Lei Xue,Hao Zhou,Xiapu Luo,Yajin Zhou,Yang Shi,Guofei Gu,Fengwei Zhang,Man Ho Au

DOI: https://doi.org/10.1109/SP40001.2021.00105

2021-01-01

Abstract:Malware authors are abusing packers (or runtime-based obfuscators) to protect malicious apps from being analyzed. Although many unpacking tools have been proposed, they can be easily impeded by the anti-analysis methods adopted by the packers, and they fail to effectively collect the hidden Dex data due to the evolving protection strategies of packers. Consequently, many packing behaviors are unknown to analysts and packed malware can circumvent the inspection. To fill the gap, in this paper, we propose a novel hardware-assisted approach that first monitors the packing behaviors and then selects the proper approach to unpack the packed apps. Moreover, we develop a prototype named Happerwith a domain-specific language named behavior description language (BDL) for the ease of extending Happerafter tackling several technical challenges. We conduct extensive experiments with 12 commercial Android packers and more than 24k Android apps to evaluate Happer. The results show that Happerobserved 27 packing behaviors, 17 of which have not been elaborated by previous studies. Based on the observed packing behaviors, Happeradopted proper approaches to collect all the hidden Dex data and assembled them to valid Dex files.

Lei Xue,Hao Zhou,Xiapu Luo,Le Yu,Dinghao Wu,Yajin Zhou,Xiaobo Ma

DOI: https://doi.org/10.1109/TSE.2020.2996433

2022-01-01

Abstract:App developers are increasingly using packing services (or packers) to protect their code against being reverse engineered or modified. However, such packing techniques are also leveraged by the malicious developers to prevent the malware from being analyzed and detected by the static malware analysis and detection systems. Though there are already studies on unpacking packed Android apps, they usually leverage the manual reverse engineered packing behaviors to unpack apps packed by the specific packers and cannot be appified to the evolved and new packers. In this paper, we propose a novel unpacking approach with the capacity of adaptively unpacking the evolved and newly encountered packers. Also, we develop a new system, named PackerGrind, based on this adaptive approach for unpacking Android packers. The evaluation with real packed apps demonstrates that PackerGrind can successfully reveal packers protection mechanisms, effectively handle their evolution and recover Dex files with low overhead.

Lei Xue,Yuxiao Yan,Luyi Yan,Muhui Jiang,Xiapu Luo,Dinghao Wu,Yajin Zhou

DOI: https://doi.org/10.1145/3460319.3464839

2021-01-01

Abstract:Android packers have been widely adopted by developers to protect apps from being plagiarized. Meanwhile, various unpacking tools unpack the apps through direct memory dumping. To defend against these off-the-shelf unpacking tools, packers start to adopt virtual machine (VM) based protection techniques, which replace the original Dalvik bytecode (DCode) with customized bytecode (PCode) in memory. This defeats the unpackers using memory dumping mechanisms. However, little is known about whether such packers can provide enough protection to Android apps. In this paper, we aim to shed light on these questions and take the first step towards demystifying the protections provided to the apps by the VM-based packers. We proposed novel program analysis techniques to investigate existing commercial VM-based packers including a learning phase and a deobfuscation phase.We aim at deobfuscating the VM-protection DCode in three scenarios, recovering original DCode or its semantics with training apps, and restoring the semantics without training apps. We also develop a prototype named Parema to automate much work of the deobfuscation procedure. By applying it to the online VM-based Android packers, we reveal that all evaluated packers do not provide adequate protection and could be compromised.

Weihao Huang,Chaoyang Lin,Qiucun Yan,Lu Xiang,Zhiyu Zhang,Guozhu Meng,Kai Chen

DOI: https://doi.org/10.1109/cscwd57460.2023.10151998

2023-01-01

Abstract:In recent years, binary malware detection has attracted extensive attention from industry and academia. However, most of the existing work focuses on determining whether a sample is malicious or not, rather than identifying the malicious essence in malware. Few studies aim at locating malicious code at function granularity and suffer from inaccuracy. In this paper, we solve the problem by dividing malware into Functional Module (FM), which is a better granularity for locating malicious code, as it combines certain functions to express malicious behaviors in malware. We design a tool called FMDiv to automatically unpack and disassemble binary malware and then divide them into FMs based on the function call graph (CG). Meanwhile, one novel feature extraction and embedding method has been adopted to validate the effect of the FM division algorithm and provide one alternative method of characterization for subsequent malicious FM location. We evaluate FMDiv’s performance on 10,440 real-world samples from VIRUSSHARE. The results show that FMDiv can correctly characterize and make FM division of malware, outperforming current state-of-the-art work.

Fang Wangsheng,Shao Liping,Zhang Kejun

DOI: https://doi.org/10.3969/j.issn.1008-0570.2006.33.028

2006-01-01

Abstract:According to the structure characters of portable executable file format, the methods taking advantages of redundant spaces, redundant structures and static spaces allocated to strings to embed information into PE file are introduced in this paper. To prevent the embedded data from being understood and modified, a method is provided there, which make use of translating data in other forms to disguise information. To recover the original information, a method being availed of secret sharing schemas is also given. When some embedded informations are damaged, others can be used to recover the original embedded information to keep the em- bedded data completely.

David Korczynski

DOI: https://doi.org/10.48550/arXiv.1908.09204

2019-08-24

Cryptography and Security

Abstract:Run time packing is a common approach malware use to obfuscate their payloads, and automatic unpacking is, therefore, highly relevant. The problem has received much attention, and so far, solutions based on dynamic analysis have been the most successful. Nevertheless, existing solutions lack in several areas, both conceptually and architecturally, because they focus on a limited part of the unpacking problem. These limitations significantly impact their applicability, and current unpackers have, therefore, experienced limited adoption. In this paper, we introduce a new tool, called Minerva, for effective automatic unpacking of malware samples. Minerva introduces a unified approach to precisely uncover execution waves in a packed malware sample and produce PE files that are well-suited for follow-up static analysis. At the core, Minerva deploys a novel information flow model of system-wide dynamically generated code, precise collection of API calls and a new approach for merging execution waves and API calls. Together, these novelties amplify the generality and precision of automatic unpacking and make the output of Minerva highly usable. We extensively evaluate Minerva against synthetic and real-world malware samples and show that our techniques significantly improve on several aspects compared to previous work.

Shanqing Guo,Shuangshuang Li,Yan Yu,Anlei Hu,Tao Ban

DOI: https://doi.org/10.1007/978-3-642-34129-8_49

2012-01-01

Abstract:Executable packing is the most common technique to evade detection by anti-virus software.Many signature-based unpackers have been presented to uncover hidden viruses,which make the signature-based anti-virus software successfully detect the packed malicious code. However,these universal unpackers are computationally expensive and scanning large collections of executables may take several hours or even days.In order to improve the computational efficiency, Machine learning techniques have recently been proven effective in solving the focused issues,but up to now,no methods can show what packing method has been used in it.In this paper we proposed a fine-grained detection method to detect whether a malicious code has been packed and which method is been used to.This method firstly extract a hex-string from the target object file and then apply a String-Kernel-Based SVM Classifier to implement the fast detection of packed malicious code.We also show that our system achieves very high detection accuracy of packed executables, so that only executables detected as packed will be sent to an universal unpacker, thus saving a significant amount of processing time.

Nguyen Minh Hai,Quan Thanh Tho

DOI: https://doi.org/10.1007/978-3-319-69456-6_8

2017-01-01

Abstract:Most of modern malware are packed by packers to evade the anti-virus software. Basically, packers will apply various obfuscating techniques to hide their true behaviors from static analysis methods. Thus, how to deal with packed malware has always been a tough problem so far. This paper proposes a novel approach for packer detection using a combination of BE-PUM tool and Hidden Markov Model. First, BE-PUM tool is applied to detect the sequence of possible obfuscation techniques embedded in the analyzed binary program. Then, Hidden Markov Model is used to effectively identify the possibility of packer existence from the generated sequences. As Hidden Markov is very effective for pattern recognition, our proposed technique can accurately identify the packers deployed in binaries files. We have performed experiments on more than 2000 real-world malwares taken from VirusShare. The result is very promising.

