Generic unpacking techniques

Traditional signature-based malware detection relies on matching byte sequences, called signatures, found in an executable. Modern malware authors bypass signature-based scanning with code obfuscation, a recently emerged technology for information hiding. Obfuscation alters the byte sequence of the code without materially changing its execution behavior. A commonly used obfuscation technique is packing, which compresses and/or encrypts the program code. The actual code stays hidden until runtime, when the executable is unpacked, which makes it immune to static analysis. Since every packer has its own associated unpacker to undo the packing, a successful generic unpacker is difficult to come by. A few automated unpacking techniques have been published so far that attempt to unpack packed binaries without any specific knowledge of the packing technique used. In this paper, we aim to provide a comprehensive summary of the currently published prevalent generic unpacking techniques and weigh their effectiveness at dealing with the spreading nuisance of packed malware. Dynamic analysis is a promising solution to the packing problem, as every packed binary must inevitably unpack itself in order to execute. Emulation (running code in a virtual environment) is an effective and powerful technique for generic unpacking. We review various emulation-based unpacking techniques along with a few hybrid and alternative approaches.
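As an added illustration of the write-then-execute heuristic that emulation-based generic unpackers rely on (this is example code, not code from the paper or from any of the systems it surveys), the toy emulator below runs a constructed packed image and dumps the code region the moment control reaches memory that was written at runtime. The instruction set, the packer stub and the payload are all constructed for this example and correspond to no real ISA or packer.

```python
"""Toy write-then-execute monitor: record every memory write during emulation,
and the first time the fetch address is one that was written at runtime,
treat it as the original entry point (OEP) and dump the dirty region."""

# Constructed toy instruction set (integer cells in a flat memory list):
#   [OP_XOR, addr, key]  mem[addr] ^= key
#   [OP_JMP, addr]       continue at addr
#   [OP_ADD, imm]        acc += imm
#   [OP_HALT]            stop
OP_XOR, OP_JMP, OP_HALT, OP_ADD = 1, 2, 3, 4


def pack(payload, key, stub_base=0):
    """Constructed packer: emit a stub that XOR-decodes `payload` in place
    and then jumps to it. Returns (memory image, stub entry point)."""
    payload_base = stub_base + 3 * len(payload) + 2   # 3 cells per XOR, 2 for JMP
    stub = []
    for i in range(len(payload)):
        stub += [OP_XOR, payload_base + i, key]
    stub += [OP_JMP, payload_base]
    return stub + [cell ^ key for cell in payload], stub_base


def emulate(mem, entry, max_steps=10_000):
    """Emulate from `entry`. Return {'oep': addr, 'code': [...]} as soon as
    execution reaches runtime-written memory, or None if that never happens."""
    written = set()          # the "dirty" set: addresses modified since load
    acc, pc = 0, entry
    for _ in range(max_steps):
        if pc in written:
            # Control transferred into code the program itself wrote: this is
            # the unpacking moment. Dump the contiguous dirty run from pc.
            end = pc
            while end in written:
                end += 1
            return {"oep": pc, "code": mem[pc:end]}
        op = mem[pc]
        if op == OP_XOR:
            _, addr, key = mem[pc:pc + 3]
            mem[addr] ^= key
            written.add(addr)    # every write is tracked, whatever its target
            pc += 3
        elif op == OP_JMP:
            pc = mem[pc + 1]
        elif op == OP_ADD:
            acc += mem[pc + 1]
            pc += 2
        elif op == OP_HALT:
            return None          # ran to completion without executing written memory
        else:
            raise ValueError(f"bad opcode {op} at {pc}")
    return None
```

Real systems apply the same idea at page granularity and must decide which of several write-then-execute transitions is the final layer of a multi-layer packer; this toy stops at the first one.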
