Sections, Segments, and Functions, oh my! Hashing your way to analytical shortcuts.

Presented at BSides Austin 2016, April 1, 2016, 10:30 a.m. (60 minutes).

During this talk I will share techniques I use to speed up the triage and analysis of binaries. These techniques include variants of section hashing, segment hashing, and Position Independent Code (PIC) function hashing. The presentation will include applied results from using these techniques, including comparing samples for shared code clones and family analysis, and sorting large piles of Mac malware. I've found better success grouping a large corpus of files for further analysis with some of these hashing techniques than I have with "traditional" fuzzy hashing. Other techniques (PIC hashing) can be used for comparing files as well as for speeding up the binary analysis of compiled code. All of these techniques can be implemented with simple Python programs and a data store back end of your choice (my current back end is Elastic Search). The presentation also covers pitfalls, hurdles, and analytical dead ends encountered while using these techniques.
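As an added illustration of the section-hashing idea (not code from the talk or its author), the following Python hashes each named section of an ELF64 image and reports which sections two samples share byte-for-byte. It assumes ELF64 rather than the Mach-O files the talk sorts, and the two sample images are constructed in-code so it runs offline:

```python
import hashlib
import struct

ELF64_EHDR = "<HHIQQQIHHHHHH"   # header fields after the 16-byte e_ident
ELF64_SHDR = "<IIQQQQIIQQ"      # one 64-byte section header
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8

def elf64_section_hashes(data):
    """Map each named section of a little-endian ELF64 image to the SHA-256 of its file bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    shdrs = [struct.unpack_from(ELF64_SHDR, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = data[shdrs[e_shstrndx][4]:shdrs[e_shstrndx][4] + shdrs[e_shstrndx][5]]
    hashes = {}
    for sh_name, sh_type, _flags, _addr, sh_offset, sh_size, *_ in shdrs:
        if sh_type in (SHT_NULL, SHT_NOBITS) or sh_size == 0:
            continue  # .bss-style sections occupy no file bytes, so there is nothing to hash
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        hashes[name] = hashlib.sha256(data[sh_offset:sh_offset + sh_size]).hexdigest()
    return hashes

def shared_sections(hashes_a, hashes_b):
    """Section names whose bytes are identical in both samples: a cheap code-clone signal."""
    return sorted(n for n in hashes_a if hashes_a.get(n) == hashes_b.get(n))

def build_elf64(sections):
    """Constructed test fixture: a minimal, non-loadable ELF64 holding the given (name, bytes) sections."""
    shstrtab, name_off = b"\0", {}
    for name in [n for n, _ in sections] + [".shstrtab"]:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    body, entries = b"", [(0, SHT_NULL, 0, 0)]
    for name, blob in sections:
        entries.append((name_off[name], SHT_PROGBITS, 64 + len(body), len(blob)))
        body += blob
    entries.append((name_off[".shstrtab"], SHT_STRTAB, 64 + len(body), len(shstrtab)))
    body += shstrtab
    e_shoff = 64 + len(body)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        ELF64_EHDR, 2, 0x3E, 1, 0, 0, e_shoff, 0, 64, 0, 0, 64, len(entries), len(entries) - 1)
    shdrs = b"".join(struct.pack(ELF64_SHDR, nm, ty, 0, 0, off, sz, 0, 0, 1, 0) for nm, ty, off, sz in entries)
    return ehdr + body + shdrs

# Two constructed samples that share .text (a "clone") but carry different .data
SAMPLE_A = build_elf64([(".text", b"\x55\x48\x89\xe5\x90\x5d\xc3"), (".data", b"config-v1\0")])
SAMPLE_B = build_elf64([(".text", b"\x55\x48\x89\xe5\x90\x5d\xc3"), (".data", b"config-v2\0")])
```

Storing the per-section digests per sample lets a corpus be queried for every file that shares a given `.text` hash, which is the grouping step the abstract describes.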


Presenters:

  • Aaron Shelmire
    Aaron Shelmire began his professional trip into the security world in 2004 after supercomputers he worked on were hacked during the Stakkato incident. Since then he completed his Master's degree in Information Assurance at Carnegie Mellon University (CMU), left the supercomputing centers for CERT/CC where he built network and link analysis tools, performed malware analysis and some IR. He then performed targeted IR, threat hunting, malware analysis, and helped build an endpoint threat detection system at Dell SecureWorks' Counter Threat Unit while adjunctly professing at CMU. He is now a Sr. Security Researcher at ThreatStream Labs advancing the state of their platform from malware analysis, IR and threat hunting viewpoints.
