Abstract
An increasing percentage of malware programs distributed in the wild are packed by packers, which are programs that transform an input binary's appearance without affecting its execution semantics, to create new malware variants that can evade signature-based malware detection tools. This paper reports the results of a comprehensive study of the extent of the packer problem based on data collected at Symantec and of the effectiveness of existing solutions to this problem. The paper then presents a generic unpacking solution called Justin (Just-In-Time AV scanning), which is designed to detect the end of unpacking of a packed binary's run and invoke AV scanning against the process image at that time. For accurate end-of-unpacking detection, Justin incorporates the following heuristics: Dirty Page Execution, Unpacker Memory Avoidance, Stack Pointer Check and Command-Line Argument Access. Empirical testing shows that, compared with SymPack, which contains a set of manually created unpackers for a collection of selected packers, Justin's effectiveness is comparable to SymPack for binaries packed by these supported packers, and is much better than SymPack for binaries packed by those that SymPack does not support.
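The abstract names Dirty Page Execution as one of Justin's end-of-unpacking heuristics without spelling out the mechanism. The following toy simulation is an added illustration, not code from the paper or from Symantec: it models the widely used write-then-execute idea (a page written during the run and later executed is taken to hold unpacked code), and at that moment runs a stand-in scanner over the live image. Everything in it is constructed for the example: the 4 KiB page size, the XOR "packer", the `EVILPAYLOAD` signature, the page layout and the event trace that stands in for the stub's writes and jumps. The other three heuristics (Unpacker Memory Avoidance, Stack Pointer Check, Command-Line Argument Access) are not modelled.

```python
from typing import List, Optional, Set, Tuple

PAGE_SIZE = 0x1000           # 4 KiB pages, as on x86 (assumption for the toy model)
KEY = 0x5A                   # constructed XOR key for the toy "packer"
SIGNATURE = b"EVILPAYLOAD"   # constructed byte signature the scanner looks for
STUB_PAGE, PAYLOAD_PAGE = 1, 3
PAYLOAD_LEN = 2 + len(SIGNATURE) + 1


def page_of(addr: int) -> int:
    return addr // PAGE_SIZE


def build_packed_image() -> bytearray:
    """Constructed on-disk image: the plaintext payload is stored XOR-encoded at
    PAYLOAD_PAGE, so a static signature scan of the file sees nothing."""
    image = bytearray(8 * PAGE_SIZE)
    plain = b"\x90\x90" + SIGNATURE + b"\xc3"        # nop, nop, <signature>, ret
    encoded = bytes(b ^ KEY for b in plain)
    base = PAYLOAD_PAGE * PAGE_SIZE
    image[base : base + len(encoded)] = encoded
    return image


def signature_scan(memory: bytes) -> bool:
    """Stand-in for the AV engine: a plain byte-pattern match over the image."""
    return SIGNATURE in memory


class JustInTimeScanner:
    """Dirty Page Execution: remember every page written during the run; the first
    time control lands on such a page, treat unpacking as finished and scan."""

    def __init__(self, image: bytearray):
        self.memory = image
        self.dirty_pages: Set[int] = set()
        self.trigger_addr: Optional[int] = None
        self.verdict: Optional[bool] = None

    def on_write(self, addr: int, data: bytes) -> None:
        self.memory[addr : addr + len(data)] = data
        first, last = page_of(addr), page_of(addr + len(data) - 1)
        self.dirty_pages.update(range(first, last + 1))   # mark every touched page

    def on_execute(self, addr: int) -> bool:
        """Return True when this execution triggers the just-in-time scan."""
        if self.verdict is None and page_of(addr) in self.dirty_pages:
            self.trigger_addr = addr
            self.verdict = signature_scan(bytes(self.memory))  # scan the live image now
            return True
        return False


def unpacker_trace(image: bytearray) -> List[Tuple[str, int, bytes]]:
    """Constructed event trace: the stub decodes the payload in place, then jumps to it."""
    base = PAYLOAD_PAGE * PAGE_SIZE
    decoded = bytes(b ^ KEY for b in image[base : base + PAYLOAD_LEN])
    return [
        ("exec", STUB_PAGE * PAGE_SIZE, b""),          # stub prologue runs from its own page
        ("write", base, decoded),                      # decode loop writes plaintext code
        ("exec", STUB_PAGE * PAGE_SIZE + 0x40, b""),   # stub epilogue, still a clean page
        ("exec", base, b""),                           # jump to the original entry point
    ]


def run(image: bytearray, events: List[Tuple[str, int, bytes]]) -> JustInTimeScanner:
    """Feed the trace to the scanner; stop at the first triggered scan."""
    scanner = JustInTimeScanner(image)
    for kind, addr, data in events:
        if kind == "write":
            scanner.on_write(addr, data)
        elif scanner.on_execute(addr):
            break
    return scanner


if __name__ == "__main__":
    img = build_packed_image()
    print("static scan of packed file:", signature_scan(bytes(img)))
    s = run(img, unpacker_trace(img))
    print(f"scan triggered at {s.trigger_addr:#x}, verdict: {s.verdict}")
```

Run stand-alone, the static scan reports `False` while the scan triggered at the jump to `0x3000` reports `True`: the same signature engine succeeds only because it is invoked after the writes and before the written page runs. A real implementation would get the write and execute events from page-protection faults rather than from a hand-built trace, and would need the paper's remaining heuristics to avoid firing on benign self-modifying code or on the unpacker's own working memory.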
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Guo, F., Ferrie, P., Chiueh, Tc. (2008). A Study of the Packer Problem and Its Solutions. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_6
DOI: https://doi.org/10.1007/978-3-540-87403-4_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-87402-7
Online ISBN: 978-3-540-87403-4