Article

PolyPack: an automated online packing service for optimal antivirus evasion

Authors:

Michael Bailey,

Farnam JahanianAuthors Info & Claims

WOOT'09: Proceedings of the 3rd USENIX conference on Offensive technologies

Page 9

Published: 10 August 2009 Publication History

Abstract

Packers have long been a valuable tool in the toolbox of offensive users for evading the detection capabilities of signature-based antivirus engines. However, selecting the packer that results in the most effective evasion of antivirus engines may not be a trivial task due to diversity in the capabilities of both antivirus and packers. In this paper, we propose the creation of an online automated service, called PolyPack, that uses an array of packers and antivirus engines as a feedback mechanism to select the packer that will result in the optimal evasion of the antivirus engines. Towards understanding the utility and efficacy of such a service, we construct an implementation of PolyPack which employs 10 packers and 10 popular antivirus engines. We show that PolyPack provides 258% more effective evasion of antivirus engines than using an average packer and out-evades the best evaluated packer (Themida) for over 40% of the binary samples.

References

[1]

Fast Small Good (FSG). http://www.woodmann. com/collaborative/tools/index.php/FSG, 2009.

[2]

PEiD. http://www.peid.info, 2009.

[3]

Bitsum Technologies. PECompact. http://www. bitsum.com/pecompact.php, 2009.

[4]

Danilo Bzdok. Yoda's Crypter. http://yodap. sourceforge.net, 2009.

[5]

Dwing. UPack. http://dwing.cjb.net, 2009.

[6]

Hispasec Sistemas. Virus total. http:// virustotal.com, 2004.

[7]

Immunity, Inc. CANVAS. http://www. immunitysec.com/products-canvas.shtml, 2009.

[8]

Min Gyung Kang, Pongsin Poosankam, and Heng Yin. Renovo: a hidden code extractor for packed executables. In WORM '07: Proceedings of the 2007 ACM workshop on Recurring malcode, 2007.

Digital Library

[9]

Markus Oberhumer. UPX. http://upx. sourceforge.net/, 2009.

[10]

L. Martignoni, M. Christodorescu, and S. Jha. Omniunpack: Fast, generic, and safe unpacking of malware. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2007.

[11]

Matt "skape" Miller. Using dual-mappings to evade automated unpackers. In Uninformed Journal Vol 10, 2008.

[12]

Arbor Networks. Arbor malware library (AML). http://www.arbornetworks.com, 2007.

[13]

North Star Software. NsPack. http://www. nsdsn.com/eng/index.htm, 2009.

[14]

Nullsoft, Inc. NSIS. http://nsis.sourceforge. net, 2009.

[15]

Jon Oberheide, Evan Cooke, and Farnam Jahanian. Rethinking antivirus: Executable analysis in the network cloud. In 2nd USENIX Workshop on Hot Topics in Security (HotSec 2007), August 2007.

Digital Library

[16]

Jon Oberheide, Evan Cooke, and Farnam Jahanian. CloudAV: N-Version Antivirus in the Network Cloud. In Proceedings of the 17th USENIX Security Symposium, July 2008.

Digital Library

[17]

Oreans Technology. Themida. http://www. oreans.com/, 2009.

[18]

Piotr Bania. Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs. http://piotrbania.com/all/articles/ pbania-dbi-unpacking2009.pdf, 2009.

[19]

D. Quist and Valsmith. Covert Debugging: Circumventing Software Armoring. In Proc. of Black Hat USA, 2007.

[20]

Paul Royal, Mitch Halpin, David Dagon, Robert Edmonds, and Wenke Lee. PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware. In The 22th Annual Computer Security Applications Conference (ACSAC 2006), Miami Beach, FL, December 2006.

Digital Library

[21]

Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee. Automatic Reverse Engineering of Malware Emulators. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland '09), 2009.

Digital Library

[22]

StarForce. ASpack. http://www.aspack.com/, 2009.

[23]

tHE EGOiSTE/TMG. tElock. http:// programmerstools.org/node/164, 2009.

[24]

Toni Koivunen / Teamfurry.com. SigBuster. http: //www.teamfurry.com, 2009.

