Malware Signatures - O-LavenderAshburn/Knowledgebase_MalwareAnalysis GitHub Wiki

Malware signatures are characteristics that make a malware sample identifiable. They can be behavioral (created processes, files, registry keys, and so on), static (strings, byte sequences, and hashes), or network based.

Host Based Signatures:

  • Based on static attributes of the malware binary.
  • Includes specific strings, byte sequences, and hash values that uniquely identify the malware file.
  • Example: A hash (e.g., MD5, SHA-1) of a file can be used to identify an exact version of malware.
  • Can be in the form of strings found in the binary relating to file paths or IP addresses.
  • File Metadata: Malware can sometimes be identified through metadata such as timestamps, file size, and embedded author information.
  • Code Patterns: Some host-based signatures rely on recognizing specific code structures, API calls, or function imports that are commonly used by malware.
  • Behavioral Indicators: While host-based signatures are typically static, some systems may include behavioral heuristics, such as detecting registry modifications or unauthorized file system changes.

Network Based Signatures:

  • Based on network activity and traffic patterns specific to the malware.
  • Involves analysis of unusual network traffic, such as communication with known Command and Control (C&C) servers or websites hosting additional malicious software.
  • Deep Packet Inspection can be used to detect malicious payloads in network traffic.
  • Protocol Anomalies: Malware often abuses protocols (e.g., unusual HTTP headers, malformed DNS queries) to communicate with C&C servers.
  • Encrypted Traffic Analysis: Even if malware encrypts its traffic, patterns such as beaconing intervals, domain generation algorithms (DGA), or the use of unusual ports can be signature indicators.
  • Use of outdated or deprecated protocols can also be leveraged as a detection indicator.

YARA

YARA (Yet Another Ridiculous Acronym) is an open-source tool used for the detection and classification of malware. It allows for rule-based malware detection, making it a powerful tool for threat classification and forensic analysis. YARA is cross-platform and allows for a wide variety of rule definitions to identify malware from its signatures.
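The following is an added example (not code from this wiki or from the YARA project) that shows, in plain Python, how the three host-based static signature types listed above (file hash, ASCII/wide strings, and a byte sequence with YARA-style `??` wildcards) are matched against a sample. The sample bytes and the `demo_dropper` rule are constructed here purely for illustration.

```python
import hashlib
import re

# Constructed sample "binary": an MZ header, an embedded file path,
# a UTF-16LE (wide) URL, and a short x86 function prologue.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"C:\\Users\\Public\\svc.exe\x00"
          + "http://10.0.0.5/gate.php".encode("utf-16-le")
          + b"\x55\x8b\xec\x83\xec\x10\xe8\x12\x34\x56\x78")

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string ('55 8B EC ?? ?? 10') to a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def match_strings(data: bytes, needles) -> list:
    """Return the needles present either as ASCII or as UTF-16LE ('wide') strings."""
    return [s for s in needles
            if s.encode() in data or s.encode("utf-16-le") in data]

def scan(data: bytes, rule: dict) -> dict:
    """Evaluate one rule; 'condition' is 'all' or 'any' over the indicator types."""
    results = {
        "hash": hashlib.sha256(data).hexdigest() in rule.get("sha256", set()),
        "strings": match_strings(data, rule.get("strings", [])),
        "bytes": (bool(hex_pattern_to_regex(rule["hex"]).search(data))
                  if "hex" in rule else False),
    }
    flags = [results["hash"], bool(results["strings"]), results["bytes"]]
    matched = all(flags) if rule.get("condition") == "all" else any(flags)
    return {"rule": rule["name"], "matched": matched, **results}

# Constructed rule: an exact-hash pin plus strings and a wildcarded prologue.
# A hash only ever matches this exact build; strings and byte patterns
# survive small changes such as a recompiled or patched binary.
RULE = {
    "name": "demo_dropper",
    "sha256": {hashlib.sha256(SAMPLE).hexdigest()},
    "strings": ["svc.exe", "10.0.0.5/gate.php", "not_present.dll"],
    "hex": "55 8B EC 83 EC ?? E8",  # push ebp; mov ebp,esp; sub esp,??; call
    "condition": "any",
}

if __name__ == "__main__":
    print(scan(SAMPLE, RULE))
```

Flipping a single byte of the sample breaks the hash indicator while the string and byte-pattern indicators still fire, which is why hash-only signatures are the most brittle of the three.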