Closed Bug 908712 Opened 11 years ago Closed 2 years ago

Identify likely malware DLLs through statistical analysis

Categories

(Webtools Graveyard :: Dragnet, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: brandon, Unassigned)

One of the problems that we have with malware is that it offers sufficiently random names that we can't say "X file is malware, remove it."

However, assuming that the files are identical (just that the names are different), the debug ID and MD5 hash should also be identical across multiple, differently named files.

It should therefore be possible, with these two bits of data, to identify likely malware components by counting how many differently named files have the same MD5. We can come up with a threshold, and tag likely malware as such.

We can then use this information in a variety of good ways, like in FHR and the Magic 8 Ball.
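
The counting approach proposed above, sketched as an added example that is not part of the original bug report or of any Mozilla code. The `Module` record layout, the function name `flag_renamed_binaries`, the default threshold of 3 and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict
from typing import Iterable, NamedTuple


class Module(NamedTuple):
    filename: str   # module name as reported in a crash report
    debug_id: str   # debug identifier of the module
    md5: str        # MD5 of the file contents


def flag_renamed_binaries(modules: Iterable[Module], threshold: int = 3):
    """Return [(debug_id, md5, sorted_names)] for every binary seen under at
    least `threshold` distinct file names, most-renamed first."""
    names_by_identity = defaultdict(set)
    for m in modules:
        # A record missing either identifier cannot be tied to one binary.
        if not m.debug_id or not m.md5:
            continue
        # Assumption: identifiers are hex strings, so case is normalized.
        key = (m.debug_id.upper(), m.md5.lower())
        # DLL names are case-insensitive: XUL.DLL and xul.dll are one name.
        names_by_identity[key].add(m.filename.lower())
    flagged = [(d, h, sorted(n)) for (d, h), n in names_by_identity.items()
               if len(n) >= threshold]
    flagged.sort(key=lambda row: (-len(row[2]), row[1]))
    return flagged


# Constructed sample records (not real crash data, not real hashes).
SAMPLE = [
    Module("xul.dll", "AAAA0001", "11111111111111111111111111111111"),
    Module("XUL.DLL", "AAAA0001", "11111111111111111111111111111111"),
    Module("qzkfjw.dll", "BBBB0002", "22222222222222222222222222222222"),
    Module("wpxmtr.dll", "BBBB0002", "22222222222222222222222222222222"),
    Module("hgyeoa.dll", "bbbb0002", "22222222222222222222222222222222"),
    Module("nodebug.dll", "", "33333333333333333333333333333333"),
]

if __name__ == "__main__":
    for debug_id, md5, names in flag_renamed_binaries(SAMPLE):
        print(f"{debug_id} {md5}: {len(names)} names -> {', '.join(names)}")
```

A threshold that is too low will also tag legitimate binaries that ship under more than one name, so the flagged set is a list of candidates for review rather than a verdict.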

Product: Webtools → Webtools Graveyard

This bug lies at rest in the graveyard.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE