By: Mariano Graziano, Jonas Zaddach

Scheduled on: June 17 at 10:30

While research on automated malware clustering is plentiful, the exercise of finding usable signatures for detection is left to the reader. Solutions proposed by academia have come and gone, none of them giving us a system for generating malware signatures which is open and available for tinkering.

In this work, we took bits and pieces from several projects to put together BASS, the BASS Automated Signature Synthesizer. Components are encapsulated in containers, allowing for the maintainability and scalability required for large-scale signature generation. In a nutshell, the system finds code similarities between samples of a malware cluster using binary diffing techniques on the code flow level. To this end, state-of-the-art binary diffing tools such as Bindiff and Kam1n0 as well as IDA Pro are used.

From common byte sequences in the identified malicious code, the system generates signatures for the open-source virus scanner ClamAV. BASS is a necessary framework for the modern AV industry that is overwhelmed by millions of samples per day and needs quick and precise coverage for emerging threats as well as polymorphic malware families. BASS will be released on Github after the presentation.