survey

File Packing from the Malware Perspective: Techniques, Analysis Approaches, and Directions for Enhancements

Authors:

Trivikram Muralidharan,

Nir NissimAuthors Info & Claims

ACM Computing Surveys, Volume 55, Issue 5

Article No.: 108, Pages 1 - 45

https://doi.org/10.1145/3530810

Published: 03 December 2022 Publication History

Abstract

With the growing sophistication of malware, the need to devise improved malware detection schemes is crucial. The packing of executable files, which is one of the most common techniques for code protection, has been repurposed for code obfuscation by malware authors as a means of evading malware detectors (mainly static analysis-based detectors). This paper provides statistics on the use of packers based on an extensive analysis of 24,000 PE files (both malicious and benign files) for the past 10 years, which allowed us to observe trends in packing use during that time and showed that packing is still widely used in malware. This paper then surveys 23 methods proposed in academic research for the detection and classification of packed portable executable (PE) files and highlights various trends in malware packing. The paper highlights the differences between the methods and their abilities to detect and identify various aspects of packing. A taxonomy is presented, classifying the methods as static, dynamic, and hybrid analysis-based methods. The paper also sheds light on the increasing role of machine learning methods in the development of modern packing detection methods. We analyzed and mapped the different packing methods and identified which of them can be countered by the detection methods surveyed in this paper.

References

[1]

M. Bat-Erdene, T. Kim, H. Li, and H. Lee. 2013. Dynamic classification of packing algorithms for inspecting executables using entropy analysis. Proc. 2013 8th Int. Conf. Malicious Unwanted Softw. The Am. MALWARE 2013. 19–26.

[2]

M. M. K. Al-Zanei. 2014. Generic packing detection using several complexity analysis for accurate malware detection 5, 1 (2014), 7–14.

[3]

L. Sun, S. Versteeg, S. Boztaş, and T. Yann. 2010. Pattern Recognition Techniques for the Classification of Malware Packers. Springer, Berlin, 2010, 370–390.

[4]

D.-I. M. Morgenstern and H. Pilz. Useful and useless statistics about viruses and anti-virus programs.

[5]

Peter Ferrie, Senior Anti-virus Researcher, and Microsoft Corporation. 2008. Anti-unpacker tricks. Current (2008).

[6]

M. Bat-Erdene, T. Kim, H. Park, and H. Lee. 2017. Packer detection for multi-layer executables using entropy analysis. Entropy 19, 3 (2017), 1–18.

[7]

W. Yan, Z. Zhang, and N. Ansari. 2008. Revealing packed malware. IEEE Secur. Priv. Mag. 6, 5 (2008), 65–69.

Digital Library

[8]

M.-J. Kim et al. 2010. Design and performance evaluation of binary code packing for protecting embedded software against reverse engineering. In 2010 13th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing 2010, 80–86.

Digital Library

[9]

Y. Choi, I. Kim, J. Oh, and J. Ryou. 2008. PE file header analysis-based packed PE file detection technique (PHAD). In International Symposium on Computer Science and its Applications 2008. 28–31.

Digital Library

[10]

R. Perdisci, A. Lanzi, and W. Lee. 2008. Classification of packed executables for accurate computer virus detection. Pattern Recognit. Lett. 29, 14 (2008), 1941–1946.

Digital Library

[11]

PE Format | Microsoft Docs. [Online]. Available: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format. [Accessed: 04-Feb-2021].

[12]

D. Devi and S. Nandi. 2012. PE file features in detection of packed executables. Entropy 4, 3 (2012), 476–478.

[13]

M. Sikorski and A. Honig. 2012. Practical malware analysis: The hands-on guide to dissecting malicious software. No Starch Press.

[14]

L. Sun, S. Versteeg, S. Boztaş, and T. Yann. 2010, July. Pattern recognition techniques for the classification of malware packers. In Australasian Conference on Information Security and Privacy. Springer, Berlin, Heidelberg, 370–390.

