DOI: 10.1145/2490428.2490431
Research article

Detection of packed malware

Published: 17 August 2012

Abstract

Packing is currently the most popular obfuscation technique used by malware writers. Traditional signature-based anti-virus software played a major role in malware detection until packed malware became prevalent. To evade detection, a malware writer relies on packer software, which transforms the binary appearance of a program without affecting its execution semantics. The biggest challenge for malware detection techniques today is therefore to determine whether a given binary is packed.
In this paper, we apply pattern recognition techniques to detect packed malware binaries. Our approach extracts the best set of features from Windows Portable Executable files and passes them to a classification model. The model works in two phases: the first phase classifies executables as packed or non-packed; once an executable is classified as packed, the second phase determines whether it is a packed benign or a packed malware executable. We used the UPX packer for this approach and achieved more than 99.9% accuracy in the first phase of classification and more than 95% accuracy in the second phase.

Published In

SecurIT '12: Proceedings of the First International Conference on Security of Internet of Things
August 2012
266 pages
ISBN:9781450318228
DOI:10.1145/2490428
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. non-packed
  2. packed
  3. packer
  4. portable executable

Qualifiers

  • Research-article

Conference

SECURIT '12
Article Metrics

  • Downloads (Last 12 months)40
  • Downloads (Last 6 weeks)0
Reflects downloads up to 23 Sep 2024

Cited By

  • (2024) Defend against Adversarial Attacks in Malware Detection through Attack Space Management. Computers & Security, 103841. doi:10.1016/j.cose.2024.103841. Online publication date: Apr-2024.
  • (2023) Hide My Payload: An Empirical Study of Antimalware Evasion Tools. 2023 IEEE International Conference on Big Data (BigData), pp. 2989-2998. doi:10.1109/BigData59044.2023.10386838. Online publication date: 15-Dec-2023.
  • (2022) A Survey on Botnets, Issues, Threats, Methods, Detection and Prevention. Journal of Cybersecurity and Privacy, 2(1), pp. 74-88. doi:10.3390/jcp2010006. Online publication date: 28-Feb-2022.
  • (2021) Malware detection and classification using community detection and social network analysis. Journal of Computer Virology and Hacking Techniques. doi:10.1007/s11416-021-00387-x. Online publication date: 14-May-2021.
  • (2021) Machine Learning for Static Malware Analysis. Encyclopedia of Machine Learning and Data Science, pp. 1-4. doi:10.1007/978-1-4899-7502-7_981-1. Online publication date: 6-Oct-2021.
  • (2017) Packer Detection for Multi-Layer Executables Using Entropy Analysis. Entropy, 19(3), 125. doi:10.3390/e19030125. Online publication date: 16-Mar-2017.
