A Melbourne security researcher has released a free tool capable of identifying plagiarised software and tracking patterns of malware outbreaks.
The Simseer web service runs software binary-level similarity detection, displays visualisation of program relationships and places a score on the likelihood of plagiarism.
It also could be used to determine variants in malware samples.
“The visualisation component of the system renders an evolutionary tree,” creator Silvio Cesare told SC. “The closer the samples are in the tree, the more related they are.”
Simseer, one of a handful of tools created by the researcher, could expose software theft and could establish whether a malware outbreak had links to previous outbreaks.
Users upload a compressed archive of up to 10 Windows or Linux executables which would be assessed for similarities against given thresholds. Similarities could be determined across Linux and Windows platforms.
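A simplified illustration of the workflow described above, added here as an example and not Simseer's own code or Cesare's algorithm: byte 4-gram Jaccard similarity stands in for the real binary-level comparison, pairs at or above a user-supplied threshold are reported as variants, and single-linkage clustering builds a nested tree in which the most closely related samples merge first. The sample names and byte strings are constructed so the expected relationships are known in advance.

```python
from itertools import combinations

# Constructed stand-ins for uploaded executables: two "families", each a base
# sample plus a patched variant, so the expected relationships are known.
A1 = bytes(range(256))
A2 = A1[:100] + b"\x00" * 4 + A1[104:]      # a1 with a 4-byte patch
B1 = bytes(reversed(range(256)))
B2 = B1[:50] + b"\xff" * 16 + B1[66:]       # b1 with a 16-byte patch
SAMPLES = {"a1": A1, "a2": A2, "b1": B1, "b2": B2}

def shingles(data: bytes, n: int = 4) -> set:
    """Set of overlapping byte n-grams; a crude proxy for code features."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two shingle sets, in [0, 1]."""
    sa, sb = shingles(a), shingles(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)

def pairwise_scores(samples: dict) -> dict:
    """Score every unordered pair; keys are name pairs in sorted order."""
    return {(x, y): similarity(samples[x], samples[y])
            for x, y in combinations(sorted(samples), 2)}

def variant_pairs(scores: dict, threshold: float) -> list:
    """Pairs whose score meets the user-supplied threshold."""
    return sorted(pair for pair, s in scores.items() if s >= threshold)

def evolutionary_tree(samples: dict, scores: dict):
    """Single-linkage clustering: repeatedly merge the two clusters whose
    closest members score highest. Returns nested (left, right, score)
    tuples; the deeper a pair sits, the more related the samples are."""
    clusters = [(name, {name}) for name in sorted(samples)]
    while len(clusters) > 1:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            s = max(scores[tuple(sorted((x, y)))]
                    for x in clusters[i][1] for y in clusters[j][1])
            if best is None or s > best[0]:
                best = (s, i, j)
        s, i, j = best
        (ti, mi), (tj, mj) = clusters[i], clusters[j]
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)]
        clusters.append(((ti, tj, round(s, 2)), mi | mj))
    return clusters[0][0]

if __name__ == "__main__":
    scores = pairwise_scores(SAMPLES)
    print("variants:", variant_pairs(scores, 0.5))
    print("tree:", evolutionary_tree(SAMPLES, scores))
```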
Simseer will be outfitted with features that allow analysis of process dumps for the upcoming Ruxcon 2012 security conference.
“This will help analysts who have access to live systems and want to know more about the processes running on their machines.”
Malware binary analysis would perform automated unpacking via the Reboot emulator Cesare created as part of his Master's degree at Central Queensland University in 2008.
“This means it's fast. However, the sacrifice is that it can't unpack all samples.”
It was based on the Malwise malware analysis tool, another creation of the Deakin University PhD student. Malwise had successfully identified relationships between malicious software and produced higher detection rates than Cesare’s similar work conducted in 2010.
“For example, for the now old Frethem malware family, 144 pairs of samples were identified as variants in 2010. Now Simseer detects 226 pairs. This is a marked improvement, and without compromising speed,” Cesare said.
The average processing time was 0.84 seconds in tests of 15,000 malicious samples, while only 10 false positives were produced in tests of 10,000 malware samples and 1600 benign binaries.
“It's this efficiency and effectiveness that I believe makes Simseer a useful tool to analyse
Cesare had previously developed a method, Automated Static Unpacking Using Speculative Decompression, to help unwrap the obfuscation tricks coders use to hide malware.
The researcher will also release a new decompilation and data flow analysis system at the security event. Dubbed Bugwise, the tool was built on the shoulders of Malwise and detected software bugs and vulnerabilities in binaries.
In limited tests without access to source code, it had found a double free vulnerability in a Debian SGID (Set Group ID) binary, plus many environment variable-based buffer overflows in non-privileged programs.
Cesare will present more extensive test findings at the Breakpoint and Ruxcon events, along with a heavily revamped version of popular Linux vulnerability detector Clonewise.