ABSTRACT
Malware is a powerful weapon for compromising the confidential and sensitive data held on a personal computer. Code packing lets malware authors create new variants of existing malware, which defeats signature-based malware detection. Packing tools also hinder reverse engineering, so it is difficult for security researchers to analyse new or unknown malware. Dynamic unpackers require dedicated hardware and software for analysing samples and are computationally expensive, so a fast method is needed for analysing the packers used to create packed executables. Every packer uses its own unpacking algorithm to unpack the payload in memory, so if a priori information about the packer used is available, unpacking becomes easy. In this paper, we propose a novel technique for generating the signature of packed malware in order to identify the packer used to obfuscate the binary.
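As an added illustration (not the SPADE method or code from the paper), the following Python shows the general idea behind identifying a packer from a static signature: it walks a PE file's headers to the bytes at the entry point and matches them against wildcard byte patterns of the kind packer detectors keep in their databases. The three signature strings and the minimal PE builder used to construct an offline sample are assumptions for demonstration, modelled on publicly documented prologues rather than taken from the paper.

```python
import re
import struct
# Illustrative entry-point signatures in "AA ?? BB" notation ("??" = any one byte).
# These are assumptions modelled on public prologues, not the paper's signatures.
SIGNATURES = {
    "UPX-like": "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57",
    "ASPack-like": "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01",
    "PECompact-like": "B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25",
}
def compile_signature(sig: str) -> re.Pattern:
    """Turn 'AA ?? BB' into a bytes regex where '??' matches exactly one byte."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)
COMPILED = {name: compile_signature(s) for name, s in SIGNATURES.items()}
def entry_point_bytes(pe: bytes, n: int = 32) -> bytes:
    """Walk the PE headers to the section holding AddressOfEntryPoint; return n bytes there."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
    sec = opt + opt_size                                         # first section header
    for i in range(nsec):  # VirtualAddress, SizeOfRawData, PointerToRawData sit at +12
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sec + i * 40 + 12)
        if va <= entry_rva < va + raw_size:
            off = raw_ptr + (entry_rva - va)                    # RVA -> file offset
            return pe[off:off + n]
    raise ValueError("entry point not inside any section")
def identify_packer(pe: bytes):
    """Return the name of the first signature matching at the entry point, else None."""
    ep = entry_point_bytes(pe)
    return next((name for name, pat in COMPILED.items() if pat.match(ep)), None)
def build_sample_pe(ep_code: bytes) -> bytes:
    """Construct a minimal PE32 file (headers only, not loadable) with ep_code at its entry point."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    sec = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + ep_code.ljust(0x200, b"\xCC")
```

A result of None does not mean the sample is unpacked: a modified or unknown packer also returns None, which is why new signatures have to be generated for each new packer variant.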
SPADE: Signature based PAcker DEtection