DOI: 10.1145/2490428.2490442 (research article)

SPADE: Signature based PAcker DEtection

Published: 17 August 2012

Abstract

Malware is a powerful weapon for compromising the confidential and secure data of a personal computer. Code packing helps malware authors create new variants of existing malware, and so signature-based malware detection is defeated. Packing tools hinder the reverse engineering process, making it difficult for security researchers to analyse new or unknown malware. A dynamic unpacker requires dedicated hardware and software for analysing samples and is computationally expensive. Hence a fast method is required for analysing the packers used to create packed executables. Every packer uses its own unpacking algorithm to unpack the payload in memory, so if a priori information on the packer used is available, unpacking becomes easy. In this paper, we propose a novel technique for generating the signature of packed malware to identify the packer used to obfuscate the binary.


Published in

SecurIT '12: Proceedings of the First International Conference on Security of Internet of Things, August 2012, 266 pages. ISBN: 9781450318228. DOI: 10.1145/2490428

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. malware
  2. malware obfuscation
  3. packing
  4. unpacking

Conference

SECURIT '12

Article Metrics

  • Downloads (last 12 months): 11
  • Downloads (last 6 weeks): 1
Reflects downloads up to 23 Sep 2024

Cited By

  • (2024) Experimental Toolkit for Manipulating Executable Packing. Risks and Security of Internet and Systems, pp. 263-279. DOI: 10.1007/978-3-031-61231-2_17. Online publication date: 16-Jun-2024
  • (2023) A survey on run-time packers and mitigation techniques. International Journal of Information Security 23(2), pp. 887-913. DOI: 10.1007/s10207-023-00759-y. Online publication date: 1-Nov-2023
  • (2020) Detection of Metamorphic Malware Packers Using Multilayered LSTM Networks. Information and Communications Security, pp. 36-53. DOI: 10.1007/978-3-030-61078-4_3. Online publication date: 28-Nov-2020
  • (2018) Packer identification method based on byte sequences. Concurrency and Computation: Practice and Experience 32(8). DOI: 10.1002/cpe.5082. Online publication date: 18-Nov-2018
  • (2014) P-SPADE: GPU accelerated malware packer detection. 2014 Twelfth Annual International Conference on Privacy, Security and Trust, pp. 257-263. DOI: 10.1109/PST.2014.6890947. Online publication date: Jul-2014
  • (2014) Malware detection and classification based on extraction of API sequences. 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 2337-2342. DOI: 10.1109/ICACCI.2014.6968547. Online publication date: Sep-2014
