DynODet: Detecting Dynamic Obfuscation in Malware

Conference paper. In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2017)

Abstract

Malicious software, better known as malware, is a major threat to society. Malware today typically employs a technique called obfuscation. Obfuscation detection in malware is a well-documented problem and has been analyzed using dynamic analysis. However, many tools that detect obfuscation in malware make no attempt to use the presence of obfuscation as a method of detecting malware, because their schemes would also flag benign applications. We present three main contributions. First, we conduct a unique study into the prevalence of obfuscation in benign applications. Second, we create discriminating features that can distinguish obfuscation in benign applications from obfuscation in malware. Third, we prove that using the presence of obfuscation can detect previously hard-to-detect malware. Our results show that, for our set of programs, we are able to reduce the number of malware samples missed by five market-leading AV tools by 25% while falsely detecting only 2.45% of the tested benign applications.

Notes

  1. A CTI (control-transfer instruction) is called direct where the CTI's target is a constant; otherwise it is called indirect.

Acknowledgments

The research was sponsored in part by contracts H9823013D00560016 and H9823013D00560037 from the US Department of Defense via the Maryland Procurement Office. The ARCS Foundation has also played a role in funding the research.

Author information

Correspondence to Danny Kim.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Kim, D. et al. (2017). DynODet: Detecting Dynamic Obfuscation in Malware. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science, vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_5

  • DOI: https://doi.org/10.1007/978-3-319-60876-1_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1
