Stéfan Le Berre
Last known affiliation: Exatrack
Bio: Stéfan Le Berre started working on malware comparison in 2012 at the French Agence Nationale de la Sécurité des Systèmes d’Informations (ANSSI), and had then invented the Machoc algorithm to allow an algorithmic comparison of binaries. He has since created his company Exatrack in 2018, where he continues to hunt adversaries using forensics and malware analysis. He is also actively working on rootkit identification on Windows, with among other things the publication of the Kdrill tool in 2024 (https://github.com/ExaTrack/Kdrill).
10 Years of Large-Scale Malware Comparison: Going Deeper With Machoke
Tristan Pourcelot 🗣 | Stéfan Le Berre 🗣
Tristan Pourcelot 🗣 | Stéfan Le Berre 🗣
Abstract (click to view)
As threat hunters, we are often faced with the problems of analyzing many malicious binaries, related or not. Some of the problems encountered are ranging from classifying a sam-
ple to a known family, identifying common functions or used libraries, to finding a unique function across a large set of samples. Building on our experience with Machoc, a CFG matching algorithm published in 2016, our aim was to solve these problems while scaling our malware collection to tens of thousands of samples.
We will present the techniques we developped in order to scale Machoc comparison, and also an overview of a new algorithm we developped to identify common functions in a large dataset.
