File Packing from the Malware Perspective: Techniques, Analysis Approaches, and Directions for Enhancements

Published: 3 December 2022

Abstract

With the growing sophistication of malware, devising improved malware detection schemes is crucial. Packing of executable files, one of the most common code-protection techniques, has been repurposed by malware authors as a form of code obfuscation for evading malware detectors, mainly those based on static analysis. This paper provides statistics on packer use based on an extensive analysis of 24,000 portable executable (PE) files, both malicious and benign, from the past 10 years; the analysis reveals trends in packing use over that period and shows that packing is still widely used in malware. The paper then surveys 23 methods proposed in academic research for the detection and classification of packed PE files and highlights various trends in malware packing, contrasting the methods and their ability to detect and identify different aspects of packing. A taxonomy is presented that classifies the methods as static, dynamic, or hybrid analysis-based. The paper also sheds light on the increasing role of machine learning in the development of modern packing detection methods. Finally, we analyzed and mapped the different packing methods and identified which of them can be countered by the detection methods surveyed in this paper.
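The abstract contrasts static, dynamic and hybrid detection of packed PE files. As an added illustration, not code from the paper or its authors, the Python script below implements the kind of static heuristics such detectors start from: it parses the PE section table and entry point, computes the Shannon entropy of every section, and flags packer-style layouts (a section that is empty on disk but large in memory, an entry point in a writable and executable or non-standard section, well-known packer section names). The 7.0 bit/byte entropy cut-off, the short list of packer section names, and the two PE32 images assembled in memory as sample input are assumptions made for this example.

```python
# Added example, not the paper's code: static packing indicators for a PE32 image.
# Assumed for illustration: the 7.0 bit/byte entropy cut-off, the packer section-name
# list, and the two PE images constructed in memory below as sample input.
import hashlib
import math
import struct
from collections import Counter, namedtuple

Section = namedtuple("Section", "name vsize vaddr rawsize rawptr chars data")
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", ".aspack", ".adata", ".MPRESS1", ".themida", ".vmp0", ".petite"}
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; compressed or encrypted data sits close to 8.0


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes):
    """Minimal PE parser; returns (AddressOfEntryPoint, [Section, ...])."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)       # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header follows COFF
    (entry,) = struct.unpack_from("<I", data, opt + 16)          # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):                                        # 40-byte section headers
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append(Section(name, vsize, vaddr, rawsize, rawptr, chars,
                                data[rawptr:rawptr + rawsize]))
    return entry, sections


def packing_indicators(data: bytes) -> dict:
    """Collect static hints of packing; two or more hints give a 'likely packed' verdict."""
    entry, sections = parse_pe(data)
    hints, entropies = [], {}
    for s in sections:
        e = entropies[s.name] = round(shannon_entropy(s.data), 3)
        if s.name in KNOWN_PACKER_SECTIONS:
            hints.append(f"known packer section name {s.name!r}")
        if s.rawsize == 0 and s.vsize > 0:  # empty on disk, large in memory: unpack target
            hints.append(f"{s.name!r} has no raw data but {s.vsize:#x} bytes of virtual size")
        if e > ENTROPY_THRESHOLD:
            hints.append(f"high entropy {e} in {s.name!r}")
        if s.vaddr <= entry < s.vaddr + max(s.vsize, s.rawsize):
            wx = bool(s.chars & SCN_WRITE) and bool(s.chars & SCN_EXEC)
            if wx or s.name not in (".text", "CODE"):
                hints.append(f"entry point {entry:#x} in {'W+X ' if wx else ''}section {s.name!r}")
    return {"entropy": entropies, "indicators": hints, "likely_packed": len(hints) >= 2}


def build_pe(sections, entry_rva, file_align=0x200) -> bytes:
    """Assemble a minimal PE32 image from (name, vsize, vaddr, data, chars) tuples."""
    e_lfanew, opt_size = 0x80, 0xE0
    hdr_end = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_ptr = first_raw = -(-hdr_end // file_align) * file_align
    table, body = b"", b""
    for name, vsize, vaddr, data, chars in sections:
        rawsize = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rawsize,
                             raw_ptr if data else 0, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        raw_ptr += rawsize
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0).ljust(opt_size, b"\0")
    headers = dos.ljust(e_lfanew, b"\0") + b"PE\0\0" + coff + opt + table
    return headers.ljust(first_raw, b"\0") + body


def _pseudo_random(n: int, seed: bytes = b"packed-sample") -> bytes:
    """Deterministic near-uniform bytes standing in for a compressed payload (constructed)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
                    for i in range(-(-n // 32)))[:n]


def sample_plain() -> bytes:
    """Constructed image like a normally linked binary: one low-entropy .text section."""
    code = (b"\x55\x8b\xec\x83\xec\x10\x90\x90\xc3" * 500)[:4096]
    return build_pe([(".text", len(code), 0x1000, code, SCN_CODE | SCN_EXEC | SCN_READ)], 0x1000)


def sample_upx_like() -> bytes:
    """Constructed UPX-style layout: empty UPX0, high-entropy RWX UPX1 holding the entry point."""
    stub = _pseudo_random(8192)
    rwx = SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE
    return build_pe([("UPX0", 0x10000, 0x1000, b"", rwx),
                     ("UPX1", len(stub), 0x11000, stub, rwx)], 0x11000 + 0x1F00)


if __name__ == "__main__":
    for label, image in (("plain", sample_plain()), ("upx-like", sample_upx_like())):
        print(label, packing_indicators(image))
```

Run directly to print both verdicts. The caveat a practitioner should keep in mind is that these static hints are cheap but brittle: legitimately compressed or encrypted resources push benign files over an entropy threshold, a packer can keep its payload under it by encoding compressed data in a low-entropy alphabet, and section names are trivially renamed. They serve as triage signals, which is why the survey treats dynamic and hybrid approaches, which observe the unpacking stub at run time, alongside the static ones.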

Published in: ACM Computing Surveys, Volume 55, Issue 5 (May 2023), 810 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/3567470

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 3 December 2022
• Online AM: 24 May 2022
• Accepted: 6 April 2022
• Revised: 12 March 2022
• Received: 22 March 2021
      Qualifiers

      • survey
      • Refereed