(LiveHacking.Com) – Adobe has released a new command line tool for quick malware triage. Known as the “Adobe Malware Classifier”, this Python based tool was developed by Adobe’s Product Security Incident Response Team (PSIRT), who used it as part of the initial response to security incidents.
“I’ve since decided to make this tool available to other first responders (malware analysts, IT admins and security researchers of any stripe) as an open-source tool, since you might find it equally helpful,” said its creator, Karthik Raman.
The tool classifies Windows executables (EXEs) and dynamic link libraries (DLLs) into one of three categories: “0” for clean, “1” for malicious and “UNKNOWN”. To do this it extracts seven key features from the binary, runs them through one or all of four machine-learning classifiers, and presents the classification results. Specifically, the tool was developed using models that resulted from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a data set of approximately 100,000 malicious programs and 16,000 clean programs.
To test this tool I downloaded the file onto an Ubuntu 10.04 machine. To run, it needs some additional Python modules, which I installed:
sudo apt-get install python-pefile
sudo apt-get install python-argparse
The tool supports a few command line options:
usage: AdobeMalwareClassifier.py [-h] [-f filename] [-n model] [-v [verbose]]

Classify an unknown binary as MALWARE or CLEAN.

optional arguments:
  -h, --help    show this help message and exit
  -f filename   The name of the input file
  -n model      The ordinal for model classifier: 0=all (default) | 1=J48 | 2=J48Graft | 3=PART | 4=Ridor
  -v [verbose]  Dump the PE data being processed
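To make the classification pipeline concrete, here is an added example (my own code, not Adobe’s tool or its learned models) that does in miniature what the tool does: parse a PE file’s headers by hand, pull out a handful of header-level features of the kind a PE triage tool works from, and hand them to one or all of several classifiers, producing the same “0”, “1” or “UNKNOWN” labels. The feature names, the three hand-written decision rules standing in for the J48/J48 Graft/PART/Ridor models, and the majority vote used for the “all models” mode are all illustrative assumptions, not the tool’s seven features or its real trees. The sample PE headers are constructed in code and are not real programs.

```python
import struct

# Data directory indices from the PE/COFF specification.
DIR_EXPORT, DIR_RESOURCE, DIR_DEBUG, DIR_IAT = 0, 2, 6, 12


def build_sample_pe(number_of_sections=3, image_version=(1, 0), export_size=0,
                    resource_size=0, debug_size=0, iat_rva=0):
    """Constructed minimal PE32 header (not a runnable program) used as sample input.

    Only the fields the feature extractor reads are meaningful; the rest stay zero.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: PE header at offset 64
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C,    # "PE\0\0", IMAGE_FILE_MACHINE_I386
                       number_of_sections, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0, 0, 0, 0x400000)  # PE32 magic .. ImageBase
    opt += struct.pack("<II", 0x1000, 0x200)              # SectionAlignment, FileAlignment
    opt += struct.pack("<HHHHHH", 4, 0, image_version[0], image_version[1], 4, 0)
    opt += struct.pack("<IIII", 0, 0, 0, 0)               # Win32VersionValue .. CheckSum
    opt += struct.pack("<HH", 2, 0)                       # Subsystem (GUI), DllCharacteristics
    opt += struct.pack("<IIII", 0, 0, 0, 0)               # stack/heap reserve and commit
    opt += struct.pack("<II", 0, 16)                      # LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[DIR_EXPORT] = (0, export_size)
    dirs[DIR_RESOURCE] = (0, resource_size)
    dirs[DIR_DEBUG] = (0, debug_size)
    dirs[DIR_IAT] = (iat_rva, 0)
    for rva, size in dirs:
        opt += struct.pack("<II", rva, size)
    return bytes(dos) + coff + opt


def extract_features(data):
    """Parse the DOS, COFF and optional headers by hand and return header-level features.

    Handles both PE32 (magic 0x10B) and PE32+ (magic 0x20B) layouts; raises ValueError
    on anything that is not a PE image (the tool itself rejects .msi files, for instance).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    number_of_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    major_iv, minor_iv = struct.unpack_from("<HH", data, opt + 44)   # same offset in PE32 and PE32+
    if magic == 0x10B:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def directory(index):
        # Directories past NumberOfRvaAndSizes are absent, not zero-sized; treat them as empty.
        if index >= ndirs:
            return (0, 0)
        return struct.unpack_from("<II", data, dirs_off + 8 * index)

    return {
        "NumberOfSections": number_of_sections,
        "ImageVersion": (major_iv, minor_iv),
        "DebugSize": directory(DIR_DEBUG)[1],
        "ExportSize": directory(DIR_EXPORT)[1],
        "ResourceSize": directory(DIR_RESOURCE)[1],
        "IatRVA": directory(DIR_IAT)[0],
    }


# Three constructed stand-in classifiers. Each returns 0 (clean), 1 (malicious) or None
# (abstain). They are illustrative rules, not the tool's trained J48/PART/Ridor models.
def rule_debug(f):
    if f["DebugSize"] > 0:
        return 0
    return 1 if f["ImageVersion"] == (0, 0) else None


def rule_version(f):
    if f["ImageVersion"] == (0, 0) and f["ExportSize"] == 0:
        return 1
    return 0 if f["ImageVersion"] > (0, 0) else None


def rule_layout(f):
    if f["NumberOfSections"] <= 1 or f["IatRVA"] == 0:
        return 1
    if f["ResourceSize"] > 0 and f["DebugSize"] > 0:
        return 0
    return None


MODELS = {1: rule_debug, 2: rule_version, 3: rule_layout}   # mirrors the -n ordinals


def classify(data, model=0):
    """Return "0", "1" or "UNKNOWN"; model=0 polls every rule (assumed: majority vote)."""
    f = extract_features(data)
    votes = [MODELS[model](f)] if model else [m(f) for m in MODELS.values()]
    votes = [v for v in votes if v is not None]
    ones, zeros = votes.count(1), votes.count(0)
    if ones > zeros:
        return "1"
    if zeros > ones:
        return "0"
    return "UNKNOWN"


if __name__ == "__main__":
    samples = {
        "clean-looking": build_sample_pe(4, (6, 1), 0, 512, 28, 0x2000),
        "suspicious": build_sample_pe(1, (0, 0), 0, 0, 0, 0),
        "ambiguous": build_sample_pe(1, (0, 0), 64, 0, 28, 0x3000),
    }
    for name, blob in samples.items():
        print(name, extract_features(blob), "->", classify(blob))
```

The “ambiguous” sample is the interesting one: two rules disagree and one abstains, so the combined verdict is UNKNOWN even though each individual model (`model=1`, `2` or `3`) returns a definite answer. That is the behaviour to keep in mind when reading the tool’s results: a single-model verdict such as the MALWARE result on a known-good binary carries no more weight than the header fields it was derived from, which is why this kind of classifier belongs at the triage stage rather than being treated as a final call.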
I tested the tool on several different types of .exe including 7-Zip, VLC and the Java runtime:
- All the .exe files tested returned UNKNOWN, except for the Java runtime.
- The Java runtime returned MALWARE!
- The tool can’t read .msi files.
Although this looks like interesting research, it really can only be seen as a triage tool. Maybe if I had tested it against some actual malware I might have got some better results.