Identify likely malware DLLs through statistical analysis

Status: NEW (Unassigned)
Product: Webtools Graveyard
Component: Dragnet
Reported: 5 years ago
Updated: 2 years ago
Reporter: brandon
Version: Trunk
Platform: x86, Mac OS X

Description (Reporter, 5 years ago)

One of the problems that we have with malware is that it offers sufficiently random names that we can't say "X file is malware, remove it."

However, assuming that the files are identical (just that the names are different), the debug ID and MD5 hash should also be identical across multiple, differently named files.

It should therefore be possible, with these two bits of data, to identify likely malware components by counting how many differently named files have the same MD5. We can come up with a threshold, and tag likely malware as such.

We can then use this information in a variety of good ways, like in FHR and the Magic 8 Ball.
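The counting heuristic the description proposes, written out as an added Python example (this is not code from the bug or from Dragnet). It assumes module records of the form (file name, debug ID, MD5) as a crash reporter would collect them from loaded modules; the sample records, their debug IDs and hashes, and the default threshold of 3 are all constructed placeholders.

```python
from collections import defaultdict

# Constructed sample records: (file name, debug ID, MD5). The debug IDs and
# hashes are made-up placeholders, not real module identifiers. The fourth
# group is the interesting one: identical bytes seen under four random names.
SAMPLE_MODULES = [
    ("kernel32.dll", "DBG-0001", "md5-aaaa"),
    ("KERNEL32.DLL", "DBG-0001", "md5-aaaa"),
    ("kernel32.dll", "DBG-0001", "md5-aaaa"),
    ("helper.dll",   "DBG-0002", "md5-bbbb"),
    ("helper32.dll", "DBG-0002", "md5-bbbb"),
    ("qzxwv.dll",    "DBG-9999", "md5-ffff"),
    ("hj3kl.dll",    "DBG-9999", "md5-ffff"),
    ("rtyui.dll",    "DBG-9999", "md5-ffff"),
    ("plmok.dll",    "DBG-9999", "md5-ffff"),
]


def names_per_identity(modules):
    """Map each (debug ID, MD5) pair to the set of distinct file names seen with it.

    Identical bytes give an identical debug ID and MD5, so the pair identifies
    the file regardless of what it was called on disk.
    """
    names = defaultdict(set)
    for filename, debug_id, md5 in modules:
        # Normalise case so "Foo.DLL" and "foo.dll" are not counted as two names.
        names[(debug_id, md5)].add(filename.lower())
    return names


def likely_malware(modules, threshold=3):
    """Return the identities whose bytes appeared under at least `threshold`
    different file names, mapped to the sorted list of those names.

    `threshold` is a constructed default; the bug leaves the real value open.
    """
    return {
        identity: sorted(names)
        for identity, names in names_per_identity(modules).items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for (debug_id, md5), names in likely_malware(SAMPLE_MODULES).items():
        print(f"{debug_id} / {md5}: {len(names)} names -> {', '.join(names)}")
```

Case-folding the names matters because one identity seen as `kernel32.dll` and `KERNEL32.DLL` is one name, not two. A known-good set of (debug ID, MD5) pairs can be excluded before thresholding, since a legitimate library that ships under several names would otherwise be tagged as well.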

History

Updated 2 years ago: Product: Webtools → Webtools Graveyard