Mandiant, Inc.
Determining malware via symbolic function hash analysis

Abstract:

A device for classifying malware including a processor, and a storage device storing a plurality of previously classified symfunc hash values and malware detection logic which attempts to classify malicious code by utilizing binary disassembler logic processed by the processor. Binary disassembler logic can be configured to receive a suspicious binary object and disassemble the binary object into disassembled code data, while symbolic analyzer logic can be configured to receive the disassembled code data and generate symbolic representation data. Generation logic can be configured to receive the symbolic representation data and generate at least one symfunc hash value based on the symbolic representation data. Finally, classification logic can be configured to receive at least one symfunc hash value, compare the symfunc hash value against previously classified symfunc hash values, and determine if the binary object comprises malicious code based on the associated symfunc hash value. The reporting logic can issue an alert reporting the malicious code or initiate the execution of a pre-determined action.