A project focused on automating the process of classifying malicious software found that many programs have similar ancestors but that the names assigned by security firms don't always highlight common code.
The project, pursued over the past few weeks by Sabre Security, used the company's reverse engineering tool to identify the functional components in more than 200 samples of malicious code. Using a clustering algorithm, the samples were classified into code families, forming two large clusters, three smaller ones and several pairs of siblings and outliers.
Of the two major families, the most distant relatives were 75 percent and 58 percent similar. If the latter cluster were divided, it could form two families that were at least 90 percent similar, Sabre found.
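The clustering described above, as an added example that is not Sabre's code: each sample is reduced to a set of functional-component fingerprints (constructed data, not Sabre's samples), similarity is Jaccard overlap (an assumption; the article does not say how Sabre's tool scores similarity), and complete-linkage agglomerative clustering merges samples into a family only while every pair in it stays above a threshold, so a family's "most distant relatives" figure is its minimum pairwise similarity. At a 50 percent threshold one family forms whose least similar members share about 54 percent of their components; at 90 percent it splits into two sibling pairs, the situation the article describes for Sabre's second cluster.

```python
from fractions import Fraction
from itertools import combinations

# Constructed data: each sample is a set of functional-component fingerprints
# (integers stand in for identified functions). Family B is built so that all
# members share at least ~54% of components but split into two ~90% sibling pairs.
SAMPLES = {
    "famA-1": set(range(0, 20)),
    "famA-2": set(range(0, 17)) | {60, 61, 62},
    "famA-3": set(range(0, 16)) | set(range(63, 67)),
    "famB-1": set(range(20, 40)),
    "famB-2": set(range(20, 39)) | {40},
    "famB-3": set(range(20, 34)) | set(range(50, 56)),
    "famB-4": set(range(20, 34)) | set(range(50, 55)) | {56},
    "outlier": set(range(70, 90)),
}

def jaccard(a, b):
    """Similarity as shared components over all components (assumption: Jaccard)."""
    return Fraction(len(a & b), len(a | b)) if a or b else Fraction(1)

def linkage(c1, c2, samples):
    """Complete linkage: two clusters are only as similar as their least similar pair."""
    return min(jaccard(samples[x], samples[y]) for x in c1 for y in c2)

def cluster_families(samples, threshold):
    """Agglomerative clustering: keep merging the closest pair of clusters while the
    merge keeps every member pair at least `threshold` similar."""
    clusters = [[name] for name in samples]
    while len(clusters) > 1:
        i, j = max(combinations(range(len(clusters)), 2),
                   key=lambda ij: linkage(clusters[ij[0]], clusters[ij[1]], samples))
        if linkage(clusters[i], clusters[j], samples) < threshold:
            break  # no remaining merge satisfies the threshold
        clusters[i].extend(clusters.pop(j))  # j > i, so index i stays valid
    return sorted(sorted(c) for c in clusters)

def most_distant_relatives(cluster, samples):
    """The figure the article reports per family: its minimum pairwise similarity."""
    if len(cluster) < 2:
        return Fraction(1)
    return min(jaccard(samples[x], samples[y]) for x, y in combinations(cluster, 2))

if __name__ == "__main__":
    for threshold in (Fraction(1, 2), Fraction(9, 10)):
        print(f"threshold {float(threshold):.0%}:")
        for fam in cluster_families(SAMPLES, threshold):
            print(f"  {fam}  most distant relatives: "
                  f"{float(most_distant_relatives(fam, SAMPLES)):.0%}")
```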
The analysis discovered that several threats identified by different names among antivirus vendors are, in fact, very similar, Halvar Flake, head of research and founder of Sabre Security, stated in comments on his blog. For example, Padobot and some variants of Korgo appear to be closely related, as do GoBot and Ghostbot. On the other hand, Sasser.B and Sasser.D are only 68 percent similar, according to Sabre's analysis.
Applying automated disassembly tools to malicious code classification could eventually prove a boon to consumers, if the approach can be used to standardize naming across security companies. The plethora of names for some high-profile viruses and malicious code has caused confusion in the past, though the Common Malware Enumeration project aims to assign IDs to a small number of threats to aid responders.
Posted by: Robert Lemos