ABSTRACT
Malware developers hide the malicious payload of a malware binary by employing various obfuscation techniques. One such commonly applied technique is packing. A packer transforms the original bytes so that it is difficult to recognize the behaviour of an executable. Although the contents of a file are changed, some byte patterns may be preserved across different packed executables. Malware detectors need to apply an unpacking mechanism to every sample under consideration prior to any detection or analysis. In this paper, we propose a method that discriminates packed binaries from native files in order to minimize the processing time of AV scanners. We use the blockwise entropy score of the byte features of the executable. Experimental results show that the proposed method is capable of identifying packed and native executables, including executables packed using different malware packers.
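As an added illustration (not the paper's own code or its exact scoring method), the following Python computes the blockwise Shannon entropy of a byte buffer and applies an assumed high-entropy-fraction heuristic to separate a constructed "packed-like" buffer from a constructed "native-like" one. The block size, entropy threshold and block fraction are assumptions for the demo, not values taken from the paper.

```python
import hashlib
import math
from collections import Counter

# Assumed parameters for this illustration; the paper's actual values are not given here.
BLOCK_SIZE = 512      # bytes per block
HIGH_ENTROPY = 7.0    # bits/byte above which a block is treated as compressed/encrypted
MIN_FRACTION = 0.5    # share of high-entropy blocks needed to call the file "packed"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def blockwise_entropy(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each consecutive block; a trailing partial block is included."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]

def high_entropy_fraction(scores, threshold: float = HIGH_ENTROPY) -> float:
    """Fraction of blocks whose entropy reaches the threshold (0.0 when there are no blocks)."""
    if not scores:
        return 0.0
    return sum(1 for s in scores if s >= threshold) / len(scores)

def classify(data: bytes) -> str:
    """Label a buffer 'packed' or 'native' from its blockwise entropy profile."""
    frac = high_entropy_fraction(blockwise_entropy(data))
    return "packed" if frac >= MIN_FRACTION else "native"

def _pseudo_random_bytes(n: int, seed: bytes = b"escape-demo") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed or encrypted payload."""
    out, state = bytearray(), seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])

# Constructed sample inputs (not real executables): zero padding plus import-table-like
# strings for a native file, and pseudo-random bytes for a packed payload.
NATIVE_LIKE = b"\x00" * 1024 + (b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00" * 32)[:1024]
PACKED_LIKE = _pseudo_random_bytes(2048)

if __name__ == "__main__":
    for name, buf in (("native-like", NATIVE_LIKE), ("packed-like", PACKED_LIKE)):
        scores = blockwise_entropy(buf)
        print(name, [round(s, 2) for s in scores], "->", classify(buf))
```

Printing the per-block scores rather than only the label shows where in the image the high-entropy region sits, which is what an analyst would use to locate the packed section.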
Index Terms
- ESCAPE: entropy score analysis of packed executable