[15]

D. M. Abhi Gupta and Akshi S. Arya. 2018. Hashing Base Ed Encryption N And Anti-Deb Bugger Suppor Rt For Packing Multiple Fi Es Into Sing E Executable (2018), 96–99.

[16]

“I Executable and Linkable Format (ELF).”

[17]

K. Muhammad and H. Zahid. 2015. ITEE Journal. ITEE J. 4, 4 (2015), 1–5.

[18]

M. Hassnain and A. Abbas. 2017. ITEE Journal. Int. J. Inf. Technol. Electr. Eng. 6, 1 (2017), 10–16.

[19]

M. Bat-Erdene, H. Park, H. Li, H. Lee, and M.-S. Choi. 2017. Entropy analysis to classify unknown packing algorithms for malware detection. Int. J. Inf. Secur. 16, 3 (2017), 227–248.

Digital Library

[20]

B. Li, Y. Zhang, J. Li, W. Yang, and D. Gu. 2018. AppSpear: Automating the hidden-code extraction and reassembling of packed Android malware. J. Syst. Softw. 140 (2018), 3–16.

[21]

R. Lyda and J. Hamrock. 2007. Using entropy analysis to find encrypted and packed malware. IEEE Secur. Priv. Mag. 5, 2 (2007), 40–45.

Digital Library

[22]

G. Jacob, P. M. Comparetti, M. Neugschwandtner, C. Kruegel, and G. Vigna. 2013. A static, packer-agnostic filter to detect similar malware samples. In Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer-Verlag, 2013, 102–122.

[23]

J. Zhang, K. Zhang, Z. Qin, H. Yin, and Q. Wu. 2018. Sensitive system calls based packed malware variants detection using principal component initialized multilayers neural networks. 1–13.

[24]

Entropy and the distinctive signs of packed PE files. | NTinfo. [Online]. Available: http://n10info.blogspot.com/2014/06/entropy-and-distinctive-signs-of-packed.html. [Accessed: 04-Feb-2021].

[25]

I. J. Good, T. N. Gover, and G. J. Mitchell. 1970. Exact distributions for X 2 and for the likelihood-ratio statistic for the equiprobable multinomial distribution. 1970.

[26]

B. Cheng et al. 2018. Towards paving the way for large-scale windows malware analysis. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security - CCS ’18. 395–411.

[27]

X. Ugarte-Pedrero, D. Balzarotti, I. Santos, and P. G. Bringas. 2015. SoK: Deep packer inspection: A longitudinal study of the complexity of run-time packers. In 2015 IEEE Symposium on Security and Privacy. 659–673.

Digital Library

[28]

G. Bonfante et al. 2015. CoDisasm: Medium scale concatic disassembly of self-modifying binaries with overlapping instructions. 2015.

[29]

D. Bueno, K. J. Compton, K. A. Sakallah, and M. Bailey. Detecting traditional packers, decisively.

[30]

S. Cesare, Y. Xiang, and W. Zhou. 2013. Malwise—an effective and efficient classification system for packed and polymorphic malware. IEEE Trans. Comput. 62, 6 (2013), 1193–1206.

Digital Library

[31]

Ang Li, Yue Zhang, Junxing Zhang, and Gang Zhu. 2015. A token strengthened encryption packer to prevent reverse engineering PE files. In 2015 International Conference on Estimation, Detection and Information Fusion (ICEDIF'15). 307–312.

[32]

L. Bilge, A. Lanzi, and D. Balzarotti. Thwarting real-time dynamic unpacking.

[33]

J. Křoustek, P. Matula, D. Kolář, and M. Zavoral. Advanced preprocessing of binary executable files and its usage in retargetable decompilation.

[34]

L. Durfina, J. Kroustek, and P. Zemek. 2013. PsybOt malware: A step-by-step decompilation case study. In 2013 20th Working Conference on Reverse Engineering (WCRE'13). 449–456.

[35]

J. R. Levine. 2000. Linkers and Loaders. Morgan Kaufmann.

[36]

E. Cozzi, M. Graziano, Y. Fratantonio, and D. Balzarotti. 2018. Understanding Linux malware. Proc. - IEEE Symp. Secur. Priv. 2018-May, 161–175.

