04/15/2023 1

The Similarity Evidence Explorer for Malware

A SCALABLE VISUALIZATION FOR COMPARING MALWARE

ATTRIBUTESRobert Gove

Senior Research Engineer, LABS | FAIRFAX, VA

Meet the Presenter

Robert Gove is a Senior Research Engineer at Invincea Labs. He is a data visualization expert who has recently worked on Cynomix, a web-based community malware triage tool. He has several years of experience designing and implementing novel visualizations to support analysts in answering complicated questions. Robert has a Master of Science in Computer Science from The University of Maryland where his thesis was on evaluating visualization tools for citation network exploration.

Malware Analysis Use Case

SITUATION:Major corporation hacked• Stack of malware to

analyze• Need to compare to other

malware

Scale Is Overwhelming

Need to Compare Malware

comparison 1%s Connected!/fetch.py\cmd.exe__getmainargs_controlfpadd “HKCU”advapi32.dllAllocConsoleAnalogCloseHandlecmd.exeCreatePipeDeleteFileAFileSizeInternetConnectInternetOpenInternetOpenUrlkernel32.dllread failedlstrlenA...

focal sample%s Connected!/fetch.py\cmd.exe__getmainargs_controlfpAccept:*/*add “HKCU”advapi32.dllAnalogCloseHandlecmd.exeCreatePipeDeleteFileAFileSizeInternetConnectInternetOpenInternetOpenUrlkernel32.dllread failedlstrcatA...

comparison 2/install__getmainargs__p__commode_controlfp_strnicmpadd “HKCU”advapi32Analogcd-romcheck serviceCloseServiceHandlecmdpath=CopyPathADeleteFileAInstall serviceHTTPQueryInfoInternetOpenInternetOpenUrlread failedlstrcatA...

comparison n/install__getmainargs__p__fmode_initterm_strcmpiAccept:*/*add “HKCU”advapi32tcpcmdpath=CopyFileAFileSizeInstall serviceHTTPQueryInfoInternetOpenInternetOpenUrlread failurelstrcatAmsvcrt.dllnet start...

…

Existing Malware Viz Tools

compare system calls[Trinius et al, 2009][Saxe et al, 2012]

individual malware[Conit et al, 2008][Quist and Lierbrock, 2009][Domas, 2012]

Similarity Evidence Explorer for Malware

Similarity Histogram

overview of similarity with focal sample

Venn Diagram List

Relationship Matrix

SEEM Demo

[ DEMO ]

try it yourself: www.cynomix.org

SEEM Conclusion

• Large-scale malware comparison–Comparison overviews with histograms–Detailed visualizations of comparisons

compare large group of malware across sets of strings, DLLs, and function

calls

Interested? www.cynomix.org

cynomix@invincea.comSupported by DARPA awardFA8750-10-C-0169 as part of Cyber Genome

Questions?

@Invincea@InvinceaLabs

@rpgove

Learn more about Invincea’s solutions or visit our website at www.invincea.comContact us at 1-855-511-5967