Finding the Needle: A Study of the PE32 Rich Header and Respective Malware Triage

Authors

  • George D. Webster
  • Bojan Kolosnjaji
  • Christian von Pentz
  • Julian Kirsch
  • Zachary D. Hanif
  • Apostolis Zarras
  • Claudia Eckert
Abstract

Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and outright removal of information contained in samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32), a data structure used by the Windows OS to handle executable code, contains hidden information that can provide a security analyst with an upper hand. In this paper, we perform the first accurate assessment of the hidden PE32 field known as the Rich Header and describe how to extract the data that it clandestinely contains. We study 964,816 malware samples and demonstrate how the information contained in the Rich Header can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. We first show how to quickly identify post-modified and obfuscated binaries through anomalies in the header. Next, we exhibit the Rich Header’s utility in triage by presenting a proof-of-concept similarity matching algorithm which is based solely on the contents of the Rich Header. With our algorithm we demonstrate how the contents of the Rich Header can be used to identify similar malware, different versions of malware, and malware that has been built under different build environments, revealing potentially distinct actors. Furthermore, we are able to perform these operations in near real-time, in less than 6.73 ms on commodity hardware across our studied samples. In conclusion, we establish that this little-studied header in the PE32 format is a valuable asset for security analysts and has a breadth of future potential.
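The header layout and integrity check the abstract refers to, as an added Python example that is not the paper's code: it locates the XOR-encoded block between the DOS stub and the PE header, recovers the (compid, count) entries, and recomputes the key as a checksum over the DOS header and entries, so that a mismatch flags a binary whose header was edited after linking. The sample bytes are constructed by `build_sample` for illustration, not taken from any studied malware, and the DanS offset of 0x80 is an assumption of that builder.

```python
import struct

DANS = 0x536E6144  # "DanS": opens the header, stored XOR-encoded with the key

def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(data, dans_off, entries):
    # Key doubles as a checksum: DanS offset + each DOS header byte rotated by its
    # index (e_lfanew at 0x3C-0x3F skipped) + each compid rotated by its use count.
    cs = dans_off
    for i in range(dans_off):
        if not 0x3C <= i < 0x40:
            cs = (cs + rol32(data[i], i)) & 0xFFFFFFFF
    for compid, count in entries:
        cs = (cs + rol32(compid, count)) & 0xFFFFFFFF
    return cs

def parse_rich_header(data):
    """Return {'entries', 'key', 'checksum_ok'}, or None if no header is found."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0x40, e_lfanew)   # clear-text end marker
    if rich_off < 0:
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dans_off = data.find(struct.pack("<I", DANS ^ key), 0x40, rich_off)
    if dans_off < 0 or (rich_off - dans_off) % 4:
        return None
    dwords = [struct.unpack_from("<I", data, o)[0] ^ key
              for o in range(dans_off + 4, rich_off, 4)]
    if dwords[:3] != [0, 0, 0] or len(dwords) % 2 == 0:   # 3 pads, then pairs
        return None
    body = dwords[3:]
    entries = [(body[i], body[i + 1]) for i in range(0, len(body), 2)]
    # compid = (product id << 16) | build number. Key != recomputed checksum means
    # the DOS header or entries were edited after linking: the anomaly triaged on.
    return {"entries": entries, "key": key,
            "checksum_ok": rich_checksum(data, dans_off, entries) == key}

def build_sample(entries, key=None):
    """Constructed DOS header + Rich Header + 'PE' marker; key=None -> valid key."""
    body = [DANS, 0, 0, 0] + [x for e in entries for x in e]
    dans_off = 0x80
    dos = bytearray(b"MZ" + bytes(dans_off - 2))
    struct.pack_into("<I", dos, 0x3C, dans_off + 4 * len(body) + 8)  # e_lfanew
    if key is None:
        key = rich_checksum(dos, dans_off, entries)
    enc = b"".join(struct.pack("<I", v ^ key) for v in body)
    return bytes(dos) + enc + b"Rich" + struct.pack("<I", key) + b"PE\0\0"
```

Passing an explicit `key` to `build_sample` simulates a binary whose header was altered after the linker wrote it; the parser still recovers the entries but reports `checksum_ok` as False.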


Similar resources

BitShred: Fast, Scalable Malware Triage

The sheer volume of new malware found each day is enormous. Worse, current trends show the amount of malware is doubling each year. The large-scale volume has created a need for automated large-scale triage techniques. Typical triage tasks include clustering malware into families and finding the nearest neighbor to a given malware. In this paper we propose efficient techniques for large-scale ma...


Nurse-Physician Agreement on Triage Category: A Reliability Analysis of Emergency Severity Index

Background and Objectives: The Emergency Severity Index (ESI) triage is commonly used in clinical settings to determine the patients’ emergency severity. However, the reliability of this index is not sufficiently explored. The present study examines the inter-rater reliability of ESI by comparing triage ratings as performed by nurses and physicians. Methods: This prospective cross-sectional st...


HTTP header heuristics for malware detection

Sophisticated malware, such as those used by Advanced Persistent Threat (APT) groups, will attempt to avoid detection wherever and whenever it can. However, even the stealthiest malware will have to communicate at some point, and when it does so, it provides an opportunity for detection. This paper looks at a number of techniques to identify the presence of malware which attempts to masquer...


PE-Header-Based Malware Study and Detection

In this paper, I present a simple and faster approach to distinguish between malware and legitimate .exe files by simply looking at properties of the MS Windows Portable Executable (PE) headers. We extract distinguishing features from the PE headers using the structural information standardized by the Microsoft Windows operating system for executables. I use the following three methodologies: (1)...


The Effect of Smartphone-based Training of Triage on the Knowledge and Decision Making of Emergency Nurses

Background and Objectives: The rapid and accurate triage of patients is the key to success in patient care and to enable the identification of patients in need of emergency care. Therefore, this study was conducted to determine the effect of smart triage training on nurses' knowledge and decision making. Materials and Methods: This quasi-experimental study was conducted with a pre-test and pos...



Publication date: 2017