Revealing Packed Malware

Yan, Wei; Zhang, Zheng; Ansari, Nirwan

doi:10.1109/msp.2008.126

Cited by 90 publications

(38 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Anti-virus software may be of very little benefit to assist the forensic investigator in the identification of the intent of malware. The detection performance of AV software has been shown by a number of researchers to be far less than ideal (Rutkowska 2006;Yin, Song et al 2007;Yan, Zhang et al 2008;Zhou and Meador Inge 2008). If the malware has not been analysed before, then it is highly unlikely that rules of recognition exist.…”

Section: Analysis Avoidancementioning

confidence: 99%

Malware Forensics: Discovery of the Intent of Deception

Brand¹,

Valli²,

Woodward³

2010

JDFSL

View full text Add to dashboard Cite

Malicious software (malware) has a wide variety of analysis avoidance techniques that it can employ to hinder forensic analysis. Although legitimate software can incorporate the same analysis avoidance techniques to provide a measure of protection against reverse engineering and to protect intellectual property, malware invariably makes much greater use of such techniques to make detailed analysis labour intensive and very time consuming. Analysis avoidance techniques are so heavily used by malware that the detection of the use of analysis avoidance techniques could be a very good indicator of the presence of malicious intent. However, there is a tendency for analysis tools to focus on hiding the presence of the tool itself from being detected by the malware, and not on recording the detection and recording of analysis avoidance techniques. In addition, the coverage of anti-anti-analysis techniques in common tools and plugins is much less than the number of analysis avoidance techniques that exist. The purpose of this paper is to suggest that the discovery of the intent of deception may be a very good indicator of an underlying malicious objective of the software under investigation.

show abstract

Section: Analysis Avoidancementioning

confidence: 99%

Malware Forensics: Discovery of the Intent of Deception

Brand¹,

Valli²,

Woodward³

2010

JDFSL

View full text Add to dashboard Cite

show abstract

“…Unfortunately, connived (indulged) on their previous success attackers develop their malware so that harder to detect [1,2]. Following Yan et al's [3] understanding, we consider packer as "a program that produces a number of data blocks to form a compressed and encrypted version of the original executable". Packing helps to evade from anti-virus (AV) by diminishing the size or transforming the appearance of executable binary [2,[4][5][6][7].…”

Section: Introductionmentioning

confidence: 99%

Packer Detection for Multi-Layer Executables Using Entropy Analysis

Bat-Erdene

Kim

Park

et al. 2017

Entropy

View full text Add to dashboard Cite

Packing algorithms are broadly used to avoid anti-malware systems, and the proportion of packed malware has been growing rapidly. However, just a few studies have been conducted on detection various types of packing algorithms in a systemic way. Following this understanding, we elaborate a method to classify packing algorithms of a given executable into three categories: single-layer packing, re-packing, or multi-layer packing. We convert entropy values of the executable file loaded into memory into symbolic representations, for which we used SAX (Symbolic Aggregate Approximation). Based on experiments of 2196 programs and 19 packing algorithms, we identify that precision (97.7%), accuracy (97.5%), and recall ( 96.8%) of our method are respectively high to confirm that entropy analysis is applicable in identifying packing algorithms.

show abstract

“…To prevent themselves from being analyzed and reverse engineered, more and more malwares (e.g., Agobot, MegaD, Kraken, Conficker) are using cryptographic algorithms (e.g., packing [51], encrypting C&C communication) to protect the malicious code and communication [40]. To prevent the in-memory cryptographic secrets (e.g., key, IV) from being recovered by key searching tools (e.g., rsakeyfind), sophisticated malware can make the cryptographic secrets truly transient in memory by encrypting or destroying the secrets right after using them at run-time.…”

Section: Introductionmentioning

confidence: 99%

CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution

Wang

Chang

2014

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Abstract-Malwares are becoming increasingly stealthy, more and more malwares are using cryptographic algorithms (e.g., packing, encrypting C&C communication) to protect themselves from being analyzed. The use of cryptographic algorithms and truly transient cryptographic secrets inside the malware binary imposes a key obstacle to effective malware analysis and defense.To enable more effective malware analysis, forensics and reverse engineering, we have developed CipherXRay -a novel binary analysis framework that can automatically identify and recover the cryptographic operations and transient secrets from the execution of potentially obfuscated binary executables. Based on the avalanche effect of cryptographic functions, CipherXRay is able to accurately pinpoint the boundary of cryptographic operation and recover truly transient cryptographic secrets that only exist in memory for one instant in between multiple nested cryptographic operations. CipherXRay can further identify certain operation modes (e.g., ECB, CBC, CFB) of the identified block cipher and tell whether the identified block cipher operation is encryption or decryption in certain cases.We have empirically validated CipherXRay with OpenSSL, popular password safe KeePassX, the ciphers used by malware Stuxnet, Kraken and Agobot, and a number of third party softwares with built-in compression and checksum. CipherXRay is able to identify various cryptographic operations and recover cryptographic secrets that exist in memory for only a few microseconds. Our results demonstrate that current software implementations of cryptographic algorithms hardly achieve any secrecy if their execution can be monitored.Index Terms-Binary analysis, avalanche effect, key recovery attack on cryptosystem, transient cryptographic secret recovery, secrecy of monitored execution, reverse engineering.

show abstract

Revealing Packed Malware

Cited by 90 publications

References 0 publications

Malware Forensics: Discovery of the Intent of Deception

Malware Forensics: Discovery of the Intent of Deception

Packer Detection for Multi-Layer Executables Using Entropy Analysis

CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution

Contact Info

Product

Resources

About