Title of invention: Systems and methods for identifying malware
Abstract: A computer-implemented method for identifying malware may include (1) determining, for multiple commands within bytecode associated with a malware program, whether each command constitutes an invocation command, (2) filtering, based on the determination, invocation commands from the bytecode, (3) adding, for each invocation command filtered from the bytecode, an opcode, a format code, and a function prototype to a collection of opcodes, format codes, and function prototypes, (4) generating a digital fingerprint of the collection including the opcode, the format code, and the function prototype for each invocation command filtered from the bytecode, and (5) performing, by a computer security system, a remedial action to protect a user in response to detecting the presence of a variant of the malware program by determining that the digital fingerprint matches a candidate instance of bytecode under evaluation. Various other methods, systems, and computer-readable media are also disclosed.
Publication number: US9519780(B1)    Publication date: 2016.12.13
Application number: US201414570393    Filing date: 2014.12.15
Applicant: Symantec Corporation    Inventor: Dong Jiang
Classification: G06F21/56; H04L29/06    Main classification: G06F21/56
Agency: FisherBroyles LLC    Agent: FisherBroyles LLC
Main claim: 1. A computer-implemented method for identifying malware, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: determining, for multiple commands within bytecode associated with a malware program, whether each command constitutes an invocation command; filtering, based on the determination, invocation commands from the bytecode; adding, for each invocation command filtered from the bytecode, a concatenation comprising an opcode, a format code, and a function prototype to a collection of concatenations comprising opcodes, format codes, and function prototypes; generating at least two digital fingerprints based on the collection of the concatenations comprising the opcode, the format code, and the function prototype for each invocation command filtered from the bytecode, the at least two digital fingerprints comprising at least two of: a digital fingerprint of the collection after executing an ordering algorithm on the collection; a digital fingerprint of the collection without executing the ordering algorithm; a digital fingerprint of a prefix of the collection; and a digital fingerprint of a suffix of the collection; and performing, by a computer security system, a remedial action to protect a user in response to detecting the presence of a variant of the malware program by determining that a candidate instance of bytecode under evaluation matches at least one of the at least two generated digital fingerprints.
Address: Mountain View CA US
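The abstract and claim 1 describe a fingerprinting pipeline: keep only invocation commands, record opcode|format code|function prototype for each, and hash that collection in up to four ways (sorted, in program order, prefix only, suffix only) so that a variant which merely reorders or pads its calls still matches at least one fingerprint. The following Python is an added illustration written for this page; it is not the patent's or Symantec's code. The instruction model, the set of opcodes treated as invocations, the prefix/suffix lengths, the use of SHA-256, and every sample instruction and method descriptor below are constructed assumptions chosen to make the four fingerprints behave differently.

```python
import hashlib
from dataclasses import dataclass


# Constructed, simplified instruction model (an assumption, not the patent's
# representation): each command carries an opcode mnemonic, a format code and
# one operand string. For invocation commands the operand is the callee's
# function prototype; for other commands it is register/literal text that the
# fingerprint ignores.
@dataclass(frozen=True)
class Instruction:
    opcode: str
    fmt: str
    operand: str


# Hypothetical set of opcodes treated as invocation commands.
INVOKE_OPCODES = {"invoke-virtual", "invoke-static", "invoke-direct",
                  "invoke-interface", "invoke-super"}


def is_invocation(ins: Instruction) -> bool:
    """Step (1): decide whether a command constitutes an invocation command."""
    return ins.opcode in INVOKE_OPCODES


def invocation_collection(bytecode):
    """Steps (2)-(3): filter invocation commands and record, for each, the
    concatenation opcode|format code|function prototype in program order."""
    return [f"{i.opcode}|{i.fmt}|{i.operand}" for i in bytecode if is_invocation(i)]


def _digest(items) -> str:
    # SHA-256 over the newline-joined concatenations; any stable hash would do.
    return hashlib.sha256("\n".join(items).encode("utf-8")).hexdigest()


def fingerprints(bytecode, prefix_len: int = 3, suffix_len: int = 3):
    """Step (4): the four fingerprint kinds named in claim 1.
    'ordered' hashes the collection after sorting (call order irrelevant),
    'unordered' hashes it in program order, 'prefix'/'suffix' hash only the
    first or last few invocations."""
    coll = invocation_collection(bytecode)
    return {
        "ordered": _digest(sorted(coll)),
        "unordered": _digest(coll),
        "prefix": _digest(coll[:prefix_len]),
        "suffix": _digest(coll[-suffix_len:]),
    }


def matching_fingerprints(known, candidate_bytecode):
    """Step (5): the names of the known fingerprints the candidate matches."""
    cand = fingerprints(candidate_bytecode)
    return {name for name, digest in known.items() if cand.get(name) == digest}


def is_variant(known, candidate_bytecode) -> bool:
    """Per the claim, a match on any one generated fingerprint flags the sample."""
    return bool(matching_fingerprints(known, candidate_bytecode))


# Constructed sample bytecode. Prototypes are invented descriptors, not taken
# from any real program; non-invocation commands are present only as noise.
_A = Instruction("invoke-static", "35c", "Lexample/Net;->connect(Ljava/lang/String;)V")
_B = Instruction("invoke-virtual", "35c", "Lexample/Contacts;->readAll()Ljava/util/List;")
_C = Instruction("invoke-virtual", "35c", "Lexample/Msg;->send(Ljava/lang/String;)Z")
_D = Instruction("invoke-direct", "35c", "Lexample/Crypt;->xor([B)[B")

KNOWN_MALWARE = [
    Instruction("const-string", "21c", "v0, \"endpoint\""),
    _A, _B,
    Instruction("move-result-object", "11x", "v1"),
    _C, _D,
]

# Same four calls, two of them swapped: only the sorted fingerprint survives.
REORDERED_VARIANT = [_A, _C, Instruction("nop", "10x", ""), _B, _D]

# Same calls in the same order, padded with junk: every fingerprint survives.
PADDED_VARIANT = [Instruction("nop", "10x", ""), _A, Instruction("const/4", "11n", "v2, 0"),
                  _B, _C, Instruction("nop", "10x", ""), _D]

# Unrelated calls: nothing matches.
BENIGN = [
    Instruction("invoke-virtual", "35c", "Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;"),
    Instruction("invoke-virtual", "35c", "Ljava/lang/StringBuilder;->toString()Ljava/lang/String;"),
]


if __name__ == "__main__":
    known = fingerprints(KNOWN_MALWARE)
    for label, sample in [("reordered", REORDERED_VARIANT), ("padded", PADDED_VARIANT), ("benign", BENIGN)]:
        print(label, sorted(matching_fingerprints(known, sample)), is_variant(known, sample))
```

The reordered variant shows why the claim generates more than one fingerprint: the program-order, prefix and suffix hashes all change when two calls swap places, while the sorted collection is unchanged. A detection built on this should treat a match on the sorted fingerprint alone as weaker evidence than a match on several, since any program sharing the same set of invoked prototypes, regardless of order, would also match it.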