Seokwoo Choi,Taejoo Chang,Yongsu Park

DOI: https://doi.org/10.3390/s24030840

IF: 3.9

2024-01-28

Sensors

Abstract:Despite recent remarkable advances in binary code analysis, malware developers still use complex anti-reversing techniques that make analysis difficult. Packers are used to protect malware, which are (commercial) tools that contain diverse anti-reversing techniques, including code encryption, anti-debugging, and code virtualization. In this study, we present UnSafengine64: a Safengine unpacker for 64-bit Windows. UnSafengine64 can correctly unpack packed executables using Safengine, which is considered one of the most complex commercial packers in Windows environments; to the best of our knowledge, there have been no published analysis results. UnSafengine64 was developed as a plug-in for Pin, which is one of the most widely used dynamic analysis tools for Microsoft Windows. In addition, we utilized Detect It Easy (DIE), IDA Pro, x64Dbg, and x64Unpack as auxiliary tools for deep analysis. Using UnSafengine64, we can analyze obfuscated calls for major application programming interface (API) functions or conduct fine-grained analyses at the instruction level. Furthermore, UnSafengine64 detects anti-debugging code chunks, captures a memory dump of the target process, and unpacks packed files. To verify the effectiveness of our scheme, experiments were conducted using Safengine 2.4.0. The experimental results show that UnSafengine64 correctly executes packed executable files and successfully produces an unpacked version. Based on this, we provided detailed analysis results for the obfuscated executable file generated using Safengine 2.4.0.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Mohammed Abuhamad,Eric Chan-Tin,Eldor Abdukhamidov,Qirui Sun,Tamer Abuhmed

DOI: https://doi.org/10.1145/3494108.3522768

2022-05-30

Abstract:Malware is one of the serious computer security threats. To protect computers from infection, accurate detection of malware is essential. At the same time, malware detection faces two main practical challenges: the speed of malware development and their distribution continues to increase with complex methods to evade detection (such as a metamorphic or polymorphic malware). This research utilizes various characterizing features extracted from each malware using static and dynamic analysis to build seven machine learning models to detect and analyze packed windows malware. We use a large-scale dataset of over 107,000 samples covering unpacked and packed malware using ten different packers. We examined the performance of seven machine learning techniques using 50 dynamic and static features. Our results show that packed malware can circumvent detection when a single analysis is performed while applying both static and dynamic methods can help improve the detection accuracy around 2% to 3%.

Computer Science

Xiaokai Ma,Zhemin Yang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2017.11.058

2017-01-01

Abstract:With the development of malware detection and analysis techniques,a large number of malwares use evasion techniques to fight against security analysis.Among these evasion techniques,code-hiding evasion techniques hide application code from static analysis,thus cause analysis results wrong or incomplete.The explosive growth of malware required automated detection of code-hiding evasion techniques.Through manual analysis of 142 malicious samples,this paper summarized an approach for detecting code-hiding evasion techniques and implemented a generic automated detection framework.We use the detection framework to do experiments on 2 278 samples in a third party applications market,and find that 34.9％ samples use code-hiding evasion techniques.

Chenglin Xie,Yujie Guo,Shaosen Shi,Yu Sheng,Xiarun Chen,Chengyang Li,Weiping Wen

DOI: https://doi.org/10.1109/trustcom53373.2021.00099

2021-01-01

Abstract:Sandbox is an excellent tool for dynamic malware analysis. However, the sandbox detection techniques are increasingly adopted to develop malwares, which has been a significant threat to sandbox analysis. These malwares can detect the running environment and show different behaviors in corresponding environments. So far, there have been several studies about countermeasures, but most of them concentrate on Windows OS. Environmental features in Linux sandbox have not been summarized yet. Besides, existing popular sandboxes can hardly combat against sandbox detecting techniques. In this paper, we focus on Linux sandbox. We firstly propose Linux environmental features from six aspects and implement an effective tool to collect features from running environment to tell the discrepancy among physical machine, virtual machine and sandbox. More importantly, we present EnvFaker, an effective method to reinforce Linux sandbox against environmental-sensitive malware. This method uses tracer to track child process and injected process, filters to intercept sandbox detecting behaviors, and emulator to disguise wear-and-tear and network environment. The experimental results further demonstrate that our method is effective against detecting techniques for Linux sandbox.

