Tuts 4 You
Why do not include the name of the generated mutexes in the virus signature?

kat3chrome

I read an article about the analysis of some Trojan, where a friend wrote that "hardly anyone needs the name of the mutex." What could this be connected with? It's just that hashes are usually translated along with the virus, by which it can be easily determined, but it seems to me that mutexes are also getting better at this.

Xyl2k

File hashes are only used to get/recognize a sample that is already known. You can't really do the same with a mutex, as there are probably tons of files having the same mutex already, and they can also be generated on the fly by the malware, so it would be unreliable 'alone'. If you already know the hash of a file (sha256 preferably) then you don't need more.
Mutexes are only good to find new similar samples, but once again you need to couple that with some other indicators, otherwise you will get many false positives if you rely only on that.

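The point above, that a mutex name is a weak indicator on its own but useful when coupled with others, as an added example that is not from the thread: a small scoring rule over constructed sandbox observations. The family name, indicator values, weights and threshold are all hypothetical.

```python
import re
from dataclasses import dataclass, field

# Hypothetical indicator set for a made-up family; every value is constructed.
INDICATORS = {
    "sha256": {"aa" * 32: 10},                        # known sample: decisive alone
    "mutex": {"Global\\ExampleRAT_Instance": 4},      # fixed name: weak alone
    "mutex_regex": {r"^Global\\ER_[0-9a-f]{8}$": 3},  # per-host generated name
    "domain": {"c2.example.invalid": 5},              # network indicator
}
THRESHOLD = 7  # a lone mutex (4 or 3) never reaches this; mutex + domain does


@dataclass
class Observation:
    """What a sandbox or EDR reported for one process (constructed data)."""
    sha256: str = ""
    mutexes: list[str] = field(default_factory=list)
    domains: list[str] = field(default_factory=list)


def score(obs: Observation) -> tuple[int, list[str]]:
    """Return (total score, labels of the indicators that matched)."""
    hits: list[str] = []
    total = 0
    if obs.sha256 in INDICATORS["sha256"]:
        total += INDICATORS["sha256"][obs.sha256]
        hits.append("sha256")
    for m in obs.mutexes:
        if m in INDICATORS["mutex"]:
            total += INDICATORS["mutex"][m]
            hits.append(f"mutex:{m}")
        for pattern, weight in INDICATORS["mutex_regex"].items():
            if re.match(pattern, m):  # catches names generated on the fly
                total += weight
                hits.append(f"mutex_regex:{m}")
    for d in obs.domains:
        if d in INDICATORS["domain"]:
            total += INDICATORS["domain"][d]
            hits.append(f"domain:{d}")
    return total, hits


def is_match(obs: Observation) -> bool:
    return score(obs)[0] >= THRESHOLD


# Constructed observations, not real telemetry.
KNOWN_SAMPLE = Observation(sha256="aa" * 32)
MUTEX_ONLY = Observation(mutexes=["Global\\ExampleRAT_Instance"])  # would be a false positive
GENERATED_PLUS_C2 = Observation(mutexes=["Global\\ER_1f3a9c0b"], domains=["c2.example.invalid"])
```

With these weights the known hash matches by itself, the shared mutex alone does not, and a generated mutex only matches once the C2 domain is also seen.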
kat3chrome
23 hours ago, Xyl2k said:

File hashes are only used to get/recognize a sample that is already known. You can't really do the same with a mutex, as there are probably tons of files having the same mutex already, and they can also be generated on the fly by the malware, so it would be unreliable 'alone'. If you already know the hash of a file (sha256 preferably) then you don't need more.
Mutexes are only good to find new similar samples, but once again you need to couple that with some other indicators, otherwise you will get many false positives if you rely only on that.

Thanks for such a full answer.
