Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
VirusTotal - Why is similarity so relevant when investigating attacks
#1
Bug 
Quote:
[Image: VTBLOG-LOGO.jpg]

The concept of similarity is pretty straightforward: are two files similar? There are many ways to figure it out. That's why different similarity algorithms exist. Now, why is this useful? 
 
Attackers need tools for their attacks, basically malware. Malware in the end is a piece of software, built from frameworks, code and libraries, and takes some time and expertise to create. The result is that two different malware files built from the same developer using the same pieces will look alike.

Imagine you are investigating some attack and you find some suspicious file. After taking a look in VirusTotal, you find nothing really meaningful about the file itself. One idea at this point would be finding similar files: maybe the attacker used similar malware in other campaigns than the one under investigation, and maybe these files will tell more about the infection chain and infrastructure. Here is where similarity comes handy!

Additionally, the same approach can be applied to attribution. We find some malware that looks new, there are no references about it. Can we find similar malware? Maybe the new artefacts will tell more about the author, maybe they are well-known by the security industry. This is how attribution is built in many cases.

There are many situations where similarity becomes useful. We can always reduce the problem to the following: IOCs can easily be replaced, malware frameworks not. 

If you want to know more about how to use similarity in real cases, join us next November 25th for our “Similarity brings your threat hunting to the next level” webinar with TrendMicro and Trinity Cyber. Register here. 

In this blogpost we will discuss some interesting ideas of what can be done with similarity in VirusTotal.

File similarity in VT

You came across the following sample c9b96d5d694e4e25e03d97c7b95eff637525e539b9c47c8eda498f72ecd51b22 within your network and you want to find some context. Crowdsourced sigma rules already warn that something fishy might be going on. 
[Image: PBfQ1AqJJzcNkLRboyoaCJua36BOyAkuWRp6Fasx...NI7qk3UuCQ]
 
At this point we want to get a better understanding of the whole picture, which means getting more artifacts. When we run out of indicators, similarity to the rescue!

How to find similar samples? Right from the Details panel in the sample report there are several hashes that correspond to the output of different similarity algorithms: vhash, authentihash, imphash, rich PE header hash, ssdeep and TLSH:
 
[Image: 327bzUq6YDGWF9KMicCzt8yLSGwve1oXhZH5S7Qg...w4kZTHnhlw]

It is important to understand that different similarity algorithms provide different results. Choosing the right similarity many times depends on the samples we are working with, that's why sometimes it is just easier to check them all at the same time and take a look at the results.

Clicking on any of the hashes shown in the report will return all similar samples. In this case, vhash returns 57 additional files, imphash finds no other hits and rich PE header hash returns around 1.16 million other files in VT (we can spot potential non-malicious files adding the search operator positives:0).
...
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • silversurfer
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
AWZ Screen Recorder
AWZ Screen Recorder ...zevish — 11:05
Website X5 Go 2024.1
Website X5 Go 2024.1...zevish — 09:32
Apple's rules to allow third-party app ...
Apple has announ...alison30 — 09:28
Intel: Microsoft AI PCs need a Copilot K...
Microsoft hopes th...harlan4096 — 08:55
Synchredible 8 Professional Edition v8.2...
          Synchredib...zevish — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>