The study of evasion of packed PE from static detection

Static detection of packed portable executables (PEs) relies primarily on structural properties of the packed PE and on anomalies that packing tools introduce into it. This paper outlines weaknesses in this method of detection. We show that these structural properties and anomalies are contingent features of the executable and can be modified, with varying degrees of effort, to evade static detection.
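As an added illustration of the detection side the abstract describes (example code written for this page, not code from the paper), the following Python computes the kind of static heuristics a packed-PE detector relies on: per-section Shannon entropy, a section with no raw data but a large virtual size, and an entry point outside the usual code section. The PE image it inspects is a constructed synthetic header layout, and the 7.0-bit threshold, the section names and the `.text` convention are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty section."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(image: bytes):
    """Return (entry_point_rva, [(name, vaddr, vsize, raw_ptr, raw_size)]) from the PE headers."""
    coff = struct.unpack_from("<I", image, 0x3C)[0] + 4        # e_lfanew + "PE\0\0" -> IMAGE_FILE_HEADER
    if image[coff - 4:coff] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", image, coff + 20 + 16)[0]   # AddressOfEntryPoint
    table = coff + 20 + opt_size                                # IMAGE_SECTION_HEADER array
    raw = [struct.unpack_from("<8sIIII", image, table + 40 * i) for i in range(nsect)]
    return entry_rva, [(n.rstrip(b"\0").decode(), va, vs, rp, rs) for n, vs, va, rs, rp in raw]

def packer_indicators(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Static heuristics of the kind the abstract describes: section entropy plus structural anomalies."""
    entry, sections = parse_sections(image)
    findings = []
    for name, vaddr, vsize, rptr, rsize in sections:
        ent = shannon_entropy(image[rptr:rptr + rsize])
        if ent >= entropy_threshold:
            findings.append(f"{name}: entropy {ent:.2f} >= {entropy_threshold}")
        if rsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize:#x} virtual bytes (unpack target)")
        if vaddr <= entry < vaddr + max(vsize, rsize) and name != ".text":
            findings.append(f"entry point {entry:#x} in non-standard section {name}")
    return findings

def build_sample_image() -> bytes:
    """Constructed PE32 layout with packer-like traits; a synthetic image, not a real binary."""
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)    # i386, 2 sections, opt hdr 0xE0
    opt = bytearray(0xE0)
    opt[:2], opt[16:20] = b"\x0b\x01", struct.pack("<I", 0x5000)      # PE32 magic, entry RVA 0x5000
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB high-entropy
    raw_ptr = 0x40 + 4 + 20 + 0xE0 + 40 * 2                           # first byte after the headers
    hdr = "<8sIIIIIIHHI"                                              # IMAGE_SECTION_HEADER
    table = struct.pack(hdr, b"pk0", 0x4000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000020)
    table += struct.pack(hdr, b"pk1", 0x1000, 0x5000, len(payload), raw_ptr, 0, 0, 0, 0, 0xE0000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + payload
```

Every feature checked here is a contingent property of the file rather than of the packed code's behaviour, which is the paper's point: a detector built only on such features should be expected to miss packed files whose headers and section contents have been adjusted.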
