I know that traditionally a malware signature is a pattern of bytes in a program. While reading Joxean Koret and Elias Bachaalany's "Antivirus Hacker's Handbook" I saw that the authors categorized the use of call-graphs and flow-graphs in malware detection as forms of signature-based detection.

Is it accepted that call-graphs and flow-graphs could be considered signatures? If so, then what is the general definition of a malware signature?

chillsauce
  • signature could be anything that might uniquely identify a malware. – yeah_well Sep 04 '19 at 18:17
  • I'm writing an essay on this topic. Is there a good source I can cite for this definition? – chillsauce Sep 04 '19 at 18:33
  • Refer: 'www.emis.de/journals/IJOPCM/files/IJOPCM%28vol.1.2.3.S.08%29.pdf' – nocut Sep 04 '19 at 18:44
  • @nocut This appears to be a good paper, but that definition of signature is not in it. – chillsauce Sep 04 '19 at 18:51
  • The duplicate is as close as you are going to get. The term has no formal definition, but it is far more than a byte string, in general, although you can find evidence of some AV vendors saying that a signature is a byte pattern. – schroeder Sep 04 '19 at 18:55

1 Answer

It is not necessary that a pattern of bytes in the code of malware represents the signature.

A signature, in general, helps us identify the malware uniquely based on its characteristics. Below are the characteristics that go into consideration while defining a signature for the malware.

  • Network Based: This includes comparison of network traffic with known IOCs (IPs) that are categorized as Command and Control servers controlling the botnet (infected hosts). e.g. Trojans, APT
  • Host Based: This checks for port scans over the network to increase the foothold by infecting other hosts. e.g. Worm
  • Application Based: This checks for the presence of strings in a program that can perform privilege escalation, cause OS corruption, or import critical DLLs that are in general not required. e.g. virus

There is also heuristic detection, which is used to define the signature of a malware.

Based on the above detection methods, if any of these symptoms are seen in the malware, it is categorized under that major signature type, like Worm, Trojan, Heuristic, etc.

nocut
  • Thanks for your answer! Is there a good source I can cite for this definition? I need one because I am writing an essay on the topic. – chillsauce Sep 04 '19 at 18:44
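The question asks whether a call-graph or flow-graph can serve as a signature, and the answer above says a signature need not be a byte pattern. The following is an added example, not code from the question, the answer or the book, that contrasts a byte-pattern signature with a structural flow-graph signature; the control-flow graphs, the machine-code bytes and the hashing scheme are all constructed for illustration and assume nothing about any real scanner.

```python
import hashlib
from collections import Counter

# Constructed sample CFGs (not real malware): block -> (machine code bytes, successor blocks).
# SAMPLE_A and SAMPLE_B are the same routine built twice with a different register and
# loop bound, so their bytes differ while their flow structure is identical.
SAMPLE_A = {
    "entry": (b"\x55\x48\x89\xe5\x83\xf8\x00", ["loop", "exit"]),
    "loop":  (b"\x48\xff\xc0\x83\xf8\x0a\x75\xf8", ["loop", "exit"]),
    "exit":  (b"\x5d\xc3", []),
}
SAMPLE_B = {
    "b0": (b"\x55\x48\x89\xe5\x83\xfb\x00", ["b1", "b2"]),
    "b1": (b"\x48\xff\xc3\x83\xfb\x14\x75\xf8", ["b1", "b2"]),
    "b2": (b"\x5d\xc3", []),
}
BENIGN = {  # one branch, no loop: a different shape
    "a": (b"\x55\x48\x89\xe5\x85\xc0", ["b", "c"]),
    "b": (b"\xb8\x01\x00\x00\x00", ["c"]),
    "c": (b"\x5d\xc3", []),
}

# Classic byte signature: the compare-and-branch fragment taken from SAMPLE_A's loop block.
BYTE_SIGNATURE = b"\x83\xf8\x0a\x75"

def byte_match(cfg, pattern):
    """Traditional signature: does any block contain the byte pattern?"""
    return any(pattern in code for code, _ in cfg.values())

def flow_signature(cfg, rounds=3):
    """Structural signature: a hash of the flow graph's shape, independent of
    block names, registers and immediates (Weisfeiler-Lehman style relabelling)."""
    indeg = Counter(s for _, succ in cfg.values() for s in succ)
    labels = {b: f"{indeg[b]}:{len(succ)}" for b, (_, succ) in cfg.items()}
    for _ in range(rounds):  # fold each block's successor labels into its own label
        labels = {
            b: hashlib.sha256(
                (labels[b] + "|" + ",".join(sorted(labels[s] for s in succ))).encode()
            ).hexdigest()[:16]
            for b, (_, succ) in cfg.items()
        }
    return hashlib.sha256(",".join(sorted(labels.values())).encode()).hexdigest()

def classify(cfg, known_flow_sigs, byte_pattern=BYTE_SIGNATURE):
    """Report which kind of signature, if any, flags this function."""
    return {"byte_hit": byte_match(cfg, byte_pattern),
            "flow_hit": flow_signature(cfg) in known_flow_sigs}
```

Extracting `flow_signature(SAMPLE_A)` as the known signature flags SAMPLE_B, which the byte pattern misses, while BENIGN matches neither; the trade-off is that a coarse graph hash can also collide on unrelated code with the same shape, so such signatures are usually combined with other characteristics.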