Monday, 3 February 2014

VirusTotal += imphash

Recently Mandiant blogged about a feature they call imphash, in Mandiant's own words:
One unique way that Mandiant tracks specific threat groups' backdoors is to track portable executable (PE) imports. Imports are the functions that a piece of software (in this case, the backdoor) calls from other files (typically various DLLs that provide functionality to the Windows operating system). To track these imports, Mandiant creates a hash based on library/API names and their specific order within the executable. We refer to this convention as an "imphash" (for "import hash"). Because of the way a PE's import table is generated (and therefore how its imphash is calculated), we can use the imphash value to identify related malware samples. We can also use it to search for new, similar samples that the same threat group may have created and used.
We are excited to announce that VirusTotal reports for Portable Executables now show this hash in the additional information tab:


When considering an individual report, this property might not be very useful on its own, however, if you happen to have an API key with additional information privileges you will also find the hash embedded in the JSON response. This means you can massively feed your own local database setup with the imphash and implement your own similarity search feature for your malware collection.

VirusTotal Intelligence users can already perform searches through our dataset according to this new property.

No comments:

Post a Comment