Visible to the public Biblio

Filters: Author is Borowczak, Mike  [Clear All Filters]
2022-09-20
Cooley, Rafer, Cutshaw, Michael, Wolf, Shaya, Foster, Rita, Haile, Jed, Borowczak, Mike.  2021.  Comparing Ransomware using TLSH and @DisCo Analysis Frameworks. 2021 IEEE International Conference on Big Data (Big Data). :2084—2091.
Modern malware indicators utilized by the current top threat feeds are easily bypassed and generated through enigmatic methods, leading to a lack of detection capabilities for cyber defenders. Static hash-based algorithms such as MD5 or SHA generate indicators that are rendered obsolete by modifying a single byte of the source file. Conversely, fuzzy hash-based algorithms such as SSDEEP and TLSH are more robust to alterations of source information; however, these methods often utilize context boundaries that are hard to define or not based on meaningful information. In previous work, a custom binary analysis tool was created called @DisCo. In this study, four current ransomware campaigns were analyzed using TLSH fuzzy hashing and the @DisCo tool. While TLSH works on the binary level of the entire program, @DisCo works at an intermediate function level. The results from each analysis method were compared to provide validation between the two as well as introduce a narrative for using combinations of these types of methods for the creation of stronger indicators of compromise.