DOI: 10.1109/MILCOM.2017.8170793

A control flow graph-based signature for packer identification

Published: 23 October 2017

Abstract

The number of malicious files produced daily outpaces the current capacity for malware analysis and detection. For example, Intel Security Labs reported that its systems found more than 40 million new malware samples during the second quarter of 2016 [1]. The damage caused by malware attacks is also increasingly severe, as witnessed by the recent Cryptowall malware, which has reportedly generated more than $325M in ransom payments for its perpetrators [2]. On the defensive side, it is widely accepted that the traditional approach based on byte-string signatures is increasingly ineffective, especially against new malware samples and sophisticated variants of existing ones, so new techniques are needed for effective defense against malware. Motivated by this problem, this paper investigates a new defense technique: the automatic identification of the packers used to obfuscate malware programs. Signatures of malware packers and obfuscators are extracted from the control flow graphs (CFGs) of malware samples. Unlike conventional byte signatures, which can be evaded by modifying one or more bytes of a sample, these signatures are more difficult to evade: CFG-based signatures are shown to be resilient against instruction modification and shuffling, so a single signature is sufficient to detect mildly different versions of the same malware. Last but not least, the process of extracting CFG-based signatures is also automated.
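The following is an added illustration of why a signature computed over the control flow graph survives edits that break a byte signature; it is constructed for this page and is not the paper's algorithm or code. The listing syntax ("addr: mnemonic operands", with jmp, jcc and ret as the only control-flow mnemonics), the decode-loop stub and its variants, and the canonical DFS relabeling used to hash the graph are all assumptions made for the example.

```python
"""
Constructed illustration: CFG-based signature versus byte signature.

The assembly listing syntax is invented for this example and the
extraction/hashing scheme is a generic textbook approach, not the
method of the MILCOM 2017 paper.
"""
import hashlib

BRANCHES = {"jmp", "jcc"}          # jcc stands in for any conditional jump
TERMINATORS = BRANCHES | {"ret"}

# Constructed packer-style decode loop: xor each word until the end pointer,
# then tail-jump to the unpacked entry point at 0x1000 (outside the listing).
STUB_V1 = """
00: mov r1, 0          ; start pointer
04: mov r2, 100        ; end pointer
08: cmp r1, r2         ; loop head
0c: jcc 20             ; done -> tail
10: xor [r1], 5a       ; decode one word
14: add r1, 4
18: jmp 08
20: jmp 1000           ; tail jump to original entry point
"""

# Same stub after byte-level edits a packer variant might make: the two
# independent inits are swapped, mov r1,0 becomes xor r1,r1, add becomes lea,
# and the tail block is relocated. The control flow is unchanged.
STUB_V2 = """
00: mov r2, 100
04: xor r1, r1
08: cmp r1, r2
0c: jcc 30
10: xor [r1], 5a
14: lea r1, [r1+4]
18: jmp 08
30: jmp 1000
"""

# A structurally different stub (no loop) for the negative case.
OTHER = """
00: mov r1, 0
04: cmp r1, r2
08: jcc 14
0c: xor [r1], 5a
10: jmp 1000
14: jmp 1000
"""


def parse_listing(text):
    """Parse 'addr: mnemonic [operands]' lines into (addr, mnemonic, operands)."""
    insns = []
    for line in text.strip().splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments
        if not line:
            continue
        addr, rest = line.split(":", 1)
        parts = rest.split()
        insns.append((int(addr, 16), parts[0], " ".join(parts[1:])))
    return insns


def build_cfg(insns):
    """Return (entry_addr, {leader: [(kind, successor)]}) with kind 'ft' or 'br'.

    Successors are ordered semantically (fall-through before taken branch),
    so the canonical labeling does not depend on where blocks sit in memory.
    Branch targets outside the listing (e.g. the OEP) become leaf nodes.
    """
    addrs = [a for a, _, _ in insns]
    last_insn = {a: (m, o) for a, m, o in insns}
    leaders = {addrs[0]}
    for i, (_, m, o) in enumerate(insns):
        if m in BRANCHES and int(o, 16) in last_insn:
            leaders.add(int(o, 16))                  # branch target starts a block
        if m in TERMINATORS and i + 1 < len(insns):
            leaders.add(addrs[i + 1])                # instruction after a terminator
    leaders = sorted(leaders)
    cfg = {}
    for i, leader in enumerate(leaders):
        nxt = leaders[i + 1] if i + 1 < len(leaders) else None
        body = [a for a in addrs if a >= leader and (nxt is None or a < nxt)]
        m, o = last_insn[body[-1]]
        succ = []
        if m not in ("jmp", "ret") and nxt is not None:
            succ.append(("ft", nxt))                 # fall-through edge
        if m in BRANCHES:
            succ.append(("br", int(o, 16)))          # taken edge
        cfg[leader] = succ
    return leaders[0], cfg


def cfg_signature(entry, cfg):
    """Relabel blocks by DFS order from the entry, then hash the edge list."""
    order = {}
    stack = [entry]
    while stack:
        node = stack.pop()
        if node in order:
            continue
        order[node] = len(order)
        for _, s in reversed(cfg.get(node, [])):    # visit fall-through first
            if s not in order:
                stack.append(s)
    edges = sorted((order[u], kind, order[v])
                   for u, succ in cfg.items() if u in order
                   for kind, v in succ)
    return hashlib.sha256(repr(edges).encode()).hexdigest()


def byte_signature(insns):
    """Conventional content hash: any opcode or operand change breaks the match."""
    text = "\n".join(f"{m} {o}" for _, m, o in insns)
    return hashlib.sha256(text.encode()).hexdigest()


def signatures(listing):
    """Return (cfg_signature, byte_signature) for a listing."""
    insns = parse_listing(listing)
    entry, cfg = build_cfg(insns)
    return cfg_signature(entry, cfg), byte_signature(insns)


if __name__ == "__main__":
    for name, lst in (("v1", STUB_V1), ("v2", STUB_V2), ("other", OTHER)):
        c, b = signatures(lst)
        print(f"{name}: cfg={c[:16]} bytes={b[:16]}")
```

Running it shows v1 and v2 sharing one CFG signature while their byte signatures differ, and the non-looping stub getting a different CFG signature. The canonical relabeling here only handles graphs whose successor order is semantically fixed; a full graph-isomorphism treatment, and the attacks that change control flow itself (opaque predicates, block splitting), are outside what this toy shows.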

References

[1]
McAfee Labs, “McAfee Labs threats report: September 2016.” https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-sep-2016.pdf. Accessed: April 23, 2017.
[2]
Cyber Threat Alliance, “Cryptowall version 3 sequel: An analysis of one of the most lucrative ransomware threats, Cryptowall version 4.” https://www.cyberthreatalliance.org/pdf/cryptowall-report.pdf. Accessed: April 23, 2017.
[3]
R. Lyda and J. Hamrock, “Using entropy analysis to find encrypted and packed malware,” IEEE Security & Privacy, vol. 5, no. 2, pp. 40–45, 2007.
[4]
E. O. Osaghae, “Classifying packed programs as malicious software detected,” analysis, vol. 20, no. 10, p. 19, 2016.
[5]
A. Stepan, “Improving proactive detection of packed malware,” Virus Bulletin, pp. 11–13, March 2006.
[6]
M. Saleh, E. P. Ratazzi, and S. Xu, “Instructions-based detection of sophisticated obfuscation and packing,” in 2014 IEEE Military Communications Conference, pp. 1–6, Oct 2014.
[7]
G. Jeong, E. Choo, J. Lee, M. Bat-Erdene, and H. Lee, “Generic unpacking using entropy analysis,” in 2010 5th International Conference on Malicious and Unwanted Software, pp. 98–105, Oct 2010.
[8]
VirusTotal.com, “ahui.exe.” http://goo.gl/QYKW22. Accessed: Aug. 29, 2016.
[9]
VirusTotal.com, “dfrgntfs.exe.” http://goo.gl/XCqUcF. Accessed: Aug. 29, 2016.
[10]
X. Ugarte-Pedrero, I. Santos, B. Sanz, C. Laorden, and P. Bringas, “Countering entropy measure attacks on packed software detection,” in 2012 IEEE Consumer Communications and Networking Conference (CCNC), pp. 164–168, 2012.
[11]
aldeid.com, “PEiD.” http://www.aldeid.com/wiki/PEiD. Accessed: Feb. 8, 2014.
[12]
D. Devi and S. Nandi, “Pe file features in detection of packed executables,” International Journal of Computer Theory and Engineering, vol. 4, no. 3, p. 476, 2012.
[13]
M. Shafiq, S. Tabish, and M. Farooq, “PE-probe: leveraging packer detection and structural information to detect malicious portable executables,” in Proceedings of the Virus Bulletin Conference (VB), pp. 29–33, 2009.
[14]
R. Perdisci, A. Lanzi, and W. Lee, “Classification of packed executables for accurate computer virus detection,” Pattern Recogn. Lett., vol. 29, pp. 1941–1946, Oct. 2008.
[15]
S. Treadwell and M. Zhou, “A heuristic approach for detection of obfuscated malware,” in 2009 IEEE International Conference on Intelligence and Security Informatics (ISI ’09), pp. 291–299, June 2009.
[16]
I. Santos, X. Ugarte-Pedrero, B. Sanz, C. Laorden, and P. G. Bringas, “Collective classification for packed executable identification,” in Proceedings of the 8th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS ‘11, (New York, NY, USA), pp. 23–30, ACM, 2011.
[17]
R. N. Horspool and N. Marovac, “An approach to the problem of detranslation of computer programs,” The Computer Journal, vol. 23, no. 3, pp. 223–229, 1980.

Cited By

  • (2021) SE-PAC. Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, pp. 281–292. DOI: 10.1145/3422337.3447848. Online publication date: 26 April 2021.


Published In

MILCOM 2017 - 2017 IEEE Military Communications Conference (MILCOM)
Oct 2017
906 pages

Publisher

IEEE Press

Qualifiers

  • Research-article