[37]

K. A. Roundy and B. P. Miller. 2013. Binary-code obfuscations in prevalent packer tools. ACM Comput. Surv. 46, 1 (2013), 1–32.

Digital Library

[38]

UPX: the Ultimate Packer for eXecutables - Homepage. [Online]. Available: https://upx.github.io/. [Accessed: 10-Feb-2021].

[39]

H. D. Menéndez, S. Bhattacharya, D. Clark, and E. T. Barr. 2019. The arms race: Adversarial search defeats entropy used to detect malware. Expert Syst. Appl. 118 (2019), 246–260.

Digital Library

[40]

Manual Unpacking of UPX Packed Binary File - www.SecurityXploded.com. [Online]. Available: https://securityxploded.com/unpackingupx.php. [Accessed: 10-Feb-2021].

[41]

Unpacking, Reversing, Patching. [Online]. Available: https://resources.infosecinstitute.com/unpacking-reversing-patching/#gref. [Accessed: 11-Feb-2021].

[42]

Oreans Technology: Software Security Defined. [Online]. Available: https://www.oreans.com/themida.php. [Accessed: 11-Feb-2021].

[43]

K. Coogan, S. Debray, T. Kaochar, and G. Townsend. 2009. Automatic static unpacking of malware binaries. In 2009 16th Working Conference on Reverse Engineering 2009, 167–176.

Digital Library

[44]

E. O. Osaghae. 2016. Classifying packed programs as malicious software detected 2016.

[45]

L. Bohne. 2009. Pandora's Bochs: Automatic Unpacking of Malware 121, 2009.

[46]

F. Guo, P. Ferrie, and T. Chiueh. 2008. A study of the packer problem and its solutions. In Recent Advances in Intrusion Detection. Berlin, Springer, Berlin, 2008, 98–115.

Digital Library

[47]

S.-C. Yu and Y.-C. Li. 2009. A unpacking and reconstruction system-AGUnpacker. In 2009 International Symposium on Computer Network and Multimedia Technology. 1–4.

[48]

M. N. Gagnon, S. Taylor, and A. K. Ghosh. 2007. Software protection through anti-debugging. IEEE Secur. Priv. Mag. 5, 3 (2007), 82–84.

Digital Library

[49]

P. Ferrie, S. A. Researcher, and M. Corporation. 2008. Anti-unpacker tricks. Current. 1–25.

[50]

C. V. Liţă, D. Cosovan, and D. Gavriluţ. 2018. Anti-emulation trends in modern packers: A survey on the evolution of anti-emulation techniques in UPA packers. J. Comput. Virol. Hacking Tech. 14, 2 (2018), 107–126.

[51]

E. Carrera and G. Erdélyi. 2004. Digital genome mapping. 2004.

[52]

X. Hu, T.-C. Chiueh, and K. G. Shin. 2009. Large-Scale Malware Indexing Using Function-Call Graphs * †. 2009.

[53]

A. Karnik, S. Goswami, and R. Guha. 2007. Detecting obfuscated viruses using cosine similarity analysis. In First Asia International Conference on Modelling & Simulation (AMS’07). 165–170.

Digital Library

[54]

A. Walenstein, M. Venable, M. Hayes, C. Thompson, and A. Lakhotia. Exploiting similarity between variants to defeat malware “Vilo” method for comparing and searching binary programs.

[55]

W. Fleshman, E. Raff, R. Zak, M. Mclean, and C. Nicholas. Static malware detection & subterfuge: Quantifying the robustness of machine learning and current anti-virus.

[56]

T. Abou-Assaleh, N. Cercone, V. Keselj, and R. Sweidan. 2004. N-gram-based detection of new malicious code. Proc. 28th Annu. Int. Comput. Softw. Appl. Conf. 2004. COMPSAC 2004 2 (2004), 41–42.

