focus on malicious documents to better illustrate this approach. <\/p>\n\n\n\n
How can we identify malicious files\u2019 similarities with SSDeep? <\/h2>\n\n\n\n
If you go to ANY.RUN Public Submissions, you can find a huge collection of samples there. We will investigate malicious documents, use the \u201cmaldoc-42\u201d tag to find the samples we mention today. <\/p>\n\n\n\n
<\/figure>\n\n\n\n
Let\u2019s run one sample. Here is an excel file with quite a distinct picture with DocuSign written there. If we open one more sample<\/a>, with a different hash we can see the DocuSign template again. Does it mean that these different samples have similarities? <\/p>\n\n\n\n
<\/figure>\n\n\n\n
<\/figure>\n\n\n\n
We took 11 samples of maldocs and each analyzed object has a unique cryptographic hash sum MD5.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Using SSDeep we can calculate the piecewise hash of each file and save it.<\/p>\n\n\n\n
<\/figure>\n\n\n\n
Maldocs files have different and similar hash fragments.
<\/p>\n\n\n\n<\/figure>\n\n\n\n
Fuzzy hash can also be found in ANY.RUN\u2019s Static Discovering window by SSDeep name.
<\/p>\n\n\n\n
![\"\"\/](\"https:\/\/lh5.googleusercontent.com\/0ZvnP-mc17lGExkLPECRXK5Az3dc6Abmaeha-hXXWujxSEKBAgiY7tHnrT00yfFNaSgD5NDXoi6HQo4tiRkUh_A6JFVxKoBdsb1Ho3QVUZIYKxopad-TU-gB3Hw1yg2sm_tIiwUO\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/lh4.googleusercontent.com\/xobMW4t8Q46pM-K3u0MGNcWPtbMgYFV4RRbffqWbJqDVg10GIwbzzU750f2-0jjtGJTQIMloQxh-0Nd0JjbRt1jG6tAqF-cKNxT1SihrtS_YqG2Gb0jpu7QYiYyk1KM8g54vP_5a\")
<\/figure>\n\n\n\n