Pierluigi Paganini June 21, 2017

Cisco Talos intelligence group released an open source framework named BASS that is designed for automatically generating antivirus signatures from malware.

BASS is an automated signature synthesizer, it is able to automatically create signatures from the analysis of a malicious code that belongs to previously generated clusters.

The BASS tool aims to simplify malware analysis and its main goals are to improve resource usage and make malware analysis easier.

BASS is designed to reduce the resource usage of Cisco ClamAV open source antivirus engine, it aims to generate more pattern-based signatures instead of hash-based signatures.

Every day the ClamAV database is integrated with thousands of new signatures and many of them are hash-based. Unfortunately, using hashes to detect a malware allows the identification of single malicious file and not an entire malware cluster.

“BASS (pronounced “bæs”) is a framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters. It is meant to reduce resource usage of ClamAV by producing more pattern-based signatures as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable thanks to Docker.” reads the description for the Framework published on GitHub.

“Please note that this framework is still considered in the Alpha stage and as a result, it will have some rough edges. As this tool is open source and actively maintained by us, we gladly welcome any feedback from the community on improving the functionality of BASS.”

BASS is written in Python framework implemented as a cluster of Docker containers. It is scalable and implements web services that allow it interacting other tools.

Experts at Cisco Talos explained the BASS framework is able to import malware clusters from various sources. Once the malware cluster is filtered to check that the files correspond to the input expected by BASS framework, the binaries are disassembled using IDA Pro or other disassemblers, then BASS searches the samples for common code that can be used to generate the signature.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – BASS, malware)

[adrotate banner=”13″]