Automatic Static Unpacking of Malware Binaries

Coogan, Kevin; Debray, Saumya; Kaochar, Tasneem; Townsend, Gregg M.

doi:10.1109/wcre.2009.24

Cited by 54 publications

(29 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Coogan et al [3] proposed an automatic static unpacking mechanism. It uses static analysis techniques to identify the unpacking code that comes with a given malware binary, then uses this code to construct a customized unpacker for that binary.…”

Section: Related Workmentioning

confidence: 99%

Generic Packing Detection Using Several Complexity Analysis for Accurate Malware Detection

Alanezi¹

2014

IJACSA

View full text Add to dashboard Cite

Abstract-The attackers do not want their Malicious software (or malwares) to be reviled by anti-virus analyzer. In order to conceal their malware, malware programmers are getting utilize the anti reverse engineering techniques and code changing techniques such as the packing, encoding and encryption techniques. Malware writers have learned that signature based detectors can be easily evaded by "packing" the malicious payload in layers of compression or encryption. State-of-the-art malware detectors have adopted both static and dynamic techniques to recover the payload of packed malware, but unfortunately such techniques are highly ineffective. If the malware is packed or encrypted, then it is very difficult to analyze. Therefore, to prevent the harmful effects of malware and to generate signatures for malware detection, the packed and encrypted executable codes must initially be unpacked. The first step of unpacking is to detect the packed executable files.The objective is to efficiently and accurately distinguish between packed and non-packed executables, so that only executables detected as packed will be sent to an general unpacker, thus saving a significant amount of processing time. The generic method of this paper show that it achieves very high detection accuracy of packed executables with a low average processing time.In this paper, a packed file detection technique based on complexity measured by several algorithms, and it has tested using a packed and unpacked dataset of file type .exe. The preliminary results are very promising where achieved high accuracy with enough performance. Where it achieved about 96% detection rate on packed files and 93% detection rate on unpacked files. The experiments also demonstrate that this generic technique can effectively prepared to detect unknown, obfuscated malware and cannot be evaded by known evade techniques.

show abstract

Section: Related Workmentioning

confidence: 99%

Generic Packing Detection Using Several Complexity Analysis for Accurate Malware Detection

Alanezi¹

2014

IJACSA

View full text Add to dashboard Cite

show abstract

“…There is a rich body of literature dealing with dynamically generated ("unpacked") code in the context of conventional native-code malware executables [14,19,4,10]. Much of this work focuses on detecting the fact of unpacking and identifying the unpacked code; because of the nature of the code involved, the techniques used are necessarily low-level, typically relying on detecting the execution of a previously-modified memory locations (or pages).…”

Section: Related Workmentioning

confidence: 99%

Automatic Simplification of Obfuscated JavaScript Code: A Semantics-Based Approach

Debray

2012

2012 IEEE Sixth International Conference on Software Security and Reliability

Self Cite

View full text Add to dashboard Cite

Abstract. Javascript is a scripting language that is commonly used to create sophisticated interactive client-side web applications. It can also be used to carry out browser-based attacks on users. Malicious JavaScript code is usually highly obfuscated, making detection a challenge. This paper describes a simple approach to deobfuscation of JavaScript code based on dynamic analysis and slicing. Experiments using a prototype implementation indicate that our approach is able to penetrate multiple layers of complex obfuscations and extract the core logic of the computation.

show abstract

“…Therefore, the first step of the reverse translation is a code unpacking phase. As this topic is well documented in the literature (see [38,39]), we will not deal with it in our paper. After that, it is necessary to convert the platform-specific file format into a unified form of representation.…”

Section: Front-endmentioning

confidence: 99%

Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis

Ďurfina

Křoustek

Zemek

et al. 2011

Communications in Computer and Information Science

View full text Add to dashboard Cite

Abstract. Together with the massive expansion of smartphones, tablets, and other smart devices, we can notice a growing number of malware threats targeting these platforms. Software security companies are not prepared for such diversity of target platforms and there are only few techniques for platform-independent malware analysis. This is a major security issue these days. In this paper, we propose a concept of a retargetable reverse compiler (i.e. a decompiler), which is in an early stage of development. The retargetable decompiler transforms platformspecific binary applications into a high-level language (HLL) representation, which can be further analyzed in a uniform way. This tool will help with a static platform-independent malware analysis. Our unique solution is based on an exploitation of two systems that were originally not intended for such an application-the architecture description language (ADL) ISAC for a platform description and the LLVM Compiler System as the core of the decompiler. In this study, we show that our tool can produce highly readable HLL code.

show abstract

Automatic Static Unpacking of Malware Binaries

Cited by 54 publications

References 10 publications

Generic Packing Detection Using Several Complexity Analysis for Accurate Malware Detection

Generic Packing Detection Using Several Complexity Analysis for Accurate Malware Detection

Automatic Simplification of Obfuscated JavaScript Code: A Semantics-Based Approach

Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis

Contact Info

Product

Resources

About