VirusTotal - Why is similarity so relevant when investigating attacks
#1
Quote:

The concept of similarity is pretty straightforward: are two files similar? There are many ways to figure it out. That's why different similarity algorithms exist. Now, why is this useful? 
 
Attackers need tools for their attacks, basically malware. Malware in the end is a piece of software, built from frameworks, code and libraries, and takes some time and expertise to create. The result is that two different malware files built by the same developer using the same pieces will look alike.

Imagine you are investigating some attack and you find some suspicious file. After taking a look in VirusTotal, you find nothing really meaningful about the file itself. One idea at this point would be finding similar files: maybe the attacker used similar malware in campaigns other than the one under investigation, and maybe these files will tell more about the infection chain and infrastructure. Here is where similarity comes in handy!

Additionally, the same approach can be applied to attribution. We find some malware that looks new, and there are no references to it. Can we find similar malware? Maybe the new artefacts will tell more about the author, maybe they are well known to the security industry. This is how attribution is built in many cases.

There are many situations where similarity becomes useful. We can always reduce the problem to the following: IOCs can easily be replaced, malware frameworks not. 

If you want to know more about how to use similarity in real cases, join us next November 25th for our “Similarity brings your threat hunting to the next level” webinar with TrendMicro and Trinity Cyber. Register [link].

In this blogpost we will discuss some interesting ideas of what can be done with similarity in VirusTotal.

File similarity in VT

You came across the following sample [link] within your network and you want to find some context. Crowdsourced Sigma rules already warn that something fishy might be going on.
[Image: PBfQ1AqJJzcNkLRboyoaCJua36BOyAkuWRp6Fasx...NI7qk3UuCQ]
 
At this point we want to get a better understanding of the whole picture, which means getting more artifacts. When we run out of indicators, similarity to the rescue!

How do you find similar samples? Right in the Details panel of the sample report there are several hashes that correspond to the output of different similarity algorithms: vhash, authentihash, imphash, rich PE header hash, ssdeep and TLSH:
 
[Image: 327bzUq6YDGWF9KMicCzt8yLSGwve1oXhZH5S7Qg...w4kZTHnhlw]

It is important to understand that different similarity algorithms provide different results. Choosing the right similarity algorithm often depends on the samples we are working with, which is why it is sometimes easier to check them all at the same time and take a look at the results.

Clicking on any of the hashes shown in the report will return all similar samples. In this case, vhash returns 57 additional files, imphash finds no other hits and rich PE header hash returns around [link] (we can spot potential non-malicious files by adding the search operator positives:0).
...
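As an added illustration of one of the similarity hashes the post lists (not code from the VirusTotal post or from VirusTotal itself), the block below computes an imphash the way the pefile/Mandiant convention defines it, then clusters a constructed corpus by that hash the way a pivot on the report's imphash would. The import tables and sample names are constructed for this example, and ordinal-only imports (which real tools resolve to names via lookup tables) are assumed absent.

```python
import hashlib
from collections import defaultdict

# Constructed import tables, shaped like what a PE parser yields: a list of
# (dll name, [imported function names]) in import-directory order.
# A and B are two builds of the same loader (only DLL-name casing differs);
# C is the same code base with one extra API call.
SAMPLE_A = [("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]),
            ("ADVAPI32.dll", ["RegOpenKeyExA"])]
SAMPLE_B = [("kernel32.DLL", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]),
            ("advapi32.dll", ["RegOpenKeyExA"])]
SAMPLE_C = [("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                              "CreateThread"]),
            ("ADVAPI32.dll", ["RegOpenKeyExA"])]


def imphash(imports):
    """MD5 over 'dll.function' entries (lowercased, DLL extension stripped),
    joined by commas in import-table order.

    Order matters: the same APIs imported in a different order give a
    different imphash, which is why it fingerprints a build/toolchain
    rather than a feature set. Ordinal imports are not handled here."""
    parts = []
    for dll, funcs in imports:
        dll = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.extend(f"{dll}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def cluster_by_imphash(corpus):
    """Group sample names by imphash: {imphash: [names sharing it]}.
    Equivalent to clicking the imphash in a report and collecting hits."""
    clusters = defaultdict(list)
    for name, imports in corpus.items():
        clusters[imphash(imports)].append(name)
    return dict(clusters)


if __name__ == "__main__":
    corpus = {"a.exe": SAMPLE_A, "b.exe": SAMPLE_B, "c.exe": SAMPLE_C}
    for h, names in cluster_by_imphash(corpus).items():
        print(h, sorted(names))
```

Running it prints two clusters: a.exe and b.exe share an imphash despite the differing DLL-name casing, while c.exe lands alone because of the added import.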