[57]

G. Wicherski. 2009. peHash: A novel approach to fast malware clustering. 2nd USENIX Work. Large-Scale Exploit. Emergent Threat. 2009.

[58]

O. Chum, J. Philbin, and A. Zisserman. 2008. Near duplicate image detection: Min-Hash and tf-idf weighting. In Proceedings of the British Machine Vision Conference 2008, 50, 1–50.10.

[59]

W. Jin et al. 2012. Binary function clustering using semantic hashes. In Proceedings - 2012 11th International Conference on Machine Learning and Applications, ICMLA'2012, 1, 386–391.

[60]

J. Crussell, C. Gibler, and H. Chen. 2013. Scalable semantics-based detection of similar Android applications. In Esorics 2013, 182–199.

[61]

A. Akusok, Y. Miche, J. Hegedus, R. Nian, and A. Lendasse. 2014. A two-stage methodology using K-NN and false-positive minimizing ELM for nominal data classification. Cognit. Comput. 6, 3 (2014), 432–445.

[62]

A. Tamersoy, K. Roundy, and D. H. Chau. 2014. Guilt by association. Proc. 20th ACM SIGKDD Int. Conf. Knowl. Discov. Data Min. - KDD’14. 1524–1533.

Digital Library

[63]

C. Oprisa, M. Checiches, and A. Nandrean. 2014. Locality-sensitive hashing optimizations for fast malware clustering. In Proceedings - 2014 IEEE 10th International Conference on Intelligent Computer Communication and Processing, ICCP'2014. 97–104.

[64]

Statistical Mechanics – R. K. Pathria, Paul D. Beale - Google ספרים.” [Online]. Available: https://books.google.co.il/books?id=KdbJJAXQ-RsC&printsec=frontcover&redir_esc=y&hl=iw#v=onepage&q&f=false. [Accessed: 11-Feb-2021].

[65]

I. Santos, X. Ugarte-Pedrero, B. Sanz, C. Laorden, and P. G. Bringas. 2011. Collective classification for packed executable identification. In Proceedings of the 8th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference on - CEAS’11. 23–30.

Digital Library

[66]

C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host.

[67]

Z. Tzermias, G. Sykiotakis, M. Polychronakis, and E. P. Markatos. 2011. Combining Static and Dynamic Analysis for the Detection of Malicious Documents. 2011.

[68]

D. Maiorca, I. Corona, and G. Giacinto. 2013. Looking at the Bag is not Enough to Find the Bomb: An Evasion of Structural Methods for Malicious PDF Files Detection. 2013.

[69]

F. Schmitt, J. Gassen, and E. Gerhards-Padilla. 2012. PDF scrutinizer: Detecting Javascript-based attacks in PDF documents. In 2012 Tenth Annual International Conference on Privacy, Security and Trust. 104–111.

Digital Library

[70]

X. Lu, J. Zhuge, R. Wang, Y. Cao, and Y. Chen. 2013. De-obfuscation and detection of malicious PDF files with high accuracy. In 2013 46th Hawaii International Conference on System Sciences. 4890–4899.

Digital Library

[71]

P. Royal, M. Halpin, D. Dagon, R. Edmonds, and W. Lee. 2006. PolyUnpack: Automating the hidden-code extraction of unpack-executing malware. In 2006 22nd Annual Computer Security Applications Conference (ACSAC’06). 289–300.

Digital Library

[72]

A. Cohen and N. Nissim. 2018. Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. Expert Syst. Appl. 102, 158–178.

Digital Library

[73]

N. Nissim, Y. Lapidot, A. Cohen, and Y. Elovici. 2018. Trusted system-calls analysis methodology aimed at detection of compromised virtual machines using sequential mining. Knowledge-Based Syst. 153, (2018), 147–175.

Digital Library

[74]

N. Nissim, R. Moskovitch, L. Rokach, and Y. Elovici. 2014. Novel active learning methods for enhanced PC malware detection in Windows OS. Expert Syst. Appl. 41, 13 (2014), 5843–5857.

