Challenging conventional wisdom on byte signatures presented at Virus Bulletin 2010

by Thomas Dullien (zynamics)

Summary: "We have heard 'byte signatures suck' from all directions. But do they really?

The motivation for this talk is the realization that the underlying problem with both byte signatures and most other 'proactive' security mechanisms is not the fact that they are inherently bad technologies, but that the attacker has full access to them prior to launching an attack. This means that the attacker gets unlimited test runs that allow him to make sure the actual attack will be successful.

This talk will discuss sophisticated algorithms that are extensions of the work done by Carrera/Erdelyi at VB2004 that automatically classify new malicious software by graph similarity. Furthermore, the classification results then serve as input to other algorithms that can automatically construct 'classical' byte-based AV signatures that match on the entire cluster of malware. The discussed algorithms work on oligomorphic malware without adjustment (a signature automatically generated from just 19 Swizzor samples caught more than 1,000 other variants). The false positive rate of these signatures has been shown to be very low.

The presented algorithms not only allow the construction of 'classical' byte signatures, but the construction of large quantities of such signatures (thousands, in most cases).

The capability to automatically generate large quantities of signature 'variants' allows an inversion of the situation: different user groups can get different signatures, and signatures can be 'mutated' frequently. This changes the situation quite fundamentally: the attackers can no longer 'test' their malware properly, as the signatures they are testing against today will no longer be the signatures that are deployed tomorrow."