- Jul 27, 2015
Internet of Things (IoT) malware researchers know the struggle of pivoting from one malware sample to related ones. IoT samples are tricky to handle and categorize because the same malware is usually compiled for several architectures (ARM, MIPS, x86 and others), so every build has a different file hash even though the code and behaviour are the same. On top of that, there are few tools and techniques for investigating these files.
To help IoT and Linux malware researchers in general investigate attacks involving Executable and Linkable Format (ELF) files, we created Trend Micro ELF Hash (aka telfhash). Telfhash is an open-source clustering algorithm for Linux IoT malware samples. Simply put, it is the ELF counterpart of import hashing (aka ImpHash) for Windows PE files: it hashes the symbols an ELF file references rather than the bytes of the file, so builds that share code can be grouped regardless of architecture. There are crucial differences from a plain symbol-table hash, however: telfhash feeds the symbol list into the TLSH fuzzy hash, so samples whose symbol lists differ slightly receive similar rather than unrelated hashes.
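To make the ImpHash analogy concrete, here is an added example in Python; it is not telfhash's own code and not part of the original post. It constructs a few minimal ELF64 files that carry only a `.dynsym` table, extracts their imported symbol names, and clusters them with an exact, ImpHash-style digest over the sorted names. The file names, import lists and helper functions (`build_elf`, `imported_symbols`, `symbol_hash`, `cluster`) are hypothetical. The run shows what a symbol hash buys you (two builds with identical imports but different bytes, hence different file hashes, land in one cluster) and where an exact digest stops (a variant with one extra import lands in its own cluster), which is the gap telfhash closes by using the TLSH fuzzy hash instead of an exact one.

```python
import hashlib
import struct

# ELF constants used below (values from the ELF specification)
SHT_STRTAB, SHT_DYNSYM, SHN_UNDEF = 3, 11, 0
EM_X86_64, EM_AARCH64 = 62, 183
ELF_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr
SEC_HDR = "<IIQQQQIIQQ"          # Elf64_Shdr
SYM_ENT = "<IBBHQQ"              # Elf64_Sym


def build_elf(symbol_names, machine=EM_X86_64):
    """Construct a minimal little-endian ELF64 shared object whose .dynsym
    lists every name as an undefined (imported) global function.
    Constructed test input: it has no code or segments and does not run."""
    dynstr, offsets = b"\0", []
    for name in symbol_names:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynsym = struct.pack(SYM_ENT, 0, 0, 0, 0, 0, 0)            # mandatory null symbol
    for off in offsets:                                         # STB_GLOBAL (1) | STT_FUNC (2)
        dynsym += struct.pack(SYM_ENT, off, (1 << 4) | 2, 0, SHN_UNDEF, 0, 0)
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"              # name offsets 1, 9, 17
    off_sym = 64
    off_str = off_sym + len(dynsym)
    off_shs = off_str + len(dynstr)
    shoff = off_shs + len(shstrtab)
    shoff += (-shoff) % 8                                       # align the section header table
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9                  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    header = struct.pack(ELF_HDR, ident, 3, machine, 1, 0, 0, shoff, 0,
                         64, 0, 0, 64, 4, 3)                    # ET_DYN, 4 sections, shstrndx = 3

    def shdr(name, typ, off, size, link, entsize):
        return struct.pack(SEC_HDR, name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_DYNSYM, off_sym, len(dynsym), 2, 24)  # sh_link -> .dynstr (index 2)
             + shdr(9, SHT_STRTAB, off_str, len(dynstr), 0, 0)
             + shdr(17, SHT_STRTAB, off_shs, len(shstrtab), 0, 0))
    body = header + dynsym + dynstr + shstrtab
    return body + b"\0" * (shoff - len(body)) + shdrs


def imported_symbols(data):
    """Names of undefined symbols in .dynsym, in table order.
    Handles little-endian ELF64 only; many IoT builds are ELF32 or big-endian."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    shoff = struct.unpack_from("<Q", data, 40)[0]               # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 58)      # e_shentsize, e_shnum
    sections = [struct.unpack_from(SEC_HDR, data, shoff + i * shentsize) for i in range(shnum)]
    names = []
    for sec in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sec[1], sec[4], sec[5], sec[6], sec[9]
        if sh_type != SHT_DYNSYM:
            continue
        str_off, str_size = sections[sh_link][4], sections[sh_link][5]
        for i in range(1, sh_size // sh_entsize):               # skip the null symbol
            st_name, _info, _other, st_shndx = struct.unpack_from("<IBBH", data, sh_offset + i * sh_entsize)
            if st_shndx != SHN_UNDEF or st_name >= str_size:
                continue                                        # defined symbol, or bad string offset
            start = str_off + st_name
            names.append(data[start:data.index(b"\0", start)].decode())
    return names


def symbol_hash(data):
    """ImpHash-style exact digest: MD5 of the sorted, de-duplicated import names.
    Link order and architecture do not matter, but one added import changes everything."""
    return hashlib.md5(",".join(sorted(set(imported_symbols(data)))).encode()).hexdigest()


def file_hash(data):
    """Plain MD5 of the whole file, for contrast: differs between every build."""
    return hashlib.md5(data).hexdigest()


def cluster(samples):
    """Group {filename: bytes} by symbol_hash -> {hash: [filenames]}."""
    groups = {}
    for name, data in samples.items():
        groups.setdefault(symbol_hash(data), []).append(name)
    return groups


# Constructed samples (hypothetical names and import lists)
SAMPLES = {
    "bot_x86_64.elf": build_elf(["socket", "connect", "send", "recv", "fork", "execve"], EM_X86_64),
    "bot_aarch64.elf": build_elf(["execve", "fork", "recv", "send", "connect", "socket"], EM_AARCH64),
    "bot_v2_x86_64.elf": build_elf(["socket", "connect", "send", "recv", "fork", "execve", "ptrace"]),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, file_hash(data), symbol_hash(data))
    for h, files in cluster(SAMPLES).items():
        print(h, files)
```

The two first samples differ in `e_machine` and in the order their symbol tables were emitted, so their file hashes differ while their symbol hashes match; the third shares six of seven imports but gets an unrelated digest. A fuzzy hash over the same symbol list would score the third as near the first two, which is the behaviour telfhash provides and this exact digest does not.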
Because it works on ELF files, telfhash is useful for IoT research and beyond: the same clustering algorithm applies to any Linux-related malware research, such as the analysis of attacks involving Docker containers, Windows Subsystem for Linux (WSL), cryptominers, rootkits and more. It is especially helpful where variants of a malware family become cross-platform threats.
Trend Micro ELF Hash (aka telfhash) is now officially supported on VirusTotal! Here's a guide on how malware researchers can use this clustering algorithm to pivot from one malware sample to another.