[75]

N. Nissim, R. Moskovitch, L. Rokach, and Y. Elovici. 2012. Detecting unknown computer worm activity via support vector machines and active learning. Pattern Anal. Appl. 15, 4 (2012), 459–475.

Digital Library

[76]

A. Cohen, N. Nissim, L. Rokach, and Y. Elovici. 2016. SFEM: Structural feature extraction methodology for the detection of malicious office documents using machine learning methods. Expert Syst. Appl. 63 (2016), 324–343.

Digital Library

[77]

N. Nissim, A. Cohen, C. Glezer, and Y. Elovici. 2015. Detection of malicious PDF files and directions for enhancements: A state-of-the art survey. Comput. Secur. 48 (2015), 246–266.

Digital Library

[78]

N. Nissim, A. Cohen, and Y. Elovici. 2017. ALDOCX: Detection of unknown malicious microsoft office documents using designated active learning methods based on new structural feature extraction methodology. IEEE Trans. Inf. Forensics Secur. 12, 3 (2017), 631–646.

Digital Library

[79]

N. Nissim et al. 2016. Keeping pace with the creation of new malicious PDF files using an active-learning based detection framework. Secur. Inform. 5, 1 (2016) 1.

[80]

N. Nissim, A. Cohen, and Y. Elovici. 2016. Boosting the detection of malicious documents using designated active learning methods. Proc. - 2015 IEEE 14th Int. Conf. Mach. Learn. Appl. ICMLA 2015. 760–765.

[81]

A. Cohen, N. Nissim, and Y. Elovici. 2018. Novel set of general descriptive features for enhanced detection of malicious emails using machine learning methods. Expert Syst. Appl. 110 (2018), 143–169.

[82]

T. Ebringer, L. Sun, and S. Boztas. 2008. A fast randomness test that preserves local detail. Virus Bull. (2008), 34–42.

[83]

“PE iDentifier (PEiD) 0.95 /Binary Analysis/Editing/Downloads - Tuts 4 You.” [Online]. Available: https://tuts4you.com/e107_plugins/download/download.php?view.398. [Accessed: 11-Feb-2021].

[84]

M. G. Kang, P. Poosankam, and H. Yin. 2007. Renovo. In Proceedings of the 2007 ACM Workshop on Recurring Malcode - WORM’07. 46.

Digital Library

[85]

“Exeinfo PE 0.0.5.1 - Download.” [Online]. Available: https://exeinfo-pe.en.uptodown.com/windows. [Accessed: 11-Feb-2021].

[86]

“Exeinfo PE by A.S.L - packer - compression detector and data detector.” [Online]. Available: http://exeinfo.atwebpages.com/. [Accessed: 11-Feb-2021].

[87]

Google Code Archive - Long-term storage for Google Code Project Hosting. [Online]. Available: https://code.google.com/archive/p/fuu/. [Accessed: 21-Feb-2021].

[88]

E. Sheetrit, N. Nissim, D. Klimov, and Y. Shahar. 1983. Temporal probabilistic profiles for sepsis prediction in the ICU. In Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining - KDD’19. 2961–2969.

[89]

J. F. Allen. 1983. Maintaining knowledge about temporal intervals. 1983.

[90]

F. Song and W. B. Croft. 1999. A general language model for information retrieval. In Proceedings of the Eighth International Conference on Information and Knowledge Management. 316–321.

[91]

S. Kullback and R. A. Leibler. 1951. On information and sufficiency. Ann. Math. Stat. 22, 1 (1951), 79–86.

[92]

Which are the Linux Executable Files, and How do We Create Them? [Online]. Available: https://www.webhostinghero.com/blog/which-are-the-linux-executable-files-and-how-do-we-create-them/. [Accessed: 11-Feb-2021].

