SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers

Run-time packers are often used by malware writers to obfuscate their code and hinder static analysis. The packer problem has been widely studied, and several solutions have been proposed to generically unpack protected binaries. Nevertheless, these solutions commonly rely on a number of assumptions that do not necessarily reflect the reality of the packers used in the wild. Moreover, previous solutions fail to provide useful information about the structure of the packer or its complexity. In this paper, we describe a framework for packer analysis and propose a taxonomy to measure the run-time complexity of packers. We evaluated our dynamic analysis system on two datasets, composed of both off-the-shelf packers and custom packed binaries. Based on the results of our experiments, we present several statistics about the complexity of packers and their evolution over time.