
Malware News

Channel address: @malwr
Categories: Technologies
Language: English
Subscribers: 3.00K
Description from channel

The latest NEWS about malwares, DFIR, hacking, security issues, thoughts and ...
Partner channel: @cveNotify
Contact: @SirMalware

Ratings & Reviews

2.33 (3 reviews)

5 stars: 0
4 stars: 0
3 stars: 2
2 stars: 0
1 star: 1

Latest messages (93)

2021-03-24 16:17:07 VirusTotal Chi2
Hi all,

I'm currently teaching myself the basics of malware analysis for my final project at university and have been working on a script to automate some static analysis. In doing so I've been using the VT API and noticed some objects contain a Chi2 value. I think Chi2 is used to measure the difference in distribution of elements in a dataset, but I am unsure which distributions are being compared here? To be specific, I am referring to the Chi2 value referenced in the PEInfo Sections objects. I appreciate any help :)
Origin144

So I think there are two different uses of the chi squared approximation algorithm here. I'll talk about each of them separately.

For the case of VirusTotal, it looks like they're applying the chi-squared approximation algorithm to the entire file stream. The purpose of this calculation is similar to that of entropy, in that it should help you determine whether or not a file is packed, encrypted, encoded, or obfuscated. The calculation is a little bit different from entropy, so it may help some machine learning models to differentiate between various specific packing, encryption, encoding, or obfuscation techniques. I don't have an intuitive sense of what values of chi-squared are more or less indicative of malware like I do with entropy.

There was another research article that was posted a while back that used the chi squared approximation calculation to measure distance between the expected PE header fields of legitimate files to the file that's currently being looked at. The assumption being that the further the distance between the two data sets, as represented by the chi squared approximation value, the more likely the file is to be malicious.

From a machine learning perspective, the chi squared approximation almost seems to be a way of doing data compression on the initial feature set. As opposed to having a separate feature for each PE header field in the machine learning model, the features are compressed into a single chi squared approximation calculation and that's what's fed into the model. The purpose of doing that would be to reduce the total number of calculations, and thus time, required to classify an individual file. For real time malware detection, extremely short analysis times are required.

Link: https://link.springer.com/chapter/10.1007/978-3-319-19578-034
*FusionCarcass*

[https://developers.virustotal.com/v3.0/reference#dot_net_assembly](https://developers.virustotal.com/v3.0/reference#dotnetassembly)

> chi2: <float> chi-squared test value of stream data.
eclairum115


@malwr · 113 views · 13:17
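The thread above describes the chi-squared value as an entropy-like indicator of packed, encrypted or otherwise obfuscated data, without spelling out the reference distribution. The following is an added example, not code from the thread or from VirusTotal: it computes Shannon entropy and a chi-squared statistic for a byte stream against a uniform expectation (n/256 per byte value, 255 degrees of freedom), and runs both on two constructed samples. The choice of a uniform reference distribution is an assumption; the VT docs quoted above only say "chi-squared test value of stream data".

```python
import math
import random


def byte_histogram(data: bytes) -> list:
    """Count of each byte value 0..255 in the stream."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant stream, 8.0 for uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in byte_histogram(data) if c)


def chi2_uniform(data: bytes) -> float:
    """Chi-squared statistic of the byte histogram against a uniform expectation.

    Expected count per byte value is n/256, so the statistic has 255 degrees of
    freedom and a truly random stream scores roughly 255 (sd about 22.6).
    Assumption: a uniform reference is what the VT 'chi2' field compares
    against; the documentation does not state the reference distribution.
    """
    n = len(data)
    if n == 0:
        return 0.0
    expected = n / 256.0
    return sum((c - expected) ** 2 / expected for c in byte_histogram(data))


def byte_stats(data: bytes) -> dict:
    """Both indicators side by side, as a PE-section analysis script might record them."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "chi2": chi2_uniform(data),
    }


# Constructed samples (not real files): a text-like stream with few distinct
# byte values, and a pseudo-random stream from a fixed seed standing in for
# encrypted or compressed section data.
PLAIN_TEXT = (b"This program cannot be run in DOS mode. " * 2048)[:65536]
_rng = random.Random(1234)
RANDOM_BYTES = bytes(_rng.getrandbits(8) for _ in range(65536))

if __name__ == "__main__":
    for name, blob in (("text-like", PLAIN_TEXT), ("random-like", RANDOM_BYTES)):
        s = byte_stats(blob)
        print(f"{name:12s} size={s['size']:6d} "
              f"entropy={s['entropy']:.3f} chi2={s['chi2']:.1f}")
```

The two numbers move in opposite directions: the text-like stream has low entropy and a very large chi-squared value (most of the 256 buckets are empty, each contributing its full expected count to the sum), while the random-like stream sits near 8 bits per byte with a chi-squared value close to the 255 degrees of freedom. A stream that is encoded rather than encrypted (base64, for instance) lands between the two, which is the kind of separation the thread suggests a model can exploit beyond entropy alone.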
2021-03-24 16:16:15 Cuckoo Sandbox with Docker
Hello guys,

I want to ask if anyone has used cuckoo sandbox in Docker container? I've checked some github repos but cannot find something useful.
serhattsnmz

Just use pip in python
gbdavidx

I've had difficulty getting it working in the past. Dunno if capev2 or panda.re have docker options (panda.re is qemu based so I doubt they do, possibly capev2)
3lpsy

That’s the reason I used cuckoo.cert.ee
Kantry123


@malwr · 116 views · 13:16
2021-03-24 14:06:15 How To Find Start Of Actor Code (WinMain) In Malware
AGDCservices


@malwr · 267 views · 11:06
2021-03-24 14:05:22 IDA Pro 7.6 released
KindOne

The pricing has always confused me - Yes, it's definitely worth that much, but I'd have to make at least the price of this software purely by what the program offers, and that will never be the case for anything I can imagine.

Not to even mention that there is an educational license, but they don't give it to students, that there is a home license which doesn't include the literal reason people use IDA over Ghidra, etc.

I really wonder if dropping a zero on those prices and getting a few thousand new customers would be so terrible.
LeeHide

The situation is still as pathetic as ever for non-commercial users. Cloud-based decompilers are a step backward into the always-online DRM of the 2000s. IDA Home feels less like a legitimate attempt to enter the hobbyist market than an excuse for Ilfak to keep whining when people keep pirating the pro version. "They could have used IDA Home instead!"... yeah, maybe if it wasn't crippleware.
Immediate_Sun_7906


@malwr · 115 views · edited · 11:05
2021-03-24 14:04:57 Fuzzing Java code using Jazzer fuzzer (Youtube/Tutorial)
pat_ventuzelo


@malwr · 113 views · 11:04
2021-03-24 14:04:34 Audit Node Module folder with YARA rules
geeganage


@malwr · 108 views · 11:04
2021-03-24 12:45:48 Trapdoor - A serverless HTTP honeypot/honeytoken
Available in the AWS Serverless Application Repository, Trapdoor is an open-source honeytoken platform with alerting, client fingerprinting and history tracking.

Github: [https://github.com/3CORESec/Trapdoor](https://github.com/3CORESec/Trapdoor)
Blog: https://blog.3coresec.com/2021/03/trapdoor-serverless-http-honeypot.html

I would love feedback from the community in case someone wants to chat about it.
0x229


@malwr · 134 views · 09:45
2021-03-24 12:42:03 Black Kingdom ransomware begins appearing on Exchange servers
c0r3dump3d


@malwr · 133 views · 09:42
2021-03-14 21:39:13 Scan the whole internet while drinking coffee
cmpxchg16


@malwr · 89 views · 18:39
2021-03-14 20:54:56 Exchange ProxyLogon SSRF RCE Vuln POC Mordor data set to validate detections etc.
digicat


@malwr · 95 views · 17:54