research-article

ESCAPE: entropy score analysis of packed executable

Authors:
Smita Naval

Malaviya National Institute of Technology, Jaipur, Rajasthan

Malaviya National Institute of Technology, Jaipur, Rajasthan
View Profile

,
Vijay Laxmi

Malaviya National Institute of Technology, Jaipur, Rajasthan

Malaviya National Institute of Technology, Jaipur, Rajasthan
View Profile

,
M. S. Gaur

Malaviya National Institute of Technology, Jaipur, Rajasthan

Malaviya National Institute of Technology, Jaipur, Rajasthan
View Profile

,
P. Vinod

Malaviya National Institute of Technology, Jaipur, Rajasthan

Malaviya National Institute of Technology, Jaipur, Rajasthan
View Profile

SIN '12: Proceedings of the Fifth International Conference on Security of Information and NetworksOctober 2012Pages 197–200https://doi.org/10.1145/2388576.2388607

Published:25 October 2012Publication History

SIN '12: Proceedings of the Fifth International Conference on Security of Information and Networks

Pages 197–200

ABSTRACT

Malware developers hide the malicious payload of malware binary by employing various obfuscation techniques. One such technique commonly applied is packing. Packer transforms the original bytes so it is difficult to recognize the behaviour of any executable. Although the contents of a file is changed, some byte patterns may be preserved across different packed executables. Malware detectors need to apply unpacking mechanism prior to any detection or analysis to every sample under consideration. In this paper, we have proposed a method that discriminate packed binaries from the native files to minimize the processing time of AV scanners. We have used the blockwise entropy score of byte features of the executable. Experimental results show that the proposed method is capable of identifying packed and native executable which are packed using different malware packers.

References

ASPack. http://www.aspack.com/, Last Accessed October 2011.Google Scholar
GUnPacker. http://leechermods.com, Last Accessed November 2011.Google Scholar
Objdump a Pe Dumping Tool. http://sourceforge.net/projects/objdump, Last Accessed March 2011.Google Scholar
PECompact. http://www.bitsum.com/pecompact.php, Last Accessed October 2011.Google Scholar
UPX. http://upx.sourceforge.net/, Last Accessed October 2011.Google Scholar
VMUnpacker. http://www.woodman.co, Last Accessed November 2011.Google Scholar
S. C. and W. W. The Mathematical Theory of Communication. 1963. Google ScholarDigital Library
A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether:Malware Analysis via Hardware Virtualization Extensions. In Proceedings of the 15th ACM conference on Computer and communications security, CCS '08, pages 51--62. ACM, 2008. Google ScholarDigital Library
M. Haahr. An Introduction to Randomness and Random Numbers, www.random.org/essay.html, June 1999.Google Scholar
R. Hamming. Coding and Information Theory. Prentice-Hall, 2 edition, 1986. Google ScholarDigital Library
V. Laxmi, M. S. Gaur, P. Faruki, and S. Naval. PEAL - Packed Executable AnaLysis. In ADCONS, pages 237--243, 2011. Google ScholarDigital Library
R. Lyda and J. Hamrock. Using Entropy Analysis to Find Encrypted and Packed Malware. IEEE Security and Privacy, 5(2):40--45, Mar. 2007. Google ScholarDigital Library
PEiD. Packed Executable IDentification. http://www.peid.info/., Last Accessed January 2012.Google Scholar
R. Perdisci, A. Lanzi, and W. Lee. Mcboost:Boosting Scalability in Malware Collection and Analysis using Statistical Classification of Executables. In Computer Security Applications Conference, 2008. ACSAC 2008. Annual, pages 301--310, dec. 2008. Google ScholarDigital Library
M. Z. Shafiq, S. M. Tabish, F. Mirza, and M. Farooq. PE-Probe: Mining Structural Information to Detect Malicious Executables in Realtime. In Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection RAID '09., pages 121--141, Saint-Malo, France. Springer-Verlag. Google ScholarDigital Library
M. Z. Shafiq, S. M. Tabish, F. Mirza, and M. Farooq. PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime. In Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, RAID '09, pages 121--141, Berlin, Heidelberg, 2009. Springer-Verlag. Google ScholarDigital Library
B. T. and M. M. Runtime Packers: The Hidden Problem. In Proceedings of Black Hat USA, Black Hat, 2006.Google Scholar
X. Ugarte-Pedrero, I. Santos, and P. G. Bringas. Structural feature based anomaly detection for packed executable identification. In Proceedings of the 4th international conference on Computational intelligence in security for information systems, CISIS'11, pages 230--237, Berlin, Heidelberg, 2011. Springer-Verlag. Google ScholarDigital Library
VirusTotal. Free Software Downloads and Software Reviews, https://www.virustotal.com/, Last Accessed November 2011.Google Scholar
VXHeavens. Virus Collections (VXheavens). http://vl.netlux.org/vl.php/, Last Accessed August 2011.Google Scholar

Index Terms

ESCAPE: entropy score analysis of packed executable
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

SPADE: Signature based PAcker DEtection
SecurIT '12: Proceedings of the First International Conference on Security of Internet of Things

Malware is a powerful weapon to hamper various confidential and secure data of a personal computer. Code packing helps the malware authors to create new variants of existing malwares and thus signature based malware detection is defeated. Packing tools ...
Read More
Obfuscation: The Hidden Malware

A cyberwar exists between malware writers and antimalware researchers. At this war's heart rages a weapons race that originated in the 80s with the first computer virus. Obfuscation is one of the latest strategies to camouflage the telltale signs of ...
Read More
Information theoretic method for classification of packed and encoded files
SIN '15: Proceedings of the 8th International Conference on Security of Information and Networks

Malware authors make use of some anti-reverse engineering and obfuscation techniques like packing and encoding in-order to conceal their malicious payload. These techniques succeeded in evading the traditional signature based AV scanners. Packed or ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SIN '12: Proceedings of the Fifth International Conference on Security of Information and Networks
October 2012
226 pages
ISBN:9781450316682
DOI:10.1145/2388576
General Chairs:
Manoj Singh Gaur
Malaviya National Institute of Technology Jaipur, India
,
Atilla Elçi
Aksaray University, Turkey
,
Oleg Makarevich
Southern Federal University, Taganrog, Rostov-on-Don, Russia
,
Mehmet A. Orgun
Macquarie University, Australia
,
Virendra Singh
Indian Institute of Technology Bombay, India
Copyright © 2012 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 25 October 2012
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
entropy
malware
obfuscation
packing
unpacking
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate102of289submissions,35%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 4
  Total Citations
  View Citations
- 154
  Total Downloads
- Downloads (Last 12 months)1
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

ESCAPE: entropy score analysis of packed executable

SIN '12: Proceedings of the Fifth International Conference on Security of Information and Networks

ABSTRACT

References

Cited By

Index Terms

Recommendations

SPADE: Signature based PAcker DEtection

Obfuscation: The Hidden Malware

Information theoretic method for classification of packed and encoded files

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

ESCAPE: entropy score analysis of packed executable

SIN '12: Proceedings of the Fifth International Conference on Security of Information and Networks

ABSTRACT

References

Cited By

Index Terms

Recommendations

SPADE: Signature based PAcker DEtection

Obfuscation: The Hidden Malware

Information theoretic method for classification of packed and encoded files

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media