
PolyPack: an automated online packing service for optimal antivirus evasion

Published: 10 August 2009

Abstract

Packers have long been a valuable tool in the toolbox of offensive users for evading the detection capabilities of signature-based antivirus engines. However, selecting the packer that results in the most effective evasion of antivirus engines may not be a trivial task due to diversity in the capabilities of both antivirus and packers. In this paper, we propose the creation of an online automated service, called PolyPack, that uses an array of packers and antivirus engines as a feedback mechanism to select the packer that will result in the optimal evasion of the antivirus engines. Towards understanding the utility and efficacy of such a service, we construct an implementation of PolyPack which employs 10 packers and 10 popular antivirus engines. We show that PolyPack provides 258% more effective evasion of antivirus engines than using an average packer and out-evades the best evaluated packer (Themida) for over 40% of the binary samples.



Published In

WOOT'09: Proceedings of the 3rd USENIX conference on Offensive technologies
August 2009
9 pages

Publisher

USENIX Association, United States

Cited By
  • (2019) D-TIME. Proceedings of the 13th USENIX Conference on Offensive Technologies, 10.5555/3359043.3359053, pp. 10-10. Online publication date: 12-Aug-2019
  • (2018) Towards Paving the Way for Large-Scale Windows Malware Analysis. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 10.1145/3243734.3243771, pp. 395-411. Online publication date: 15-Oct-2018
  • (2018) The proactivity of Perceptron derived algorithms in malware detection. Journal in Computer Virology, 10.1007/s11416-012-0164-1, 8:4, pp. 133-140. Online publication date: 11-Dec-2018
  • (2016) Host of Troubles. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 10.1145/2976749.2978394, pp. 1516-1527. Online publication date: 24-Oct-2016
  • (2015) Packer classifier based on PE header information. Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, 10.1145/2746194.2746213, pp. 1-2. Online publication date: 21-Apr-2015
  • (2015) Towards Discovering and Understanding Unexpected Hazards in Tailoring Antivirus Software for Android. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, 10.1145/2714576.2714589, pp. 7-18. Online publication date: 14-Apr-2015
  • (2015) Design, implementation and evaluation of a novel anti-virus parasitic malware. Proceedings of the 30th Annual ACM Symposium on Applied Computing, 10.1145/2695664.2695683, pp. 2127-2133. Online publication date: 13-Apr-2015
  • (2013) ASIST. Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, 10.1145/2508859.2516670, pp. 981-992. Online publication date: 4-Nov-2013
  • (2011) Measuring pay-per-install. Proceedings of the 20th USENIX conference on Security, 10.5555/2028067.2028080, pp. 13-13. Online publication date: 8-Aug-2011