Automatic Malware Signature Generation

Automatic malware signature generation The need for automatic and heuristic methodologies to produce malware signatures is still very high, especially considering the huge amount of malwares produced daily. This thesis aims at studying a tool for the automatic signature generation of malicious executables. As most of the business lies on the Microsoft Windows Operating System, the tool developed in this work specifically targets Windows Portable Executables. During the years, several automatic malware detection procedures have been introduced and attempted, most of which trying to discern malicious samples from benign ones; on the contrary, the main goal of the designed tool is the creation of signatures that are capable of synthesizing common features among the set of malwares provided. It is well known that, nowadays, malwares strongly rely on packers and on obfuscation techniques, that hide the original source code and prevent analysts to run the executable under a controlled environment so to track its behavior. For this reason, the tool focuses on the features that are actually more resistant to packers and obfuscation tampering (i.e. fields of the executable header and resources). An innovative approach of this work for the signature generation is the possibility of using already written signatures as part of the malwares features, possibly written by domain experts. The aim of this set of features is to cover, as much as possible, the features not natively supported by the tool, relying on already tested and effective ones. Examples of these features are strings and opcodes, for which, the automatic extraction of significant elements is not trivial. To deal with the huge amount of malwares affecting the Windows Operating System, the tool is provided with a preliminary clustering approach, that aims at creating small clusters from which extracting meaningful signatures. The signature generation is performed on each cluster resulting from the previous step and it consists of two procedures that solve, with greedy methodologies, the set cover problem. Experimental results and comparisons with other signature generation tools showed promising results with respect to the current situation and evidence the generation of rules that are actually sufficiently targeted for the training samples while, at the same time, being flexible enough to find new positives that have been confirmed to be malicious. Finally, the usage of already written signatures as malware features allows, in several occasions, to drastically decrease the amount of false positives produced.