A deeper look at malware - the whole story

Bryan Lu, Fortinet


Although researchers are curious about how each and every type of malware works, the cyber world still suffers a deluge of more than thousands of malware samples per day. Malware packers and encoders build an outer shell around these malicious files in an attempt to lower the detection rate. Looking at the assortment and properties of these files, rather than at the files alone, could prove promising in thwarting these efforts and increasing detection rates. Unbelievable as it may seem, 'PE_Patch', the top packer for executable files, is only 5% detected by a few anti-malware vendors. Aside from the packer, investigating file properties, particularly file size, can elaborate and expand the details of the collections. Roughly 97% of malware discovered in 2006 was below one megabyte in size. By incorporating these two facets, packer and file size, into the design of security products, detection and performance rates are undeniably going to improve.

In such cases, deeper inspection of each piece of malware is only half of the story in mitigating threats. The presentation shows how looking at a collection of malware as a whole and grouping the samples by their properties can significantly improve detection and performance. Besides being purely statistical, this may be viewed as food for refined heuristics.

