When it comes to spotting malware, the signature-based detection, heuristics, and cloud-based recognition and information sharing used by many antivirus solutions today work well up to a certain point, but polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia, a doctoral candidate from Deakin University in Melbourne presented the results of research that just might be the solution to this problem. “Using structures, you can detect approximate matches of malware, and it’s possible to pick an entire family of malware pretty easily with just one structure,” he shared with CSO Australia.
So he created Simseer, a free online service that performs automated analysis on submitted malware samples and reports, and visualizes, how similar each one is to the other submitted specimens.
According to the website, Simseer analyzes the malware’s control flow, which changes far less between variants than string signatures or similar features; polymorphic and metamorphic malware variants usually share the same control flow.
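A toy version of that idea, added here as an illustration (this is not Simseer’s code, and every graph and byte value below is constructed): two programs with the same control-flow graph but different bytes match structurally, while a byte-string signature misses the re-encoded variant.

```python
from collections import Counter

# Constructed samples: a program is a control-flow graph mapping a basic-block id
# to (instruction bytes, list of successor block ids). Block 0 is the entry.
ORIGINAL = {
    0: (b"\x55\x89\xe5\x83\xec\x10", [1]),
    1: (b"\x3b\x45\x08\x7c\x05", [2, 3]),   # compare + conditional branch
    2: (b"\xe8\x00\x00\x00\x00", [1]),      # call, then loop back to block 1
    3: (b"\xc9\xc3", []),                   # leave; ret
}
# "Polymorphic" variant: identical control flow, every block padded with NOP bytes.
VARIANT = {
    0: (b"\x90\x55\x90\x89\xe5\x90\x83\xec\x10", [1]),
    1: (b"\x90\x3b\x45\x08\x90\x7c\x05", [2, 3]),
    2: (b"\x90\xe8\x00\x00\x00\x00\x90", [1]),
    3: (b"\x90\xc9\x90\xc3", []),
}
# Unrelated program: straight-line code with no loop or branch.
UNRELATED = {0: (b"\x55\x89\xe5", [1]), 1: (b"\x31\xc0", [2]), 2: (b"\xc9\xc3", [])}

def cfg_shape(cfg, entry=0):
    """Structural signature: a depth-first walk that records only the branching
    shape (out-degree per block, back-references to already-visited blocks),
    never the bytes inside a block, so re-encoded blocks look identical."""
    order, tokens = {}, []
    def walk(b):
        if b in order:                      # loop or join: reference, don't revisit
            tokens.append(("ref", order[b]))
            return
        order[b] = len(order)
        succ = cfg[b][1]
        tokens.append(("node", len(succ)))
        for s in succ:
            walk(s)
        tokens.append(("end",))
    walk(entry)
    return tokens

def ngrams(tokens, n=3):
    return Counter(tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))

def similarity(a, b, n=3):
    """Approximate match in [0, 1]: Jaccard index over n-grams of the two shapes."""
    ga, gb = ngrams(cfg_shape(a), n), ngrams(cfg_shape(b), n)
    inter, union = sum((ga & gb).values()), sum((ga | gb).values())
    return inter / union if union else 1.0

def byte_signature_hit(cfg, pattern):
    """Classic string signature: does the byte pattern occur anywhere in the program?"""
    return any(pattern in code for code, _ in cfg.values())

if __name__ == "__main__":
    sig = b"\x3b\x45\x08\x7c\x05"
    print("structure original/variant:", similarity(ORIGINAL, VARIANT))
    print("structure original/unrelated:", round(similarity(ORIGINAL, UNRELATED), 3))
    print("byte signature hits variant:", byte_signature_hit(VARIANT, sig))
```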
It runs on an Amazon EC2 cluster with a dozen or so virtual servers, and is “fed” by Cesare every night with gigabytes of malware code downloaded from other free sources such as VirusShare.
The technique is not limited to malware: it works on any kind of software, and can be used for plagiarism and software theft detection as well as incident response.