Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. At the same time, Go binaries statically link their libraries, which makes it hard to distinguish user functions from library functions and complicates analysis. This situation has increased the demand for Go malware classification and exploration.
In this talk, we demonstrate the feasibility of computing similarity between Go malware samples and classifying them using a newly proposed method called gimpfuzzy. We implemented "gimpfuzzy" by incorporating fuzzy hashing into the existing gimphash method. We verify the discrimination rate of classification with the proposed method and confirm its validity by discussing some examples from the classified results. We also discuss issues in Go malware classification.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy” for Go Malware Classification by Sawabe, Amakasu and Nomura
Yuta Sawabe / Nobuyuki Amakasu / Kazuya Nomura
NTT Security Holdings