poster

Packer classifier based on PE header information

Authors:

Qiao Jin,

Jiayi Duan,

Shobha Vasudevan,

Michael BaileyAuthors Info & Claims

HotSoS '15: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security

Article No.: 19, Pages 1 - 2

https://doi.org/10.1145/2746194.2746213

Published: 21 April 2015 Publication History

Get Access

Abstract

Run-time binary packers are used in malware manufacturing to obfuscate the contents of the executable files. Such packing has proved an obstacle for antivirus software that relies on signatures, as the binary contents of packed malware often bears no resemblance to the original code on which the signature was generated. A naive approach, then, is to first attempt to unpack the malware before applying a signature. Unfortunately, malware authors make use of automated tools that drastically reduce the cost of constructing new packers, and as a result, attackers routinely use previously unseen packer when releasing new malware.

As a first step towards addressing this problem, we seek to build a binary program classifier that can differentiate packers and identify new packers as they emerge. We hypothesize that programs generated from the same packer share many common attributes (e.g., PE header fields) and that these may be used for packer identification. Preliminary work shows that for some packers, we may be able to build effective classifiers. This is only the first step in a line of research that seeks to identify new packers, automate their unpacking, and ultimately track new versions of malware as they emerge.

References

[1]

Peid. http://www.peid.info.

Google Scholar

[2]

Vmprotect. http://vmpsoft.com.

Google Scholar

[3]

T. Koivunen. Sigbuster. http://www.teamfurry.com.

Google Scholar

[4]

L. Martignoni, M. Christodorescu, and S. Jha. Omniunpack: Fast, generic, and safe unpacking of malware. In Computer Security Applications Conference, 2007.

Crossref

Google Scholar

[5]

J. Oberheide, M. Bailey, and F. Jahanian. Polypack: An automated online packing service for optimal antivirus evasion. In Proceedings of the 3rd USENIX conference on Offensive technologies, 2009.

Digital Library

Google Scholar

Cited By

View all

Alkhateeb EGhorbani AHabibi Lashkari A(2024)Identifying Malware Packers through Multilayer Feature Engineering in Static AnalysisInformation10.3390/info1502010215:2(102)Online publication date: 9-Feb-2024
https://doi.org/10.3390/info15020102
Alkhateeb EGhorbani AHabibi Lashkari A(2023)A survey on run-time packers and mitigation techniquesInternational Journal of Information Security10.1007/s10207-023-00759-y23:2(887-913)Online publication date: 1-Nov-2023
https://doi.org/10.1007/s10207-023-00759-y
Liu HGuo CCui YShen GPing Y(2021)2-SPIFF: a 2-stage packer identification method based on function call graph and file attributesApplied Intelligence10.1007/s10489-021-02347-wOnline publication date: 21-Apr-2021
https://doi.org/10.1007/s10489-021-02347-w
Show More Cited By

Index Terms

Packer classifier based on PE header information
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

Packer identification based on metadata signature
SSPREW-7: Proceedings of the 7th Software Security, Protection, and Reverse Engineering / Software Security and Protection Workshop

Malware applies lots of obfuscation techniques, which are often automatically generated by the use of packers. This paper presents a packer identification of packed code based on metadata signature, which is a frequency vector of occurrences of ...
Binary-code obfuscations in prevalent packer tools

The first steps in analyzing defensive malware are understanding what obfuscations are present in real-world malware binaries, how these obfuscations hinder analysis, and how they can be overcome. While some obfuscations have been reported independently,...
Detecting PE infection-based malware

Organisations have employed multiple layers of defence mechanisms, while numerous attacks still take place every day. Malware is a major vehicle to perform attacks such as stealing confidential information, disrupting services, or sabotaging industrial ...

Comments

Information & Contributors

Information

Published In

HotSoS '15: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security

April 2015

170 pages

ISBN:9781450333764

DOI:10.1145/2746194

General Chair:
David Nicol
University of Illinois at Urbana-Champaign

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 April 2015

Check for updates

Qualifiers

Poster

Funding Sources

National Science Foundation

Conference

HotSoS '15

Sponsor:

US Army Research Office
NSF
National Security Agency

HotSoS '15: Symposium and Bootcamp on the Science of Security

April 21 - 22, 2015

Illinois, Urbana

Acceptance Rates

HotSoS '15 Paper Acceptance Rate 13 of 22 submissions, 59%;

Overall Acceptance Rate 34 of 60 submissions, 57%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
142
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)0

Reflects downloads up to 23 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Alkhateeb EGhorbani AHabibi Lashkari A(2024)Identifying Malware Packers through Multilayer Feature Engineering in Static AnalysisInformation10.3390/info1502010215:2(102)Online publication date: 9-Feb-2024
https://doi.org/10.3390/info15020102
Alkhateeb EGhorbani AHabibi Lashkari A(2023)A survey on run-time packers and mitigation techniquesInternational Journal of Information Security10.1007/s10207-023-00759-y23:2(887-913)Online publication date: 1-Nov-2023
https://doi.org/10.1007/s10207-023-00759-y
Liu HGuo CCui YShen GPing Y(2021)2-SPIFF: a 2-stage packer identification method based on function call graph and file attributesApplied Intelligence10.1007/s10489-021-02347-wOnline publication date: 21-Apr-2021
https://doi.org/10.1007/s10489-021-02347-w
Jung BBae SChoi CIm E(2018)Packer identification method based on byte sequencesConcurrency and Computation: Practice and Experience10.1002/cpe.508232:8Online publication date: 18-Nov-2018
https://doi.org/10.1002/cpe.5082

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Packer identification based on metadata signature

Binary-code obfuscations in prevalent packer tools

Detecting PE infection-based malware

Comments

Published In

Sponsors

Publisher

Publication History

Check for updates

Qualifiers

Funding Sources

Conference

Acceptance Rates

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Packer identification based on metadata signature

Binary-code obfuscations in prevalent packer tools

Detecting PE infection-based malware

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations