lazarusholic

Everyday is lazarus.dayβ

A Better Way, YARA-X, Mach-O Feature Extraction, and Malware Similarity

2024-12-06, Proofpoint
https://www.youtube.com/watch?v=kXrGvOfasps
#Youtube #AppleJeus #BlueNoroff #TraderTraitor #YARA

Talk Description:
macOS malware analysis is an exciting space, but most blogs on the subject deal with functionality and capability, rather than how to find more similar samples. Analysts are forced to rely on string searching, based on disassembler output or a strings dump; comparatively, executables for Windows have “easy” pivots such as import hashing or rich header artifacts, to find additional samples without much effort.
This talk will explore the initial ideation of developing Mach-O similarity methods, challenges of analysis, and how we engineered these features into YARA-X. To accomplish this, we had to build a Mach-O parser from scratch in Rust to operate at the core of YARA-X. The open-source contributions to YARA-X and the Mach-O module are pivotal, as these features allow any analyst to explore Mach-O similarities in-depth. This talk will introduce some of those easy pivots for Mach-O files, using APT Mach-O families to highlight each feature.

Speakers' …