Obfuscation procedure based in dead code insertion into crypter

Barría, Cristian Ignacio Vidal; Cordero, David; Cubillos, Claudio; Osses, Robinson

doi:10.1109/icccc.2016.7496733

Cited by 12 publications

(9 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Packer classification has been also performed recently, but most of the classification or identification methods use signature‐based features, such as header information or decompression/decryption code. However, signature‐based approaches can be easily avoided by attackers through code relocation and other methods …”

Section: Related Workmentioning

confidence: 99%

“…However, signature-based approaches can be easily avoided by attackers through code relocation and other methods. 9,10,30,31 To overcome those limitations, our proposed method uses features extracted only from an encrypted section. A packing algorithm is usually based on the Lempel-Ziv (LZ) and Lempel-Ziv-Markov chain algorithm (LZMA) compression algorithms; hence, we surveyed about the mechanisms of compression algorithms and the characteristics of the outputs of those algorithms.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Packer identification method based on byte sequences

Jung

Bae

Choi

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

Summary With the growing number of malware, malware analysis technologies need to be advanced continuously. Malware authors use various packing techniques to hide their code from malware detection tools and techniques. The packing techniques are generally used to compress and encrypt executable code in executable files, and the unpacking code is usually embedded in the executable files. Therefore, packed executable files can be executed by itself, and the information associated with packing can be used to analyze and detect malware. Since different packing tools will generate different packed executable files, packing tools can be identified by analyzing packed executable files, and packer identification can reduce malware‐analyzing overheads, and the executable files can even be unpacked. However, most previous studies focused on packing detection using signatures of unpacking code, and these approaches can be avoided by placing unpacking code in other locations or by distributing unpacking code in multiple locations. In this paper, we propose a new packer identification method by analyzing only code sections to extract features of malware generated by different packing tools. Experimental results show that our approach can identify different packing tools with the accuracy of 91.6% on average. Considering packer identification is the harder problem than packing detection, we argue that our approach can contribute to reducing overheads of malware analysis.

show abstract

Section: Related Workmentioning

confidence: 99%

mentioning

confidence: 99%

Packer identification method based on byte sequences

Jung

Bae

Choi

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…If the 1 Mb output file is used, it is possible to create copies every 1000 bytes (offset with 0.1 percent of the total file size), and the proper analysis is made, considering only the portion of 1000 bytes that is undetected. Copies are then created every 100 bytes over it, and this procedure is repeated until reaching the portion of 1 byte [5], considering that the ranges are not necessarily consecutive. Thus, hardware use increases, and the number of created files decreases, so the antivirus testing time also decreases.…”

Section: Current Malware Updating Processmentioning

confidence: 99%

Obfuscation-based Malware Update: A comparison of Manual and Automated Methods

Barría

Cordero

Cubillos

et al. 2017

INT J COMPUT COMMUN

Self Cite

View full text Add to dashboard Cite

This research presents a proposal of malware classification and its update based on capacity and obfuscation. This article is an extension of [4]a, and describes the procedure for malware updating, that is, to take obsolete malware that is already detectable by antiviruses, update it through obfuscation techniques and thus making it undetectable again. As the updating of malware is generally performed manually, an automatic solution is presented together with a comparison from the standpoint of cost and processing time. The automated method proved to be more reliable, fast and less intensive in the use of resources, specially in terms of antivirus analysis and malware functionality checking times.

show abstract

“…The process of taking a program whose signature is already recognized by anti-malware systems as a threat, and transforming it in such a way that is no longer detected, without losing functionality, is described by Barría et al as an iterative process of malware "update" [19]. This process involves a procedure cycle, where malware is encrypted thanks to a Crypter, to then be analyzed by one or more anti-malware systems.…”

Section: Current Malware Update Processmentioning

confidence: 99%

Optimation through Automation of Malware Update Process, Capable of Evading Anti-Malware Systems

Carabantes¹,

Huidobro²,

Vidal³

2016

RCS

View full text Add to dashboard Cite

Implementation and maintenance of malware protection measures imply high resources usage. Such is the case of Information Security Management Systems (ISMS), whose suggested structure is described by ISO Standard 27.001:2013. In this standard, work with malware is contemplated for penetration testing (pentesting) purposes, allowing to evaluate the response of computer systems against this kind of events. The present document approaches one of the existing malware usage methods for this purpose: encrypted malware obfuscation, through dead code insertion. This method is evaluated in terms of monetary cost and required time, through simulation, to later evaluate those metrics against an automated model, tested through a prototype software. The optimization of this process through the proposed automation, yielded a significant reduction of the monetary cost and time needed.

show abstract

Obfuscation procedure based in dead code insertion into crypter

Cited by 12 publications

References 3 publications

Packer identification method based on byte sequences

Packer identification method based on byte sequences

Obfuscation-based Malware Update: A comparison of Manual and Automated Methods

Optimation through Automation of Malware Update Process, Capable of Evading Anti-Malware Systems

Contact Info

Product

Resources

About