Saturday, December 14, 2024
HomeComputer SecuritySSDEEP - Fuzzing Hashing Techniques to Detect Unknown Malware

SSDEEP – Fuzzing Hashing Techniques to Detect Unknown Malware

Published on

SIEM as a Service

AV vendors use various tools and techniques to identify the newly launched malware from the advisory. Before driving into reversing a malware or dynamic analysis. AV vendors always go with fuzzy hashing techniques (Machine learning) to quickly find the file is malicious or legit.

What is SSDEEP hashing?

Identifying the identical files using context triggered piecewise hashing (CTPH) technique. This program is effective in comparing the content similarity searches with existing well-known malware database.

Example: This is ransomware.

- Advertisement - SIEM as a Service

This is also a new ransomware.

Highlighted text indicates that ssdeep is capable to find and compares identical files with existing data.

Let’s do some practical work both as offender and defender to understand things better.

Offender Mindset :

Assume a scenario that you are a good programmer to reverse an existing malware binary and rewrite additional malicious codes to change the integrity ( HASH ) and do some code obfuscation.

Here we have a well-known Trojan called Njrat. Which is also called a RAT (Remote Access Trojan) which controls a compromised machine.

SSDEEP
njRAT in Hex Editor

Above is the program which I have opened and Hex editor and changed some specific lines without affecting the software functionality.

Later I have used some online tools to obfuscate the software code and making it difficult for a third-party to access your source code (AV Vendors).

Now the real malicious files are ready for the target. Let us test both files before obfuscation and after obfuscation with Virustotal.

Before Obfuscation:

Most of the AV vendors flag this file as malicious 57/70.

After Obfuscation :

When you use various tools (Hex Editor, online software code obfuscation) and techniques to rewrite the code. As a result, we see Only 29/69 says flag this file as malicious and others say as clean.

Defender Mindset:

Malware analyst is still capable to find the rabbit holes, let’s go with the machine learning technique ( SSDEEP ).

AV vendors will have a list of existing well-known malware and its ssdeep hash. Here I have calculated the SSDEEP hash for the original file njRAT v0.7d.exe ( Before obfuscation ). Context triggered piecewise hashing ( CTPH ) is up and ready now.

Comparing the Obfuscated executable with SSDEEP hash

The above-illustrated figure shows.When a list of SSDEEP hashes is available for existing well-known malware and these ssdeep hashes are compared with newly launched malware.

As a result of ssdeep machine learning tell us that 99% of the content is matched with an existing malware sample. I hope now we have marked this unknown file as malicious.

Machine learning is important for all cases in cybersecurity. But still sometimes with highly obfuscated malware, this kind of ML can still struggle and fail in some cases. So reversing an unknown malware will be quite helpful in most of the cases.

Happy Investigation!

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices...

Malicious ESLint Package Let Attackers Steal Data And Inject Remote Code

Cybercriminals exploited typosquatting to deploy a malicious npm package, `@typescript_eslinter/eslint`, targeting developers seeking the...