[MAEC] Polymorphism Behavior example

[MAEC] Polymorphism Behavior example

Jerome Athias wrote:
Hi list,

I would be interested if someone has an example of a Polymorphism
Behavior, let's say use of random file names.

In the meantime, I wonder whether "server-side polymorphism" would be something
to describe in MAEC or in STIX, for example?

Thanks
Best regards

Re: [MAEC] Polymorphism Behavior example

Ivan Kirillov wrote:
Hi Jerome,

I just added an example to our GitHub repo that demonstrates how MAEC may capture behavior-based polymorphism across variants of the same family [1].

In this case, it's showing how different Zeus v1.x variants use certain hard-coded filenames in the same Behavior. Not quite polymorphism in the strictest sense, but it represents what we're able to capture right now. We'll have to think about how to better model this in the future; at this point we can state that a particular CybOX Object property appears random (via appears_random, e.g. [2]), but there's no way to do so for Actions.

As far as server-side polymorphism, at this point I'm inclined to say that it would make the most sense to include as a MAEC Capability vocabulary entry.

Regards,
Ivan Kirillov
MITRE

[1] https://github.com/MAECProject/schemas/blob/master/examples/package_polymorphic_family_example.xml
[2] http://maecproject.github.io/data-model/4.1/cyboxCommon/StringObjectPropertyType/

-----Original Message-----
From: Jerome Athias [mailto:[hidden email]]
Sent: Tuesday, February 17, 2015 3:27 AM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: [MAEC] Polymorphism Behavior example

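The two cases the reply distinguishes, a file name that is hard-coded across variants (what the Zeus example in [1] records as a literal) versus one that differs per variant and should be flagged with appears_random (the StringObjectPropertyType attribute in [2]), as an added example that is not part of the thread or of the MAEC project's own code. It takes the file names observed across variants of one family, decides which case applies, and emits the matching CybOX-style File_Name element. The sample file names are constructed, not real Zeus data; the namespace URIs are taken from my memory of the CybOX 2.1 schemas and should be checked against the published XSDs; the classification heuristic is mine, not anything MAEC specifies.

```python
"""Added example (not from the thread or the MAEC project): decide whether a
file-name property is hard-coded across variants of a family or appears random,
and emit the matching CybOX-style File_Name element.

Sample data below is constructed, not real Zeus data."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# CybOX 2.1 namespace URIs as I recall them (assumed; verify against the schema).
NS_COMMON = "http://cybox.mitre.org/common-2"
NS_FILE = "http://cybox.mitre.org/objects#FileObject-2"
ET.register_namespace("cyboxCommon", NS_COMMON)
ET.register_namespace("FileObj", NS_FILE)

# Constructed sample input: the file name each analysed variant was seen to create.
HARDCODED_VARIANTS = ["sdra64.exe", "sdra64.exe", "sdra64.exe"]
RANDOM_VARIANTS = ["kq8z1pd.exe", "v0tmx93.exe", "ae7qln2.exe", "zb41hwu.exe"]


def _split(name):
    """Split 'stem.ext' into (stem, ext); ext is '' when there is no dot."""
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")


def pattern_from(names):
    """Generalise distinct names into one regex: the union of character classes
    seen in the stems, the stem length (or length range), and the extension."""
    stems = [_split(n)[0] for n in names]
    exts = {_split(n)[1] for n in names}
    chars = "".join(stems)
    classes = ""
    if any(c.islower() for c in chars):
        classes += "a-z"
    if any(c.isupper() for c in chars):
        classes += "A-Z"
    if any(c.isdigit() for c in chars):
        classes += "0-9"
    classes += "".join(sorted({re.escape(c) for c in chars if not c.isalnum()}))
    lengths = {len(s) for s in stems}
    if len(lengths) == 1:
        quant = f"{{{min(lengths)}}}"
    else:
        quant = f"{{{min(lengths)},{max(lengths)}}}"
    if len(exts) == 1:
        ext = exts.pop()
        ext_part = r"\." + re.escape(ext) if ext else ""
    else:
        ext_part = r"(\.[A-Za-z0-9]+)?"   # extensions differ too: keep it loose
    return f"[{classes}]{quant}{ext_part}"


def matches_all(pattern, names):
    """True when every observed name fits the generalised pattern."""
    return all(re.fullmatch(pattern, n) is not None for n in names)


def classify_file_names(names, min_variants=3):
    """'hardcoded' when every variant uses one literal name (what the Zeus
    example records); 'random' when every variant uses a different name and
    there are enough variants to say so; 'mixed' otherwise, in which case the
    honest record is each literal, not a guess that the name is random."""
    if not names:
        raise ValueError("no observations")
    counts = Counter(names)
    if len(counts) == 1:
        return "hardcoded", names[0]
    if len(counts) == len(names) and len(names) >= min_variants:
        return "random", pattern_from(names)
    return "mixed", None


def file_name_element(names):
    """Build a FileObj:File_Name element. appears_random and condition are
    attributes of the cyboxCommon string property type (link [2] in the thread)."""
    kind, value = classify_file_names(names)
    el = ET.Element(f"{{{NS_FILE}}}File_Name")
    if kind == "hardcoded":
        el.text = value                      # literal; condition defaults to Equals
    elif kind == "random":
        el.set("appears_random", "true")
        el.set("condition", "FitsPattern")   # the text is a pattern, not a literal
        el.text = value
    else:
        raise ValueError("mixed observations: record each literal, do not mark random")
    return el


def render(names):
    """Serialise the element for inclusion in a MAEC/CybOX document."""
    return ET.tostring(file_name_element(names), encoding="unicode")


if __name__ == "__main__":
    for sample in (HARDCODED_VARIANTS, RANDOM_VARIANTS):
        print(render(sample))
```

The `mixed` branch is deliberate: two variants sharing a name and a third using another is not evidence of randomness, and writing appears_random="true" there would hide the reuse that a detection engineer could actually key on. The pattern emitted for the random case (here `[a-z0-9]{7}\.exe`) is only as good as the sample; with more variants it tightens, with fewer it should be treated as a hint rather than a signature.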