[93]

Kesav Kancherla, John Donahue, and Srinivas Mukkamala. 2016. Packer identification using byte plot and Markov plot. J. Comput. Virol. Hacking Tech. (2016). DOI:

[94]

Yeongcheol Kim, Joon Young Paik, Seokwoo Choi, and Eun Sun Cho. 2019. Efficient SVM based packer identification with binary diffing measures. In Proceedings - International Computer Software and Applications Conference. DOI:

[95]

Byeong Ho Jung, Seong Il Bae, Chang Choi, and Eul Gyu Im. 2020. Packer identification method based on byte sequences. In Concurrency Computation. DOI:

[96]

Erik Bergenholtz, Emiliano Casalicchio, Dragos Ilie, and Andrew Moss. 2020. Detection of metamorphic malware packers using multilayered LSTM networks. In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). DOI:

[97]

Moustafa Saleh, E. Paul Ratazzi, and Shouhuai Xu. 2017. A control flow graph-based signature for packer identification. In Proceedings - IEEE Military Communications Conference MILCOM. DOI:

[98]

Daniel Gibert, Carles Mateu, Jordi Planes, and Ramon Vicens. 2019. Using convolutional neural networks for classification of malware represented as images. J. Comput. Virol. Hacking Tech. (2019). DOI:

[99]

Fabrizio Biondi, Michael A. Enescu, Thomas Given-Wilson, Axel Legay, Lamine Noureddine, and Vivek Verma. 2019. Effective, efficient, and robust packing detection and classification. Comput. Secur. (2019). DOI:

Digital Library

[100]

Binlin Cheng and Pengwei Li. 2018. BareunPack: Generic unpacking on the bare-metal operating system. IEICE Trans. Inf. Syst. (2018). DOI:

[101]

Zhigang Zhang, Chaowen Chang, Peisheng Han, and Hongtao Zhang. 2020. Packed malware variants detection using deep belief networks. MATEC Web Conf. (2020). DOI:

[102]

Yakang Hua, Yuanzheng Du, and Dongzhi He. 2020. Classifying packed malware represented as control flow graphs using deep graph convolutional neural network. In Proceedings - 2020 International Conference on Computer Engineering and Application ICCEA'2020. DOI:

[103]

Hiromu Yakura, Shinnosuke Shinozaki, Reon Nishimura, Yoshihiro Oyama, and Jun Sakuma. 2018. Malware analysis of imaged binary samples by convolutional neural network with attention mechanism. In CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy. DOI:

[104]

Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N. Gomez, Łukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. In Advances in Neural Information Processing Systems.

[105]

Obfuscated Files or Information: Software Packing | MITRE. Retrieved February 21, 2021 from https://attack.mitre.org/techniques/T1027/002/.

[106]

The WildList Organization International. Retrieved February 25, 2021 from http://www.wildlist.org/.

[107]

Five ways Android malware is becoming more resilient | Broadcom. Retrieved February 21, 2021 from https://www.symantec.com/connect/blogs/five-ways-android-malware-becoming-more-resilient.

[108]

Executable compression - Wikipedia. Retrieved February 21, 2021 from https://en.wikipedia.org/wiki/Executable_compression.

[109]

ImpREC - aldeid. Retrieved February 25, 2021 from https://www.aldeid.com/wiki/ImpREC.

[110]

LordPE - aldeid. Retrieved February 25, 2021 from https://www.aldeid.com/wiki/LordPE.

[111]

Cuckoo Sandbox - Automated Malware Analysis. Retrieved February 21, 2021 from https://cuckoosandbox.org/.

[112]

The Sandbox | Understanding CyberForensics. Retrieved February 25, 2021 from https://cwsandbox.org/.

[113]

Automated Malware Analysis Tool | Falcon Sandbox | CrowdStrike. Retrieved February 21, 2021 from https://www.crowdstrike.com/endpoint-security-products/falcon-sandbox-malware-analysis/.

[114]

Free Automated Malware Analysis Service - powered by Falcon Sandbox. Retrieved February 21, 2021 from https://www.hybrid-analysis.com/.

[115]

unicorn/sample_arm.c at master · unicorn-engine/unicorn. Retrieved February 21, 2021 from https://github.com/unicorn-engine/unicorn/blob/master/samples/sample_arm.c.