Qi Wang,Wajih Ul Hassan,Ding Li,Kangkook Jee,Xiao Yu,Kexuan Zou,Junghwan Rhee,Zhengzhang Chen,Wei Cheng,Carl A. Gunter,Haifeng Chen

DOI: https://doi.org/10.14722/ndss.2020.24167

2020-01-01

Abstract:To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or "stealthy malware" makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenancebased approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average Fl score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

Gwangyeol Lee,Minho Kim,Jeong Hyun Yi,Haehyun Cho

DOI: https://doi.org/10.3390/electronics13112081

IF: 2.9

2024-05-28

Electronics

Abstract:Original Entry Point (OEP) and API obfuscation techniques greatly hinder the analysis of malware. Contemporary packers, employing these sophisticated obfuscation strategies, continue to pose unresolved challenges, despite extensive research efforts. Recent studies, like API-Xray, have mainly concentrated on rebuilding obfuscated import tables in malware, but research into OEP obfuscation is still limited. As a solution, we present Pinicorn, an automated dynamic de-obfuscation system designed to tackle these complexities. Pinicorn bypasses packers' anti-analysis techniques and retrieves the original program from memory. It is specifically designed to detect and analyze trampoline codes within both OEP and the import table. Our evaluation shows that Pinicorn successfully deobfuscates programs hidden by three different packers, confirming its effectiveness through a comparative analysis with their original versions. Furthermore, we conducted experiments on malware obfuscated by Themida and VMProtect, analyzing the obfuscation techniques and successfully de-obfuscating them to validate the effectiveness of our approach.

engineering, electrical & electronic,physics, applied,computer science, information systems

Haizhou Wang,Nanqing Luo,Peng LIu

2024-11-09

Abstract:Sandboxes and other dynamic analysis processes are prevalent in malware detection systems nowadays to enhance the capability of detecting 0-day malware. Therefore, techniques of anti-dynamic analysis (TADA) are prevalent in modern malware samples, and sandboxes can suffer from false negatives and analysis failures when analyzing the samples with TADAs. In such cases, human reverse engineers will get involved in conducting dynamic analysis manually (i.e., debugging, patching), which in turn also gets obstructed by TADAs. In this work, we propose a Large Language Model (LLM) based workflow that can pinpoint the location of the TADA implementation in the code, to help reverse engineers place breakpoints used in debugging. Our evaluation shows that we successfully identified the locations of 87.80% known TADA implementations adopted from public repositories. In addition, we successfully pinpoint the locations of TADAs in 4 well-known malware samples that are documented in online malware analysis blogs.

Cryptography and Security,Artificial Intelligence

Weizhong Qiang,Lin Yang,Hai Jin

DOI: https://doi.org/10.1016/j.cose.2022.102871

2022-08-10

Abstract:Nowadays, the rapid growth of the number and variety of malware brings great security challenges. Machine learning has become a mainstream tool for effective malware detection, which can mainly be classified into static and dynamic analysis methods. The purpose of malware detection is to have a good and stable detection performance for different software forms. However, many static analysis methods are easily affected by packing and other code obfuscation techniques, and dynamic analysis methods are commonly believed more robust, while the impact of packing on them has received little attention. In addition, adversarial sample attacks against dynamic analysis methods have also been conducted. This indicates the need to investigate more accurate and robust malware classification methods. In this paper, we propose a new robust dynamic analysis method for malware detection by using specific fine-grained behavioral features, i.e., control flow traces. Further, a malware classifier is constructed by converting control flow traces into byte sequences and applying a combination of convolutional neural networks and long short term memory . The proposed classifier can effectively detect malware with an accuracy of up to 95.7%, as well as detect unseen malware with an accuracy of 94.6% (indicating a good performance in handling the evolution of malware). Meanwhile, it is first found experimentally that packing has specific interference with existing behavior-based malware classifiers, resulting in even worse performance than static classifiers in some cases. However, the proposed classifier performs well in terms of robustness, showing stable performance under the interference of an uneven packing distribution in the dataset, with a 26.3% higher true positive rate for unpacked samples compared to the API call-based classifier. In addition, the classifier is also more robust against adversarial samples, with a detection rate of at least 83%.

