Many malicious programs are just previously seen programs that have had some minor changes made to them. A slightly different variant hardly qualifies as a stealth attack: being 99\% the same as a known piece of malware should be a dead giveaway. This white paper describes methods for searching a database of programs for a match. The methods are adapted from ordinary text search and analysis; the key to making them work is in selecting the right aspects of the program to compare. The aspects compared are features called ``n-perms'', which are constructed from abstracted, disassembled code. Two studies show that these methods can be applied successfully to the problem of matching malware.",