Malware similarity search

http://sarvam.ece.ucsb.edu/home

http://www.simseer.com/ (review)

 

Nice find

 

Thanks .

By the way, does Simseer work for anyone?

 

Hi! I'm Laks, one of the developers of Sarvam.

Thanks MrBrian for sharing the link. And thanks Windows_Security for the feedback. I think it should be easy to add the Virustotal detection ratio in our output. We will update it soon.

I've used Simseer a few months back and that time there was no login (if I remember correctly). But if you're interested in clustering malware and visualizing the clusters, I wrote a blog (along with Python code) on how to cluster a malware dataset and visualize the clusters. The link is: Clustering a Malware Corpus (http://sarvamblog.blogspot.com/2013/04/clustering-malware-corpus.html)

I can also give a brief introduction on our Malware Similarity project. Rather than doing traditional static code analysis or dynamic analysis, we convert the malware binaries to grayscale images and fingerprint them using image similarity fingerprints. This allows the system to easily scale up to millions. Our current corpus has 4 million+ samples. These fingerprints capture the structural/visual similarity and easily finds malware variants. Another advantage is the query time taken to find a match is only 2-3 seconds. On average, our system has been able to find 50% of malware variants since it became public in mid 2012. More details can be found at our blog: Finding Visually Similar Malware among Millions of Malware..

One caveat to note is that our system is NOT a malware analysis service, but it only aids in finding structurally/visually similar malware.

I will be really happy to answer any questions and will also appreciate any feedback/suggestions.

 

@laks_man: thank you for your post and work . Do you know of any other similar services available to the public?

 

I don't think there are too many public services for malware similarity. There is Clonewise by the same authors of Simseer.
VILO used to be online but is currently inactive (not sure if they'll bring it back up).
Malware Hash Registry by Team Cymru is good for looking up hash. There is another tool, totalhash which does the same (and also has some nice graphs)

For other general security resouces, I find these 3 links have a comprehensive list:
it-sec-catalog
Malware Analysis Resources by grand stream dreams
Probably the Best Free Security list in the World

 

Bright idea to categorize malware using graphics and available engines to compare similarity. Few testing statistics I saw had very high and very low results, indicating it could actually work in daily practice.

Just wondering whether, those five top matches, are dynamically determined or fixed categories? I forgot to save results (otherwise I could have checked visually ). Some explanation on how to interpret the results could not harm either.

Thanks for responding in this forum

Regards Kees

 

Hi Kees,

Great question! The matches are dynamically determined, but the categories are static in our current implementation. We obtain the AV labels from Virustotal beforehand and based on the detection ratio, we give categories (malicious/benign) to the matches.

The interpretation of the results are briefly explained in our blog: http://sarvamblog.blogspot.com/2013/10/finding-visually-similar-malware-among.html