Cited By

Pavithran JPatnaik MRebeiro CGantman AMaurice C(2019)D-TIMEProceedings of the 13th USENIX Conference on Offensive Technologies10.5555/3359043.3359053(10-10)Online publication date: 12-Aug-2019
https://dl.acm.org/doi/10.5555/3359043.3359053
Cheng BMing JFu JPeng GChen TZhang XMarion JLie DMannan MBackes MWang X(2018)Towards Paving the Way for Large-Scale Windows Malware AnalysisProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security10.1145/3243734.3243771(395-411)Online publication date: 15-Oct-2018
https://dl.acm.org/doi/10.1145/3243734.3243771
Cimpoeşu MGavriluţ DPopescu A(2018)The proactivity of Perceptron derived algorithms in malware detectionJournal in Computer Virology10.1007/s11416-012-0164-18:4(133-140)Online publication date: 11-Dec-2018
https://dl.acm.org/doi/10.1007/s11416-012-0164-1
Show More Cited By

Recommendations

WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems

The fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the ...
A Survey on Intrusion Detection and Prevention Systems
Abstract
In the digital world, malicious activities that violate the confidentiality, integrity, or availability of data and devices are known as intrusions. An intrusion detection system (IDS) analyses the activities of a single system or a network to ...
Detecting, validating and characterizing computer infections in the wild
IMC '11: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference

Although network intrusion detection systems (IDSs) have been studied for several years, their operators are still overwhelmed by a large number of false-positive alerts. In this work we study the following problem: from a large archive of intrusion ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

WOOT'09: Proceedings of the 3rd USENIX conference on Offensive technologies

August 2009

9 pages

Publisher

USENIX Association

United States

Publication History

Published: 10 August 2009

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 23 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Pavithran JPatnaik MRebeiro CGantman AMaurice C(2019)D-TIMEProceedings of the 13th USENIX Conference on Offensive Technologies10.5555/3359043.3359053(10-10)Online publication date: 12-Aug-2019
https://dl.acm.org/doi/10.5555/3359043.3359053
Cheng BMing JFu JPeng GChen TZhang XMarion JLie DMannan MBackes MWang X(2018)Towards Paving the Way for Large-Scale Windows Malware AnalysisProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security10.1145/3243734.3243771(395-411)Online publication date: 15-Oct-2018
https://dl.acm.org/doi/10.1145/3243734.3243771
Cimpoeşu MGavriluţ DPopescu A(2018)The proactivity of Perceptron derived algorithms in malware detectionJournal in Computer Virology10.1007/s11416-012-0164-18:4(133-140)Online publication date: 11-Dec-2018
https://dl.acm.org/doi/10.1007/s11416-012-0164-1
Chen JJiang JDuan HWeaver NWan TPaxson VWeippl EKatzenbeisser SKruegel CMyers AHalevi S(2016)Host of TroublesProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security10.1145/2976749.2978394(1516-1527)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2976749.2978394
Jin QDuan JVasudevan SBailey MNicol D(2015)Packer classifier based on PE header informationProceedings of the 2015 Symposium and Bootcamp on the Science of Security10.1145/2746194.2746213(1-2)Online publication date: 21-Apr-2015
https://dl.acm.org/doi/10.1145/2746194.2746213
Huang HChen KRen CLiu PZhu SWu DBao FMiller SZhou JAhn G(2015)Towards Discovering and Understanding Unexpected Hazards in Tailoring Antivirus Software for AndroidProceedings of the 10th ACM Symposium on Information, Computer and Communications Security10.1145/2714576.2714589(7-18)Online publication date: 14-Apr-2015
https://dl.acm.org/doi/10.1145/2714576.2714589
Min BVaradharajan VWainwright RCorchado JBechini AHong J(2015)Design, implementation and evaluation of a novel anti-virus parasitic malwareProceedings of the 30th Annual ACM Symposium on Applied Computing10.1145/2695664.2695683(2127-2133)Online publication date: 13-Apr-2015
https://dl.acm.org/doi/10.1145/2695664.2695683
Papadogiannakis ALoutsis LPapaefstathiou VIoannidis SSadeghi AGligor VYung M(2013)ASISTProceedings of the 2013 ACM SIGSAC conference on Computer & communications security10.1145/2508859.2516670(981-992)Online publication date: 4-Nov-2013
https://dl.acm.org/doi/10.1145/2508859.2516670
Caballero JGrier CKreibich CPaxson VWagner D(2011)Measuring pay-per-installProceedings of the 20th USENIX conference on Security10.5555/2028067.2028080(13-13)Online publication date: 8-Aug-2011
https://dl.acm.org/doi/10.5555/2028067.2028080

View Options

View options

Media

Figures

Other

Tables

View Table of Contents