
File Packing from the Malware Perspective: Techniques, Analysis Approaches, and Directions for Enhancements

Published: 03 December 2022

Abstract

With the growing sophistication of malware, devising improved malware detection schemes is crucial. Packing of executable files, one of the most common code-protection techniques, has been repurposed by malware authors for code obfuscation as a means of evading malware detectors (mainly static analysis-based detectors). This paper provides statistics on packer use based on an extensive analysis of 24,000 PE files (both malicious and benign) from the past 10 years, which allowed us to observe trends in packing use during that period and showed that packing is still widely used in malware. The paper then surveys 23 methods proposed in academic research for the detection and classification of packed portable executable (PE) files and highlights various trends in malware packing. It discusses the differences between the methods and their abilities to detect and identify various aspects of packing. A taxonomy is presented, classifying the methods as static, dynamic, and hybrid analysis-based methods. The paper also sheds light on the increasing role of machine learning in the development of modern packing detection methods. We analyzed and mapped the different packing methods and identified which of them can be countered by the detection methods surveyed in this paper.



    Published In

    ACM Computing Surveys, Volume 55, Issue 5
    May 2023
    810 pages
    ISSN:0360-0300
    EISSN:1557-7341
    DOI:10.1145/3567470

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 03 December 2022
    Online AM: 24 May 2022
    Accepted: 06 April 2022
    Revised: 12 March 2022
    Received: 22 March 2021
    Published in CSUR Volume 55, Issue 5


    Author Tags

    1. Packing
    2. packer
    3. identification
    4. analysis
    5. detection
    6. malware
    7. PE file

    Qualifiers

    • Survey
    • Refereed
