By Chia Ching Fang and Shih-Hao Weng (Threat Researchers)
In malware research, threat hunting and sharing of threat intelligence, such as exchanging indicators of compromise (IoCs) in the form of hashes (e.g., MD5s, SHA256s), are common industry practices and helpful for information security professionals. Researchers, for instance, would typically search for malware samples on VirusTotal using hashes. However, hashes have some characteristics that could limit researchers trying to do file or threat correlation, such as the one-to-one relationship between a file and its hash. To overcome this, other hashing techniques, methodologies, and tools have been proposed, such as ssdeep, sdhash, imphash, and even our own Trend Micro Locality Sensitive Hashing (TLSH) — and they can indeed help researchers find and identify the similarities between binary files. These approaches use binary as a point of view.
Alternatively, researchers use other methodologies, such as using graphs as a point of view, to compare an executable file’s characteristics with others. For example, zynamics’ BinDiff does this by taking and viewing a bigger picture of an executable to see the similarities or differences between two executable files. This approach processes two files at the same time.
Our research, which we’ve named “Graph Hash,” builds on the advantages of these two approaches by calculating the hash of executable files using a graph view, which would help in classifying malware more ..
Support the originator by clicking the read the rest link below.
