ReversingLabs Hashing Algorithm
PREDICTIVE MALWARE DETECTION
Traditional hashing algorithms (e.g. MD5, SHA-1) provide an important tool for security
applications. Although commonly used for whitelisting and blacklisting, traditional hashes have
significant drawbacks for detecting malware. First, a malicious file must be seen before a hash
can be created, so polymorphic attacks are not detectable. Second, hashes are fragile, enabling
malware authors to make inconsequential changes to files to avoid detection.
The ReversingLabs Hashing Algorithm (RHA) add... files have the same RHA hash when they...
intelligently ha... are functionally similar. This... are detection. One RHA... though each has a...
variant because it is... Further, RHA will... functionally similar to known malware.
HOW RHA WORKS
RHA enables correlation of files based on functional features. These attributes include
specific header information, file layout and functional file information (e.g. ...
relationships). RHA calculates functional similarity at four Precision Levels (up to
100%), each based on an increasing number of attributes. The Precision Level represents the degree to which
a file is functionally similar to another file. A higher Precision Level will match fewer files, but the files
it matches will have more functional similarity.
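As an added illustration of the idea above (this is not ReversingLabs code, and the attribute tiers below are assumptions, since the page does not enumerate the real RHA attribute set), the Python below builds a few constructed, minimal PE32 images and computes a toy functional hash at four cumulative Precision Levels. Level 1 keeps header facts (machine, subsystem, characteristics, section count); level 2 adds sorted section names and permissions; level 3 adds the entry-point section and power-of-two size buckets; level 4 adds exact section sizes. Build timestamp, checksum, raw file offsets and byte content are deliberately never hashed, so rebuilding a file with a new timestamp or an edited string does not change its bucket, while a renamed section or a grown code section only drops out at the higher levels. The sorting and bucketing stand in for the "data sorting and simplification" the page mentions; the names `build_pe`, `parse_pe`, `rha_like` and `matching_levels` are this example's own.

```python
"""Toy functional-similarity hash over PE headers, in the spirit of RHA.
Added example: the attribute tiers are assumptions, not the real RHA set."""
import hashlib
import struct

COFF_FMT = "<HHIIIHH"                          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER, 40 bytes
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"    # PE32 optional header without data directories, 96 bytes
IMAGE_FILE_MACHINE_I386 = 0x14C
SCN_CODE = 0x60000020                          # CODE | EXECUTE | READ
SCN_DATA = 0xC0000040                          # INITIALIZED_DATA | READ | WRITE


def build_pe(sections, timestamp, checksum, entry_rva):
    """Constructed minimal PE32: DOS stub, COFF header, 96-byte optional header
    (NumberOfRvaAndSizes = 0) and a section table. sections is a list of
    (name, virtual_size, virtual_address, raw_bytes, characteristics)."""
    e_lfanew, file_align = 0x40, 0x200
    hdr = e_lfanew + 4 + 20 + 96 + 40 * len(sections)
    hdr = -(-hdr // file_align) * file_align           # round up to FileAlignment
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_I386, len(sections),
                       timestamp, 0, 0, 96, 0x0102)    # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = struct.pack(OPT_FMT, 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, 0x1000, file_align, 6, 0, 0, 0, 6, 0, 0, 0x4000,
                      hdr, checksum, 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 0)
    table, body, raw_ptr = b"", b"", hdr
    for name, vsize, vaddr, raw, chars in sections:
        raw_size = -(-len(raw) // file_align) * file_align
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr, b"\0") + body


def parse_pe(data):
    """Pull out the header, layout and entry-point facts the toy hash uses.
    TimeDateStamp, CheckSum and raw file offsets are skipped on purpose."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "vaddr": f[2], "raw_size": f[3], "chars": f[9]})
    return {"machine": machine, "coff_chars": chars, "subsystem": subsystem,
            "dll_chars": dll_chars, "entry_rva": entry_rva, "sections": sections}


def _bucket(n):
    """Simplification step: power-of-two size bucket, so padding or a few
    extra bytes of code do not move a file out of its bucket."""
    return n.bit_length()


def rha_like(data, level):
    """Toy functional hash at Precision Level 1..4. Each level hashes every
    tier below it plus one more, so higher levels match fewer files."""
    if not 1 <= level <= 4:
        raise ValueError("level must be 1..4")
    pe = parse_pe(data)
    secs = sorted(pe["sections"], key=lambda s: s["name"])   # data sorting step
    entry = next((s["name"] for s in secs
                  if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], 1)), None)
    tiers = [
        ("hdr", pe["machine"], pe["subsystem"], pe["coff_chars"], pe["dll_chars"], len(secs)),
        ("layout",) + tuple((s["name"], s["chars"]) for s in secs),
        ("func", entry) + tuple((s["name"], _bucket(s["vsize"])) for s in secs),
        ("sizes",) + tuple((s["name"], s["vsize"], s["raw_size"]) for s in secs),
    ]
    h = hashlib.sha256()
    for tier in tiers[:level]:
        h.update(repr(tier).encode())
    return h.hexdigest()


def matching_levels(a, b):
    """Precision Levels at which two files fall into the same hash bucket."""
    return [lvl for lvl in range(1, 5) if rha_like(a, lvl) == rha_like(b, lvl)]


# Constructed samples. A: baseline. B: same code, new build timestamp, checksum
# and an edited string. C: code section grew a little (same size bucket).
# D: same headers but renamed sections, as a packer stub might leave them.
CODE = b"\x55\x89\xe5" + b"\x90" * 64 + b"\xc3"                    # 0x44 bytes of constructed x86
SAMPLE_A = build_pe([(b".text", 0x44, 0x1000, CODE, SCN_CODE),
                     (b".data", 0x09, 0x2000, b"config=1\0", SCN_DATA)], 0x5A000000, 0x1234, 0x1000)
SAMPLE_B = build_pe([(b".text", 0x44, 0x1000, CODE, SCN_CODE),
                     (b".data", 0x09, 0x2000, b"config=2\0", SCN_DATA)], 0x5B000000, 0x9999, 0x1000)
SAMPLE_C = build_pe([(b".text", 0x60, 0x1000, CODE + b"\x90" * 28, SCN_CODE),
                     (b".data", 0x09, 0x2000, b"config=1\0", SCN_DATA)], 0x5A000000, 0x1234, 0x1000)
SAMPLE_D = build_pe([(b".pack0", 0x44, 0x1000, CODE, SCN_CODE),
                     (b".pack1", 0x09, 0x2000, b"config=1\0", SCN_DATA)], 0x5A000000, 0x1234, 0x1000)

if __name__ == "__main__":
    for label, s in (("B", SAMPLE_B), ("C", SAMPLE_C), ("D", SAMPLE_D)):
        print(f"A vs {label}: identical bytes={SAMPLE_A == s}, matching levels={matching_levels(SAMPLE_A, s)}")
```

Running it shows the contrast with a traditional hash: A and B are different files byte for byte (so MD5 or SHA-1 would never link them) yet share the toy hash at all four levels; C matches at levels 1 to 3 and drops out only when exact sizes are hashed; D, with only its header facts in common, matches at level 1 alone.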
...table file format. First, format spec... ...such as: structure, layout, content, symbols, functionality and re...
...attributes of each category for similarity are... ...for each format but usually entail data sorting and simplification.
...Level so that functionally related fil...

VALIDATION
The effectiveness of RHA was tested using 7.75M unique malware samples that were detected as
part of the Zeus malware family by at least one antivirus vendor. The samples were processed with
the algorithm at the lowest Precision Level, resulting in 47k unique RHA hashes. This effectively
reduced the working malware set size by 93%.
We expected a reduction in sample uniqueness for members of the same malware family, but did not
expect the magnitude of the reduction. We analyzed the sample data to better understand why the
effectiveness was so high. We started with the hashes that yielded the most matches. The following
plot shows the number of unique binaries that map to a single RHA hash at the lowest Precision
Level.
NUMBER OF FILES THAT ARE ASSIGNED TO A SINGLE RHA HASH
The top matching RHA file sample showed that our best match was not on a particular malware
family but on a packing wrapper used to mask the true attack. This was not a common off-the-shelf
packer such as UPX, but a custom packing solution developed exclusively to hide the presence of
malware.
Since packing can obscure detections and their malware family groupings, we turned to antivirus
solutions to see how they classified the top match. The following graph shows the normalized threat
names for the 100k files of the most prevalent RHA hash. There was no consensus on the threat
name, and only one antivirus vendor classified these samples as Zeus. Since it is clear that the
packing layer interferes with proper detections, we have upgraded our TitaniumCore solution to support
this custom packing solution, which we call epFlush.
THREAT NAME BREAKDOWN FOR THE BEST RHA HASH
Unpacking the files showed that the top match was also using multiple packing layers. The number
of corrupted and incorrectly packed files was low, so we could successfully unpack 95% of the
samples. Comparing the RHA of the files at each layer of packing showed that they remained within the
same functional hash buckets. This indicates that the differences between these files were indeed
minor.
RHA, even at the lowest Precision Level, showed no collisions with whitelisted files and therefore was
safely applied to our automatic RHA cloud classification. The custom packer was blacklisted using
its format signature; RHA enables us to detect multiple malware families that use it.
CONCLUSION
RHA provides a new security tool for effectively detecting present and future malware. The power of
this tool is multiplied when used with an extensive file reputation database like TitaniumCloud. This
combination enables large-scale detection of new malware variants through functional similarity to
known malware.