Challenging conventional wisdom on byte signatures

Thomas Dullien zynamics
Ero Carrera VirusTotal/zynamics
Christian Blichmann zynamics
Soeren Meyer-Eppler zynamics

We have heard 'byte signatures suck' from all directions. But do they really?

The motivation for this talk is the realization that the underlying problem with both byte signatures and most other 'proactive' security mechanisms is not the fact that they are inherently bad technologies, but that the attacker has full access to them prior to launching an attack. This means that the attacker gets unlimited test runs that allow him to make sure the actual attack will be successful.

This talk will discuss sophisticated algorithms that are extensions of the work done by Carrera/Erdelyi at VB2004 that automatically classify new malicious software by graph similarity. Furthermore, the classification results then serve as input to other algorithms that can automatically construct 'classical' byte-based AV signatures that match on the entire cluster of malware. The discussed algorithms work on oligomorphic malware without adjustment (a signature automatically generated from just 19 Swizzor samples caught more than 1,000 other variants). The false positive rate of these signatures has been shown to be very low.

The presented algorithms not only allow the construction of 'classical' byte signatures, but the construction of large quantities of such signatures (thousands, in most cases).

The capability to automatically generate large quantities of signature 'variants' allows an inversion of the situation: different user groups can get different signatures, and signatures can be 'mutated' frequently. This changes the situation quite fundamentally: the attackers can no longer 'test' their malware properly, as the signatures they are testing against today will no longer be the signatures that are deployed tomorrow.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.