Introducing the TypeRefHash (TRH)
#1
Bug 
Quote:
[Image: G_DATA_MalwareNamingHell_Header.jpg]

We introduce the TypeRefHash (TRH) which is an alternative to the ImpHash that does not work with .NET binaries. Our evaluation shows that it can effectively be used to identify .NET malware families.

Introduction

The ImpHash was introduced in 2014 by FireEye [1]. It has since been used by many malware analysts and implemented in tools like VirusTotal to identify similar malware samples by their imports. In theory, if programs use the same imports, they use similar source code.

.NET samples usually only import mscoree.dll, such that there is only a handful of different ImpHashes for all .NET binaries. Therefore, the ImpHash cannot be used here. This motivated us to find an alternative, the TypeRefHash (TRH). To show the imported DLLs, functions and the TypeRef table, we used the online tool penet.io.

.NET files store imported namespaces of their referenced types in a so-called Metadata table. We can use these to construct an identifier like the ImpHash. Similar to the combination of DLL/function name in the Import table, the TypeRef table contains a list with type names and their corresponding namespace. For example, a .NET binary may import the type DebuggerBrowsableState from the namespace System.Diagnostics.

Calculation

To calculate the TRH we extract the TypeRef table and resolve the indices to the corresponding strings.
  1. Order the entries by TypeNamespace and then by TypeName.
  2. Concatenate the TypeNamespaces and TypeNames with a dash. If the namespace is empty, the concatenated string starts with the dash.
  3. Join all strings with commas and calculate the SHA256 hash of the resulting UTF-8 byte string.
We use SHA256, instead of MD5 which is used for the ImpHash, as we already see MD5 collisions on our data sets. We order the entries in the table to prevent attacks where a different TypeRefHash could be created for a sample by just reordering the table. A similar attack was shown for the ImpHash by Balles and Sharfuddin [2]. We chose a dash and a comma as the separators, as they are not valid in namespaces and type names in .NET.
...
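The three calculation steps quoted above, implemented as an added example (this is not G DATA's code and does not parse a .NET binary): the TypeRef entries are constructed sample values standing in for a resolved TypeRef table, and plain ordinal string order for the sort is an assumption, since the post does not name a collation.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed TypeRef entries (TypeNamespace, TypeName), as they would look after
# resolving the string-heap indices of a .NET binary's TypeRef table. They are
# made up for this demo, not taken from a real sample; the entry with an empty
# namespace exercises the edge case from step 2.
SAMPLE_TYPEREFS: List[Tuple[str, str]] = [
    ("System.Diagnostics", "DebuggerBrowsableState"),
    ("System", "Object"),
    ("System.Runtime.CompilerServices", "CompilationRelaxationsAttribute"),
    ("", "GlobalHelper"),
    ("System", "Console"),
]

def canonical_string(entries: Iterable[Tuple[str, str]]) -> str:
    """Steps 1 and 2: sort by (TypeNamespace, TypeName), join each pair with a
    dash, then join all pairs with commas. Plain ordinal string order is used
    for the sort (an assumption; the post does not name a collation)."""
    ordered = sorted(entries, key=lambda e: (e[0], e[1]))
    # An empty namespace yields an element that starts with the dash: "-Name".
    return ",".join(f"{namespace}-{name}" for namespace, name in ordered)

def typeref_hash(entries: Iterable[Tuple[str, str]]) -> str:
    """Step 3: SHA-256 over the UTF-8 encoding of the canonical string. Because
    of the sort, reordering the TypeRef table does not change the result."""
    return hashlib.sha256(canonical_string(entries).encode("utf-8")).hexdigest()

def cluster_by_trh(samples: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Group sample names by TypeRefHash, which is how the hash is used to spot
    families: identical TRH means identical (sorted) TypeRef tables."""
    clusters: Dict[str, List[str]] = {}
    for name, entries in samples.items():
        clusters.setdefault(typeref_hash(entries), []).append(name)
    return clusters

if __name__ == "__main__":
    print(canonical_string(SAMPLE_TYPEREFS))
    print("TRH:", typeref_hash(SAMPLE_TYPEREFS))
    # Constructed set: a reordered copy clusters with the original, a copy with
    # one TypeRef removed does not.
    demo = {
        "sample_a": SAMPLE_TYPEREFS,
        "sample_b": list(reversed(SAMPLE_TYPEREFS)),
        "sample_c": SAMPLE_TYPEREFS[:-1],
    }
    for trh, names in cluster_by_trh(demo).items():
        print(trh[:16], names)
```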

