• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Open source

Smart Whitelisting Using Locality Sensitive Hashing
  • Posted on:March 30, 2017 at 3:12 am
  • Posted in:Malware, Open source
  • Author:
    Trend Micro
0

Locality Sensitive Hashing (LSH) is an algorithm known for enabling scalable, approximate nearest neighbor search of objects. LSH enables a precomputation of a hash that can be quickly compared with another hash to ascertain their similarity. A practical application of LSH would be to employ it to optimize data processing and analysis. An example is transportation company Uber, which implemented LSH in the infrastructure that handles much of its data to identify trips with overlapping routes and reduce inconsistencies in GPS data. Trend Micro has been actively researching and publishing reports in this field since 2009. In 2013, we open sourced an implementation of LSH suitable for security solutions: Trend Micro Locality Sensitive Hashing (TLSH).

TLSH is an approach to LSH, a kind of fuzzy hashing that can be employed in machine learning extensions of whitelisting. TLSH can generate hash values which can then be analyzed for similarities. TLSH helps determine if the file is safe to be run on the system based on its similarity to known, legitimate files. Thousands of hashes of different versions of a single application, for instance, can be sorted through and streamlined for comparison and further analysis. Metadata, such as certificates, can then be utilized to confirm if the file is legitimate.

Read More
Tags: Fuzzy HashingLocality Sensitive HashingSimilarity Digestwhitelisting

How Stampado Ransomware Analysis Led To Yara Improvements
  • Posted on:October 3, 2016 at 8:05 am
  • Posted in:Open source, Ransomware
  • Author:
    Fernando Mercês (Senior Threat Researcher)
0

Some time ago, I was asked by a colleague to develop a set of Yara rules to detect samples of the Stampado ransomware family. (Yara is an open-source tool used by security researchers to spot and categorize malware samples according to a set of defined rules.)

Stampado is a relatively new Ransomware-as-a-Service (RaaS) threat that’s been on our radar recently. I had access to only a few samples at the time, and first tried looking for common strings among them but had no luck. I then went to compare the files structures and realized all of them had an interesting section at the end of the file, like the one starting at offset 0xde000 as follows:

Read More
Tags: Open sourceransomwareStampadoYara

A Case of Too Much Information: Ransomware Code Shared Publicly for “Educational Purposes”, Used Maliciously Anyway
  • Posted on:January 13, 2016 at 4:45 am
  • Posted in:Malware, Open source, Ransomware
  • Author:
    Trend Micro
0

Researchers, whether independent or from security vendors, have a responsibility to properly disseminate the information they gathered to help the industry as well as users. Even with the best intentions, improper disclosure of sensitive information can lead to complicated, and sometimes even troublesome scenarios.

Read More
Tags: BrazilHidden TearOpen sourceransomware

GasPot Integrated Into Conpot, Contributing to Open Source ICS Research
  • Posted on:November 11, 2015 at 5:00 am
  • Posted in:Internet of Things, Open source
  • Author:
    Stephen Hilt (Senior Threat Researcher)
0

In August of this year, we presented at Blackhat our paper titled The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems. GasPot was a honeypot designed to mimic the behavior of the Guardian AST gas-tank-monitoring system. It was designed to look like no other existing honeypot, with each instance being unique to make fingerprinting by attackers impossible. These were deployed within networks located in various countries, to give us a complete picture of the attacks facing gas tank monitoring systems.

Read More
Tags: Conpotgaspot

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Business Email Compromise

  • How can a sophisticated email scam cause more than $2.3 billion in damages to businesses around the world?
    See the numbers behind BEC

Latest Ransomware Posts

  • Large-Scale Ransomware Attack In Progress, Hits Europe Hard
  • AdGholas Malvertising Campaign Employs Astrum Exploit Kit
  • Erebus Resurfaces as Linux Ransomware
  • Analyzing the Fileless, Code-injecting SOREBRECT Ransomware
  • Victims Lost US$1B to Ransomware

Ransomware 101

  • This infographic shows how ransomware has evolved, how big the problem has become, and ways to avoid being a ransomware victim.
    Check the infographic

Popular Posts

  • Erebus Resurfaces as Linux Ransomware
  • Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan
  • Analyzing the Fileless, Code-injecting SOREBRECT Ransomware
  • Analyzing Xavier: An Information-Stealing Ad Library on Android
  • Large-Scale Ransomware Attack In Progress, Hits Europe Hard

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.