Malware Lineage in the Wild

TL;DR

This paper introduces a novel malware lineage method that accurately identifies malware versions in the wild, even when samples are packed and polymorphic, enabling better understanding of malware evolution.

Contribution

It presents the first technique to identify malware versions and shared functions directly from in-the-wild samples, overcoming packing and polymorphism challenges.

Findings

Achieved 26x reduction from samples to versions on average.

Successfully applied to 10 malware families.

Evaluated on 13 open-source programs with high accuracy.

Abstract

Malware lineage studies the evolutionary relationships among malware and has important applications for malware analysis. A persistent limitation of prior malware lineage approaches is to consider every input sample a separate malware version. This is problematic since a majority of malware are packed and the packing process produces many polymorphic variants (i.e., executables with different file hash) of the same malware version. Thus, many samples correspond to the same malware version and it is challenging to identify distinct malware versions from polymorphic variants. This problem does not manifest in prior malware lineage approaches because they work on synthetic malware, malware that are not packed, or packed malware for which unpackers are available. In this work, we propose a novel malware lineage approach that works on malware samples collected in the wild. Given a set of malware executables from the same family, for which no source code is available and which may be packed, our approach produces a lineage graph where nodes are versions of the family and edges describe the relationships between versions. To enable our malware lineage approach, we propose the first technique to identify the versions of a malware family and a scalable code indexing technique for determining shared functions between any pair of input samples. We have evaluated the accuracy of our approach on 13 open-source programs and have applied it to produce lineage graphs for 10 popular malware families. Our malware lineage graphs achieve on average a 26 times reduction from number of input samples to number of versions.