computer science, information systems

Ryoichi Isawa,Masaki Kamizono,Daisuke Inoue

DOI: https://doi.org/10.1007/978-3-642-42054-2_74

2013-01-01

Abstract:In this paper, we focus on the problem of the unpacking of packed executables in a generic way. That is, we do not assume specific knowledge about the algorithms used to produce the packed executable to do the unpacking (i.e. we do not extract/create a reverse algorithm). In general, when launched, a packed executable will first reconstruct the code of the original program, write it down someplace in memory and then transfer the execution to that original code by assigning the Extended Instruction Pointer (EIP) to the so-called Original Entry Point (OEP) of the program. Accordingly, if we had a way to accurately identify that transfer event in the execution flow and thus the OEP, we could more easily extract the original code for analysis (cf. by inspecting the remaining code after the OEP was reached). We then propose an effective generic unpacking method based on the combination of two novel OEP detection techniques, one relying on the incremental measurement of the entropy of the information stored in the memory space assigned to the unpacking process, and the other on the incremental searching and counting of potential Windows API calls in that same memory space.

Jong-Wouk Kim,Yang-Sae Moon,Mi-Jung Choi

DOI: https://doi.org/10.48550/arXiv.2208.08071

2022-08-17

Abstract:Malware developers use combinations of techniques such as compression, encryption, and obfuscation to bypass anti-virus software. Malware with anti-analysis technologies can bypass AI-based anti-virus software and malware analysis tools. Therefore, classifying pack files is one of the big challenges. Problems arise if the malware classifiers learn packers' features, not those of malware. Training the models with unintended erroneous data turn into poisoning attacks, adversarial attacks, and evasion attacks. Therefore, researchers should consider packing to build appropriate malware classifier models. In this paper, we propose a multi-step framework for classifying and identifying packed samples which consists of pseudo-optimal feature selection, machine learning-based classifiers, and packer identification steps. In the first step, we use the CART algorithm and the permutation importance to preselect important 20 features. In the second step, each model learns 20 preselected features for classifying the packed files with the highest performance. As a result, the XGBoost, which learned the features preselected by XGBoost with the permutation importance, showed the highest performance of any other experiment scenarios with an accuracy of 99.67%, an F1-Score of 99.46%, and an area under the curve (AUC) of 99.98%. In the third step, we propose a new approach that can identify packers only for samples classified as Well-Known Packed.

Cryptography and Security,Artificial Intelligence

Antonio Nappa,Panagiotis Papadopoulos,Matteo Varvello,Daniel Aceituno Gomez,Juan Tapiador,Andrea Lanzi

DOI: https://doi.org/10.48550/arXiv.2109.02979

2021-10-06

Abstract:Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information inthe reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to <a class="link-external link-http" href="http://detect.The" rel="external noopener nofollow">this http URL</a> most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a the native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement the POW-HOW framework, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces existing malware detection rate by a factor of 10. Moreover, we show how bare-metal environments cannot scale with actual malware submissions rates for consumer services.

Cryptography and Security

Dorel Yaffe,Danny Hendler

DOI: https://doi.org/10.1007/978-3-030-78086-9_29

2021-03-30

Abstract:In recent years malware has become increasingly sophisticated and difficult to detect prior to exploitation. While there are plenty of approaches to malware detection, they all have shortcomings when it comes to identifying malware correctly prior to exploitation. The trade-off is usually between false positives, causing overhead, preventing normal usage and the risk of letting the malware execute and cause damage to the target. We present a novel end-to-end solution for in-memory malicious activity detection done prior to exploitation by leveraging machine learning capabilities based on data from unique run-time logs, which are carefully curated in order to detect malicious activity in the memory of protected processes. This solution achieves reduced overhead and false positives as well as deployment simplicity. We implemented our solution for Windows-based systems, employing multi disciplinary knowledge from malware research, machine learning, and operating system internals. Our experimental evaluation yielded promising results. As we expect future sophisticated malware may try to bypass it, we also discuss how our solution can be extended to thwart such bypassing attempts.

Cryptography and Security,Machine Learning