Bryan Lu Fortinet
Despite researchers' curiosity about how each and every type of malware works, the cyber world still suffers a deluge of thousands of new malware samples per day. Malware packers and encoders wrap these files in an outer shell to try to lower the detection rate. Looking at the assortment and properties of these files as a collection, rather than at each file alone, could prove promising in thwarting these efforts and increasing detection rates. Unbelievable as it may seem, 'PE_Patch', the number one packer for executable files, is detected by only a few anti-malware vendors, at a rate of about 5%. Aside from the packer, investigating file properties, particularly size, can elaborate and expand the details of the collection: roughly 97% of malware discovered in 2006 was below one megabyte in size. By incorporating these two facets, packer and file size, into the design of security products, both detection and performance rates stand to improve.
In such cases, deeper inspection of each piece of malware is only half of the story in mitigating threats. The presentation shows how looking at a collection of malware as a whole and grouping samples by their properties can add significant improvement in detection and performance. Beyond the purely statistical view, this may be regarded as food for refined heuristics.
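The grouping the abstract describes, as an added example that is not part of the presentation or its slides: a small Python script profiles a collection of samples by packer and size bucket, then orders them for scanning so that small, packed files (the population the two statistics above point at) are inspected first. The sample records, the packer names other than PE_Patch (UPX and Themida are assumed here purely as further examples of known packers), and the bucket boundaries are all constructed for illustration.

```python
"""Profile a malware collection by packer and file size, then prioritise scanning."""
from collections import Counter
from typing import Dict, FrozenSet, List, Optional, Tuple

ONE_MB = 1024 * 1024

# Constructed sample records, not real telemetry:
# (sample id, file size in bytes, packer name reported by an identifier, or None if unpacked)
Sample = Tuple[str, int, Optional[str]]
SAMPLES: List[Sample] = [
    ("a1", 48_000, "PE_Patch"),
    ("b2", 210_000, "UPX"),
    ("c3", 3_500_000, None),
    ("d4", 96_000, "PE_Patch"),
    ("e5", 640_000, None),
    ("f6", 1_200_000, "UPX"),
    ("g7", 30_000, "PE_Patch"),
    ("h8", 512_000, "Themida"),
]

# Assumed set of packers the product knows how to unwrap or flag.
KNOWN_PACKERS: FrozenSet[str] = frozenset({"PE_Patch", "UPX", "Themida"})

# Upper bounds (exclusive) for each size bucket; None means no upper bound.
SIZE_BUCKETS: List[Tuple[Optional[int], str]] = [
    (64 * 1024, "<64KB"),
    (256 * 1024, "64KB-256KB"),
    (ONE_MB, "256KB-1MB"),
    (None, ">=1MB"),
]


def size_bucket(size: int) -> str:
    """Map a file size to the first bucket whose bound it falls under."""
    for limit, label in SIZE_BUCKETS:
        if limit is None or size < limit:
            return label
    raise AssertionError("unreachable: last bucket is unbounded")


def profile(samples: List[Sample]) -> Tuple[Dict[str, int], Dict[str, int], float]:
    """Return (count per packer, count per size bucket, fraction of samples below 1 MB)."""
    by_packer = Counter(packer or "unpacked" for _, _, packer in samples)
    by_bucket = Counter(size_bucket(size) for _, size, _ in samples)
    below_1mb = sum(1 for _, size, _ in samples if size < ONE_MB) / len(samples)
    return dict(by_packer), dict(by_bucket), below_1mb


def scan_priority(size: int, packer: Optional[str]) -> int:
    """Lower value is scanned first.

    Packed and under 1 MB is where most samples sit and where plain signatures
    do worst, so that combination gets the deep heuristics before anything else.
    """
    packed = packer in KNOWN_PACKERS
    small = size < ONE_MB
    if packed and small:
        return 0
    if packed or small:
        return 1
    return 2


def triage_order(samples: List[Sample]) -> List[str]:
    """Sample ids in the order a scanner would process them (priority, then size)."""
    ranked = sorted(samples, key=lambda rec: (scan_priority(rec[1], rec[2]), rec[1]))
    return [sample_id for sample_id, _, _ in ranked]


if __name__ == "__main__":
    packers, buckets, frac = profile(SAMPLES)
    print("by packer:", packers)
    print("by size:", buckets)
    print(f"below 1 MB: {frac:.0%}")
    print("scan order:", triage_order(SAMPLES))
```

The two statistics the abstract quotes are exactly the kind of output `profile` produces over a real corpus; `scan_priority` is one way to turn them into a heuristic, with the bucket thresholds left as parameters so they can be re-derived as the collection changes.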