Please use this identifier to cite or link to this item: https://dair.nps.edu/handle/123456789/4167
Title: Analysis of Differences between Versions of Software Executables
Authors: Neil Rowe; Bruce Allen
Keywords: Software; Executable Files; Corpus; Database; Digital Devices; Fraudulent Software; Malicious Software
Issue Date: 2-Dec-2019
Publisher: Acquisition Research Program
Citation: Published--Unlimited Distribution
Series/Report no.: Software;NPS-IT-20-014
Abstract: We studied differences between versions of software by comparing their executable files. We used a large database (“corpus”) of around 2600 digital-forensic copies of secondary storage of computers and digital devices purchased around the world. We extracted families of executable files in the EXE and DLL formats having the same name; we also included in these families other files having the same contents as files in the family but different names. We measured file similarities between files in the same family by finding matches between 8-bit bytes in the two files, and then looking for sequences of unbroken consecutive matches. We developed several kinds of useful visualizations to show file similarities: two ways to display the bytes that match between two files, and two ways to show the similarities between members of a file family over time. These methods should make it considerably easier to detect fraudulent or malicious software because it will stand out in the visualizations.
Description: Information Technology / NPS Faculty Research
URI: https://dair.nps.edu/handle/123456789/4167
Appears in Collections: Sponsored Acquisition Research & Technical Reports

Files in This Item:
File | Description | Size | Format
NPS-IT-20-014.pdf | Technical Report | 1.84 MB | Adobe PDF

