
Packer identification based on metadata signature

Published: 05 December 2017

Abstract

Malware applies many obfuscation techniques, which are often generated automatically by packers. This paper presents packer identification of packed code based on a metadata signature, a frequency vector of occurrences of classified obfuscation techniques. First, BE-PUM (Binary Emulator for PUshdown Model generation) disassembles the malware and generates its control flow graph on the fly using concolic testing. Second, obfuscation techniques in the generated control flow graph are detected according to the formal criteria of each technique. Last, the packer that was used is identified by a chi-square test on the metadata signature of the packed code. The precision is evaluated in experiments on 12814 malware samples from VX Heaven and VirusShare, in which 608 examples are detected inconsistently with the commercial packer identification of PEiD, CFF Explorer, and VirusTotal. We manually confirm that, except for 1 example, BE-PUM is correct. The only case that BE-PUM misidentifies is between MEW and FSG, which are quite similar packers; the current BE-PUM extension does not support MEW.
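The final step of the abstract, matching a sample's metadata signature against known packers with a chi-square test, as an added example that is not the paper's BE-PUM code: the technique labels, the reference signatures, the Laplace smoothing and the rejection threshold are all constructed assumptions for illustration.

```python
from math import fsum

# Obfuscation technique classes used as the vector dimensions (illustrative
# labels, assumed here; the paper's exact class list is not reproduced).
TECHNIQUES = ("indirect_jump", "self_modifying", "seh", "anti_debug",
              "overlapping_insn", "timing_check", "checksumming")

# Constructed reference signatures: how often each technique class was seen
# in the unpacking stubs produced by three hypothetical packers.
REFERENCE = {
    "PackerA": [40, 5, 0, 10, 0, 2, 0],
    "PackerB": [10, 30, 8, 3, 6, 0, 4],
    "PackerC": [5, 5, 20, 25, 1, 12, 3],
}


def to_distribution(counts, alpha=0.5):
    """Laplace-smoothed probability vector so no expected frequency is zero
    (a zero expected count would make the chi-square term undefined)."""
    total = fsum(counts) + alpha * len(counts)
    return [(c + alpha) / total for c in counts]


def chi_square(observed, reference_counts):
    """Pearson chi-square statistic of an observed signature against a
    reference packer signature scaled to the same total count."""
    n = fsum(observed)
    expected = [n * p for p in to_distribution(reference_counts)]
    return fsum((o - e) ** 2 / e for o, e in zip(observed, expected))


def identify_packer(observed, reference=REFERENCE, threshold=50.0):
    """Return (packer, statistic) for the best-fitting reference signature,
    or ('unknown', statistic) when even the best fit exceeds the threshold."""
    scores = {name: chi_square(observed, sig) for name, sig in reference.items()}
    best = min(scores, key=scores.get)
    if scores[best] > threshold:
        return "unknown", scores[best]
    return best, scores[best]


if __name__ == "__main__":
    # Constructed signature of one packed binary, close to PackerA's profile.
    sample = [36, 4, 1, 12, 0, 1, 0]
    print(identify_packer(sample))
```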


Published In

SSPREW-7: Proceedings of the 7th Software Security, Protection, and Reverse Engineering / Software Security and Protection Workshop
December 2017, 68 pages
ISBN: 9781450353878
DOI: 10.1145/3151137

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. binary code analysis
2. concolic testing
3. malware
4. packer

Acceptance Rates

SSPREW-7 paper acceptance rate: 6 of 13 submissions, 46%
Overall acceptance rate: 6 of 13 submissions, 46%

Cited By

• (2024) Identifying Malware Packers through Multilayer Feature Engineering in Static Analysis. Information 15(2):102. DOI: 10.3390/info15020102. Online publication date: 9 Feb 2024.
• (2024) Experimental Toolkit for Manipulating Executable Packing. Risks and Security of Internet and Systems, pp. 263--279. DOI: 10.1007/978-3-031-61231-2_17. Online publication date: 16 Jun 2024.
• (2023) A survey on run-time packers and mitigation techniques. International Journal of Information Security 23(2):887--913. DOI: 10.1007/s10207-023-00759-y. Online publication date: 1 Nov 2023.
• (2023) Learning Discriminative Representations for Malware Family Classification. Hybrid Intelligent Systems, pp. 1327--1336. DOI: 10.1007/978-3-031-27409-1_121. Online publication date: 25 May 2023.
• (2021) SE-PAC. Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, pp. 281--292. DOI: 10.1145/3422337.3447848. Online publication date: 26 Apr 2021.
• (2021) 2-SPIFF: a 2-stage packer identification method based on function call graph and file attributes. Applied Intelligence. DOI: 10.1007/s10489-021-02347-w. Online publication date: 21 Apr 2021.
• (2019) A Consistently-Executing Graph-Based Approach for Malware Packer Identification. IEEE Access 7:51620--51629. DOI: 10.1109/ACCESS.2019.2910268. Online publication date: 2019.
• (2018) Packer identification method based on byte sequences. Concurrency and Computation: Practice and Experience 32(8). DOI: 10.1002/cpe.5082. Online publication date: 18 Nov 2018.