Automatic Static Unpacking of Malware Binaries

OmniUnpack: Fast, Generic, and Safe Unpacking of Malware

Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2007

Malicious software (or malware) has become a growing threat as malware writers have learned that signature-based detectors can be easily evaded by "packing" the malicious payload in layers of compression or encryption. State-of-the-art malware detectors have adopted both static and dynamic techniques to recover the payload of packed malware, but unfortunately such techniques are highly ineffective. In this paper we propose a new technique, called OmniUnpack, to monitor the execution of a program in real-time and to detect when the program has removed the various layers of packing. OmniUnpack aids malware detection by directly providing to the detector the unpacked malicious payload. Experimental results demonstrate the effectiveness of our approach. OmniUnpack is able to deal with both known and unknown packing algorithms and introduces a low overhead (at most 11% for packed benign programs).

PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

2006

Modern malware often hides the malicious portion of its program code by making it appear as data at compile time and transforming it back into executable code at runtime. This obfuscation technique poses obstacles to researchers who want to understand the malicious behavior of new or unknown malware and to practitioners who want to create models of detection and methods of recovery. In this paper we propose a technique for automating the process of extracting the hidden-code bodies of this class of malware. Our approach is based on the observation that sequences of packed or hidden code in a malware instance can be made self-identifying when its runtime execution is checked against its static code model. In deriving our technique, we formally define the unpack-executing behavior that such malware exhibits and devise an algorithm for identifying and extracting its hidden code. We also provide details of the implementation and evaluation of our extraction technique; the results from our experiments on several thousand malware binaries show our approach can be used to significantly reduce the time required to analyze such malware, and to improve the performance of malware detection tools.

Design of a Retargetable Decompiler for a Static Platform-Independent Malware Analysis

… Security and Assurance, 2011

Together with the massive expansion of smartphones, tablets, and other smart devices, we can notice a growing number of malware threats targeting these platforms. Software security companies are not prepared for such diversity of target platforms and there are only a few techniques for platform-independent malware analysis. This is a major security issue these days. In this paper, we propose a concept of a retargetable reverse compiler (i.e. a decompiler), which is in an early stage of development. The retargetable decompiler transforms platform-specific binary applications into a high-level language (HLL) representation, which can be further analyzed in a uniform way. This tool will help with a static platform-independent malware analysis. Our unique solution is based on an exploitation of two systems that were originally not intended for such an application: the architecture description language (ADL) ISAC for a platform description and the LLVM Compiler System as the core of the decompiler. In this study, we show that our tool can produce highly readable HLL code.

Malware Detection by Static Checking and Dynamic Analysis of Executables

International Journal of Information Security and Privacy, 2017

Advanced malware continues to be a challenge in the digital world that signature-based detection techniques fail to conquer. Malware uses many anti-detection techniques to mutate. Thus no virus scanner can claim complete malware detection even for known malware. Static and dynamic analysis techniques focus upon different kinds of malware such as Evasive or Metamorphic malware. This paper proposes a comprehensive approach that combines static checking and dynamic analysis for malware detection. Static analysis is used to check the specific code characteristics. Dynamic analysis is used to analyze the runtime behavior of malware. The authors propose a framework for the automated analysis of an executable's behavior using text mining. Text mining of dynamic attributes identifies the important features for classifying the executable as benign or malware. The synergistic combination proposed in this paper allows detection of not only known variants of malware but even the obfuscat...

Manual Malware Analysis Using Static Method

2014

Today malware threats represent the greatest challenge to information security. The combat between malware writers and malware researchers never ends. Malware writers use a variety of avoidance techniques such as Code Obfuscation, Packing, Anti-Debugging and Anti-Virtualisation Technologies to foil researchers' analysis. Researchers, for their part, try to find many techniques to defend Information Technology (IT) services from being accessed or stolen by unauthorized parties. Most researchers perform malware analysis using Virtualisation Technology in an isolated environment because of security issues. This research focuses on analysing malware using a static method in an operating system environment. Thus, we focus on malware analysis that uses the Anti-Virtualisation avoidance technique. Although our platform environment is exposed to the threat posed by the malware sample, we protect this environment by using Toolwiz TimeFreeze and a Windows backup image to protect and secure our environment. This research pr...

Static Analyzer of Vicious Executables (SAVE)

2004

Software security assurance and malware (trojans, worms, and viruses, etc.) detection are important topics of information security. Software obfuscation, a general technique that is useful for protecting software from reverse engineering, can also be used by hackers to circumvent the malware detection tools. Current static malware detection techniques have serious limitations, and sandbox testing also fails to provide a complete solution due to time constraints.

Static detection of malicious code in executable programs

Int. J. of Req. Eng, 2001

In this paper, we propose a new approach for the static detection of malicious code in executable programs. Our approach rests on a semantic analysis based on behaviour that even makes possible the detection of unknown malicious code. This analysis is carried out directly on binary code. Static analysis offers techniques for predicting properties of the behaviour of programs without running them. The static analysis of a given binary executable is achieved in three major steps: construction of an intermediate representation, flow-based analysis that catches security-oriented program behaviour, and static verification of critical behaviours against security policies (model checking).

A Heuristics-based Static Analysis Approach for Detecting Packed PE Binaries

International Journal of Security and Its Applications, 2013

Malware authors evade signature-based detection by packing the original malware using custom packers. In this paper, we present a static heuristics-based approach for the detection of packed executables. We present 1) the PE heuristics considered for analysis and a taxonomy of heuristics; 2) a method for computing the score using power distance based on weights and risks assigned to the defined heuristics; and 3) classification of packed executables based on the threshold obtained with the training data set, and the results achieved with the test data set. The experimental results show that our approach has a high detection rate of 99.82% with a low false positive rate of 2.22%. We also bring out difficulties in detecting packed DLL, CLR and Debug mode executables via header analysis.