[116]

Hojjat Aghakhani, Fabio Gritti, Francesco Mecca, Martina Lindorfer, Stefano Ortolani, Davide Balzarotti, Giovanni Vigna, and Christopher Kruegel. 2020. When malware is packin’ heat; Limits of machine learning classifiers based on static analysis features. DOI:

[117]

W. Yan, Z. Zhang, and N. Ansari. 2008. Revealing packed malware. In IEEE Security & Privacy 6, 5 (2008), 65–69, DOI:

Digital Library

[118]

Debra A. Lelewer and Daniel S. Hirschberg. 1987. Data compression. ACM Comput. Surv. 19, 3 (1987), 261–296. DOI:

Digital Library

[119]

David A. Huffman. 1952. A method for the construction of minimum-redundancy codes. Proceedings of the IRE 40, 9 (1952), 1098–1101.

[120]

Threat Actors Use Delphi Packer to Shield Binaries From Malware Classification. Retrieved November 11, 2021 from https://securityintelligence.com/news/threat-actors-use-delphi-packer-to-shield-binaries-from-malware-classification/.

[121]

Nir Nissim et al. 2019. Sec-lib: Protecting scholarly digital libraries from infected papers using active machine learning framework. IEEE Access 7 (2019), 110050–110073.

[122]

Aviad Cohen, Nir Nissim, and Yuval Elovici. 2020. MalJPEG: Machine learning based solution for the detection of malicious JPEG images. IEEE Access 8 (2020), 19997–20011.

[123]

Nir Nissim et al. 2014. ALPD: Active learning framework for enhancing the detection of malicious pdf files. 2014 IEEE Joint Intelligence and Security Informatics Conference. IEEE, 2014.

Digital Library

[124]

E. M. Rudd, R. Harang, and J. Saxe. 2018. MEADE: Towards a malicious email attachment detection engine. 2018 IEEE Int. Symp. Technol. Homel. Secur. HST'2018. 1–7. DOI:

[125]

S. Shukla, G. Kolhe, S. M. Pd, and S. Rafatirad. 2019. RNN-Based classifier to detect stealthy malware using localized features and complex symbolic sequence. Proc. - 18th IEEE Int. Conf. Mach. Learn. Appl. ICMLA'2019. 406–409. DOI:

[126]

M. Li, Y. Liu, M. Yu, G. Li, Y. Wang, and C. Liu. 2017. FEPDF: A robust feature extractor for malicious PDF detection. 2017 IEEE Trustcom/BigDataSE/ICESS.

[127]

GitHub - NtQuery/Scylla: Imports Reconstructor. Retrieved March 7, 2022 from https://github.com/NtQuery/Scylla.

[128]

Alessandro Mantovani, Simone Aonzo, Xabier Ugarte-Pedrero, Alessio Merlo, and Davide Balzarotti. Prevalence and impact of low-entropy packing schemes in the malware ecosystem. DOI:

Cited By

Zhang YLuo SWu HPan L(2024)Antibypassing Four-Stage Dynamic Behavior Modeling for Time-Efficient Evasive Malware DetectionIEEE Transactions on Industrial Informatics10.1109/TII.2023.332752220:3(4627-4639)Online publication date: Mar-2024
https://doi.org/10.1109/TII.2023.3327522
Tian BJiang JHe ZYuan XDong LSun C(2024)Functionality-Verification Attack Framework Based on Reinforcement Learning Against Static Malware DetectorsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.345304719(8500-8514)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3453047
De La Cruz Alvarado APortillo S(2024)Understanding Crypter-as-a-Service in a Popular Underground Marketplace2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW61312.2024.00016(85-90)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSPW61312.2024.00016
Show More Cited By

Index Terms

File Packing from the Malware Perspective: Techniques, Analysis Approaches, and Directions for Enhancements
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Malware and its mitigation

Recommendations

Malware Dynamic Analysis Evasion Techniques: A Survey

The cyber world is plagued with ever-evolving malware that readily infiltrate all defense mechanisms, operate viciously unbeknownst to the user, and surreptitiously exfiltrate sensitive data. Understanding the inner workings of such malware provides a ...
Revealing Packed Malware

In concert with the ever-growing network applications, a significant increase in the spread of malware over the Internet has been observed. In cases where malware are the zero-day threats, generating their signatures for detection via anti-virus (AV) ...
Obfuscation: The Hidden Malware

A cyberwar exists between malware writers and antimalware researchers. At this war's heart rages a weapons race that originated in the 80s with the first computer virus. Obfuscation is one of the latest strategies to camouflage the telltale signs of ...

