Researchers create automated signature compiler for exploit detection

Status
Not open for further replies.

Petrovic
Thread author
Apr 25, 2013
A trio of researchers from Microsoft and the University of Erlangen-Nuremberg have created Kizzle, a compiler for generating signatures for detecting exploit kits delivering JavaScript to browsers.

The problem of creating accurate malware and exploit signatures fast is an old one, and this new tool is apparently able to do it within hours of their discovery. What's more, Kizzle does it automatically, and these automatically created signatures are even better than hand-written ones, the researchers found.

"Our approach will reduce the imbalance between the attacker who often only needs to make cosmetic changes to their malware to thwart detection, and the defender, whose role requires much manual effort," they noted in their paper.

By analyzing code found in exploit kits, the researchers noted that while the actual JavaScript delivered by kits varies greatly, the code - after being sufficiently unpacked and deobfuscated - shows much less variety.

The fact that exploit kit authors often reuse much of the code from old kit versions in newer versions allows Kizzle to quickly respond to superficial but frequent changes in exploit kits.

"At the heart of Kizzle is a malware clustering approach that matches new malware clusters with previously-recognized malicious clusters by understanding the process of malware unpacking," they explained. These clusters are the basis on which Kizzle creates AV signatures.

The tool is designed to run in the cloud, and is capable of analyzing large volumes of streaming data. Also, to be clear, Kizzle focuses on making signatures for exploit kits only.

However promising their results seem to be, the researchers added that their work and additional testing has just begun, that their current results are limited, and that there are a number of issues to be solved and parameter values to be adjusted.
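As an illustration of the unpack-then-cluster idea the post describes (normalize away the cosmetic changes, group what is left, derive a signature from the group), here is a constructed toy example. It is added here and is not Kizzle's code; the JavaScript samples are made up rather than taken from any exploit kit. It tokenizes each sample, canonicalizes the parts an attacker changes cheaply (identifier names, split string literals, hex versus decimal numbers, comments, whitespace), clusters samples by Jaccard similarity over token 3-grams, and emits the 3-grams shared by every member of a cluster as that cluster's signature. The function names, the 0.7 clustering threshold and the 0.8 match coverage are this example's own choices.

```python
"""Toy unpack-then-cluster signature generator (constructed example, not Kizzle)."""
import re

# Tokenizer for a JavaScript subset: comments, strings, numbers, identifiers, punctuation.
TOKEN_RE = re.compile(
    r'(?P<comment>/\*.*?\*/|//[^\n]*)'
    r'|(?P<string>"(?:[^"\\]|\\.)*"' r"|'(?:[^'\\]|\\.)*')"
    r'|(?P<number>0[xX][0-9a-fA-F]+|\d+)'
    r'|(?P<ident>[A-Za-z_$][\w$]*)'
    r'|(?P<punct>[^\s\w$])',
    re.S,
)

# Keywords and host objects that carry meaning and must not be renamed.
KEEP = {
    "var", "new", "try", "catch", "if", "else", "function", "return", "for", "while",
    "this", "typeof", "null", "true", "false", "undefined", "document", "window",
    "navigator", "eval", "unescape", "String", "ActiveXObject", "Math", "Array",
}


def normalize(src):
    """Drop comments, fold 'a'+'b' into 'ab', canonicalize numbers, rename local identifiers."""
    out, names, prev = [], {}, None
    for m in TOKEN_RE.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "string":
            tok = "STR:" + text[1:-1]          # quote style no longer matters
        elif kind == "number":
            tok = "NUM:%d" % (int(text, 16) if text.lower().startswith("0x") else int(text))
        elif kind == "ident" and text not in KEEP and prev != ".":
            tok = names.setdefault(text, "ID%d" % len(names))  # first-seen order
        else:
            tok = text                          # keyword, property name or punctuation
        out.append(tok)
        prev = text
    folded = []                                 # constant-fold string concatenation
    for tok in out:
        if tok.startswith("STR:") and len(folded) >= 2 and folded[-1] == "+" \
                and folded[-2].startswith("STR:"):
            folded[-2] += tok[4:]
            folded.pop()
        else:
            folded.append(tok)
    return folded


def shingles(tokens, n=3):
    """Set of token n-grams; order-sensitive but tolerant of local edits."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0


def cluster(samples, threshold=0.7):
    """Greedy clustering: join the first cluster whose representative is similar enough."""
    clusters = []
    for src in samples:
        sh = shingles(normalize(src))
        for members in clusters:
            if jaccard(sh, shingles(normalize(members[0]))) >= threshold:
                members.append(src)
                break
        else:
            clusters.append([src])
    return clusters


def make_signature(members):
    """Signature = n-grams present in every member of the cluster."""
    return set.intersection(*(shingles(normalize(m)) for m in members))


def matches(signature, src, min_coverage=0.8):
    """A sample matches when it contains most of the signature's n-grams."""
    return len(signature & shingles(normalize(src))) / len(signature) >= min_coverage


# Constructed samples (hypothetical; not real kit code). Variants 1-3 differ only cosmetically.
VARIANT_1 = """
var p = document.createElement("object");
var s = "ShockwaveFlash.ShockwaveFlash";
try { var o = new ActiveXObject(s); } catch (e) { o = null; }
if (o) { p.setAttribute("src", "/f/" + 0x1234 + ".swf"); document.body.appendChild(p); }
"""
VARIANT_2 = """var x7=document.createElement("obj"+"ect");var k9='Shockwave'+'Flash.Shockwave'+'Flash';
try{var obj=new ActiveXObject(k9);}catch(err){obj=null;}
if(obj){x7.setAttribute('src','/f/'+4660+'.swf');document.body.appendChild(x7);}"""
VARIANT_3 = """/* kit v2 landing */
var a1=document.createElement("object"); // container
var b2="ShockwaveFlash.ShockwaveFlash";
try{var c3=new ActiveXObject(b2);}catch(d4){c3=null;}
if(c3){a1.setAttribute("src","/f/"+0x1234+".swf");document.body.appendChild(a1);}"""
# A later revision: renamed again and one real change (the path), as a new kit version might do.
NEW_VARIANT = """var q=document.createElement("object");var w="ShockwaveFlash.ShockwaveFlash";
try{var r=new ActiveXObject(w);}catch(z){r=null;}
if(r){q.setAttribute("src","/g/"+4660+".swf");document.body.appendChild(q);}"""
BENIGN = """function add(a, b) { return a + b; }
var total = add(2, 3);
document.getElementById("out").innerText = total;"""

if __name__ == "__main__":
    groups = cluster([VARIANT_1, VARIANT_2, VARIANT_3, BENIGN])
    print("clusters:", [len(g) for g in groups])
    sig = make_signature(groups[0])
    print("signature size:", len(sig))
    print("new variant matches:", matches(sig, NEW_VARIANT))
    print("benign matches:", matches(sig, BENIGN))
```

The signature survives the new variant because only the three 3-grams that touch the changed path string are lost; a hand-written regex keyed on the original identifier names or on the hex constant would have missed it. The toy leaves out what the paper says is the hard part: driving the real unpacking (eval layers, string decoders) to reach the stable code underneath.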