PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

Royal, Paul; Halpin, M.; Dagon, David; Edmonds, Robert L.; Lee, Wenke

doi:10.1109/acsac.2006.38

Cited by 206 publications

(174 citation statements)

References 2 publications

Supporting

Mentioning

169

Contrasting

Order By: Relevance

“…In [4], detection of computer viruses is shown to be undecidable both by apriori and runtime analysis, and it can be shown that distinguishing between packed and non-packed executables is also undecidable [14]. Although these results prove that no algorithm can detect packed executables and computer viruses with absolute precision, detection may still be performed with high accuracy, as we discuss in this paper.…”

Section: Related Workmentioning

confidence: 63%

“…OmniUnpack is supposed to be integrated with the operating system kernel, and monitors every application executed on the machine. Similarly [14,6] present executable unpackers based on dynamic analysis of executables performed in an isolated environment (e.g. a virtual machine or an emulator).…”

Section: Related Workmentioning

confidence: 99%

“…After P has been extracted, its code can be scanned using traditional anti-virus software. It has been shown that scanning the unpacked code using signature-based anti-virus software significantly improves virus detection accuracy [14,9]. However, universal unpackers introduce a high computational overhead, and the processing time may vary from tens of seconds to several minutes per executable.…”

Section: Introductionmentioning

confidence: 99%

“…Therefore, our classification system helps in improving virus detection while saving a significant amount of processing time. In this paper we do not focus on the improvements in virus detection accuracy achieved after unpacking, because this has already been studied in [14,9], for example. Instead, we focus on the accuracy and computational cost related to the classification of packed executables into the two classes packed and non-packed.…”

Section: Introductionmentioning

confidence: 99%

“…Universal unpackers [14,6] are able to detect and extract (part of) P from P ′ without specific knowledge about the encryption algorithm used to generate P ′ . The code of P is dynamically extracted by running P ′ in an isolated environment and monitoring the execution of instructions written in memory at run-time.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Classification of packed executables for accurate computer virus detection

Perdisci¹,

Lanzi

Lee

2008

Pattern Recognition Letters

Self Cite

124

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 63%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Classification of packed executables for accurate computer virus detection

Perdisci¹,

Lanzi

Lee

2008

Pattern Recognition Letters

Self Cite

124

View full text Add to dashboard Cite

A dynamic malware analyzer against virtual machine aware malicious software

Pektaş

Acarman

2013

Security Comm Networks

View full text Add to dashboard Cite

Nowadays, cyber‐world is being enriched by a large variety of digital information technology‐based services. An increasing rate of remote and mobile usage leads to a remarkable dependency on information security. Analysis and detection of malicious software or so‐called malware is a challenging task due to the introduction of advanced obfuscation techniques by malware authors. In this study, we mainly concentrate on anti‐virtual machine evasion techniques to provide secure and reproducible environments for malware analysis and its implementation issues. Malwares are identified on the basis of their behaviors by taking precautions related to the anti‐virtual machine detection techniques. The dynamic malware analyzer tool is deployed to execute anti‐virtual machine‐aware malware samples in VMware environment. Dynamic malware analyzer monitors system resources such as connections, processes, windows registry, and file operations. Success ratio of detection is tested by using public malware sets with an accuracy of 92%. The effectiveness and success of the behavior‐based malware analyzer tool is exploited and current state of the art of malware detection schemes is presented. Copyright © 2013 John Wiley & Sons, Ltd.

show abstract

Field experience with obfuscating million‐user iOS apps in large enterprise mobile development

Wang

Chen³

et al. 2018

Softw Pract Exp

View full text Add to dashboard Cite

Summary In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real‐world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app‐provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow‐up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.

show abstract

PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

Cited by 206 publications

References 2 publications

Classification of packed executables for accurate computer virus detection

Classification of packed executables for accurate computer virus detection

A dynamic malware analyzer against virtual machine aware malicious software

Field experience with obfuscating million‐user iOS apps in large enterprise mobile development

Contact Info

Product

Resources

About