ReversingLabs Hashing Algorithm
PREDICTIVE MALWARE DETECTION

Traditional hashing algorithms (e.g. MD5, SHA-1) provide an important tool for security applications. Although commonly used for whitelisting and blacklisting, traditional hashes have significant drawbacks for detecting malware. First, a malicious file must be seen before a hash can be created, so polymorphic attacks are not detectable. Second, hashes are fragile, enabling malware authors to make inconsequential changes to files to avoid detection.

The ReversingLabs Hashing Algorithm (RHA) addresses these drawbacks. Files have the same RHA hash when they are functionally similar, so a single RHA hash covers many variants of a file. Further, RHA will match files that are functionally similar to known malware.

HOW RHA WORKS

RHA enables correlation of files based on functional features. These attributes include specific header information, file layout and functional file information (e.g. relationships). RHA calculates functional similarity at four Precision Levels, each based on an increasing number of attributes. The Precision Level represents the degree to which a file is functionally similar to another file: a higher Precision Level will match fewer files, but the files will have more functional similarity.

Figure: RHA Precision Levels

Attributes are defined for each supported file format. First, format-specific attributes are grouped into categories such as structure, layout, content, symbols, functionality and relationships. How the attributes of each category are prepared for similarity matching varies for each format but usually entails data sorting and simplification. Attributes are then assigned to a Precision Level so that functionally related files share an RHA hash.

VALIDATION

The effectiveness of RHA was tested using 7.75M unique malware samples that were detected as part of the Zeus malware family by at least one antivirus vendor. The samples were processed with the algorithm at the lowest precision level, resulting in 47k unique RHA hashes. This effectively reduced the working malware set size by 93%. We expected a reduction in sample uniqueness for members of the same malware family but didn't expect the magnitude of the reduction.
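The Precision Level mechanism described under HOW RHA WORKS, and the bucket-count reduction measured in VALIDATION, as an added illustration that is not ReversingLabs' RHA or any code from this paper: the attribute groups, the sorting and simplification rules, and the sample attribute records are constructed assumptions, and the records stand in for parsed PE header data rather than real files.

```python
import hashlib
import json

# Constructed illustration of functional-similarity hashing with Precision Levels.
# NOT ReversingLabs' RHA: attribute groups, simplification rules and samples are assumptions.

# Attribute groups in order of increasing precision: Level 1 uses only the first
# group, and each higher Precision Level adds the next group.
LEVEL_ATTRIBUTES = [
    ("format", "machine", "subsystem"),   # header information
    ("section_names", "entry_section"),   # file layout
    ("imports",),                         # relationships to other modules
    ("section_sizes",),                   # content
]

def simplify(value):
    """Data sorting and simplification so inconsequential edits do not change the hash."""
    if isinstance(value, (list, tuple, set)):
        return sorted(simplify(v) for v in value)   # order-independent
    if isinstance(value, int):
        return value // 4096   # bucket sizes to 4 KiB so re-padding is ignored
    return str(value).lower()

def functional_hash(attrs, level):
    """SHA-256 over the canonical form of the attributes used by a Precision Level (1-4)."""
    if not 1 <= level <= len(LEVEL_ATTRIBUTES):
        raise ValueError("precision level must be between 1 and %d" % len(LEVEL_ATTRIBUTES))
    selected = {}
    for group in LEVEL_ATTRIBUTES[:level]:
        for name in group:
            selected[name] = simplify(attrs.get(name))
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def unique_hashes(samples, level):
    """How many distinct buckets a sample set collapses into at a given level."""
    return len({functional_hash(s, level) for s in samples})

# Constructed attribute records standing in for parsed PE headers (not real files).
# VARIANT is BASE with sections reordered and re-padded; OTHER shares the header
# and layout but imports different APIs.
BASE = {"format": "PE32", "machine": "i386", "subsystem": "gui",
        "section_names": [".text", ".rdata", ".data"], "entry_section": ".text",
        "imports": ["kernel32.dll!CreateFileA", "ws2_32.dll!send"],
        "section_sizes": [4096, 1024, 512]}
VARIANT = dict(BASE, section_names=[".data", ".text", ".rdata"],
               section_sizes=[4200, 1100, 600])
OTHER = dict(BASE, imports=["user32.dll!MessageBoxA"])
SAMPLES = [BASE, VARIANT, OTHER]
```

At Level 1 all three records fall into one bucket, while at Level 3 the differing imports split OTHER off, which is the "higher level matches fewer files" behaviour the text describes; an exact hash such as MD5 over the raw bytes would separate BASE and VARIANT at every level.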
We analyzed the sample data to better understand why the effectiveness was so high. We started with the hashes that yielded the most matches. The following plot shows the number of unique binaries that map to a single RHA hash at the lowest Precision Level.

Figure: NUMBER OF FILES THAT ARE ASSIGNED TO A SINGLE RHA HASH

The top matching RHA file sample showed that our best match wasn't on a particular malware family but on a packing wrapper used to mask the true attack. This was not a common off-the-shelf packer such as UPX, but a custom packing solution developed exclusively to hide malware presence.

Since packing can obscure detections and their malware family groupings, we turned to antivirus solutions to see how they classified the top match. The following graph shows the normalized threat names for the 100k files of the most prevalent RHA hash. There wasn't a consensus on the threat name, and only one antivirus vendor classified these samples as Zeus. Since it's clear that the packing layer interferes with proper detections, we've upgraded our TitaniumCore solution to support this custom packing solution, which we call epFlush.

Figure: THREAT NAME BREAKDOWN FOR THE BEST RHA1 HASH

Unpacking the files showed that the top match was also using multiple packing layers. The number of corrupted and incorrectly packed files was low, so we could successfully unpack 95% of the samples. Comparing the RHA of files at each layer of packing showed they remained within the same functional hash buckets. This indicates that the differences between these files were indeed minor.
RHA, even at the lowest precision level, showed no collisions with whitelisted files and therefore was safely applied to our automatic RHA cloud classification. The custom packer was blacklisted using its format signature; RHA enables us to detect multiple malware families that use it.

CONCLUSION

RHA provides a new security tool for effectively detecting present and future malware. The power of this tool is multiplied when used with an extensive file reputation database like TitaniumCloud. This combination enables large-scale detection of new malware variants through functional similarity to known malware.