Comments

Information & Contributors

Information

Published In

cover image ACM Computing Surveys

ACM Computing Surveys Volume 55, Issue 5

May 2023

810 pages

ISSN:0360-0300

EISSN:1557-7341

DOI:10.1145/3567470

Editor:
Albert Zomaya
University of Sydney, Australia

Issue’s Table of Contents

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 December 2022

Online AM: 24 May 2022

Accepted: 06 April 2022

Revised: 12 March 2022

Received: 22 March 2021

Published in CSUR Volume 55, Issue 5

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Survey
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

16
Total Citations
View Citations
2,002
Total Downloads

Downloads (Last 12 months)767
Downloads (Last 6 weeks)67

Reflects downloads up to 23 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zhang YLuo SWu HPan L(2024)Antibypassing Four-Stage Dynamic Behavior Modeling for Time-Efficient Evasive Malware DetectionIEEE Transactions on Industrial Informatics10.1109/TII.2023.332752220:3(4627-4639)Online publication date: Mar-2024
https://doi.org/10.1109/TII.2023.3327522
Tian BJiang JHe ZYuan XDong LSun C(2024)Functionality-Verification Attack Framework Based on Reinforcement Learning Against Static Malware DetectorsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.345304719(8500-8514)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3453047
De La Cruz Alvarado APortillo S(2024)Understanding Crypter-as-a-Service in a Popular Underground Marketplace2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW61312.2024.00016(85-90)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSPW61312.2024.00016
Khan FDurad MKhan AKhan FRizwan MAli A(2024)Design and Performance Analysis of an Anti-Malware System Based on Generative Adversarial Network FrameworkIEEE Access10.1109/ACCESS.2024.335845412(27683-27708)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3358454
Patsakis CCasino FLykousas N(2024)Assessing LLMs in malicious code deobfuscation of real-world malware campaignsExpert Systems with Applications10.1016/j.eswa.2024.124912(124912)Online publication date: Jul-2024
https://doi.org/10.1016/j.eswa.2024.124912
Li QZhang BTian DJia XHu C(2024)MDGraph: A novel malware detection method based on memory dump and graph neural networkExpert Systems with Applications10.1016/j.eswa.2024.124776255(124776)Online publication date: Dec-2024
https://doi.org/10.1016/j.eswa.2024.124776
Veroneze RBertrand Van Ouytsel CDam KLegay A(2024)Feature selection for packer classification based on association rule miningEngineering Applications of Artificial Intelligence10.1016/j.engappai.2024.109083137(109083)Online publication date: Nov-2024
https://doi.org/10.1016/j.engappai.2024.109083
S RRamesh GNair A(2024)MAGICComputers and Security10.1016/j.cose.2024.103735139:COnline publication date: 16-May-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103735
Geng JWang JFang ZZhou YWu DGe W(2024)A survey of strategy-driven evasion methods for PE malwareComputers and Security10.1016/j.cose.2023.103595137:COnline publication date: 12-Apr-2024
https://dl.acm.org/doi/10.1016/j.cose.2023.103595
Bertrand Van Ouytsel CDam KLegay A(2024)Analysis of machine learning approaches to packing detectionComputers & Security10.1016/j.cose.2023.103536136(103536)Online publication date: Jan-2024
https://doi.org/10.1016/j.cose.2023.103536
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Full Text

View this article in Full Text.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View full text|Download PDF

View Issue’s Table of Contents