
A Study of the Packer Problem and Its Solutions

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5230)

Abstract

An increasing percentage of malware programs distributed in the wild are packed by packers, which are programs that transform an input binary's appearance without affecting its execution semantics, to create new malware variants that can evade signature-based malware detection tools. This paper reports the results of a comprehensive study of the extent of the packer problem, based on data collected at Symantec, and of the effectiveness of existing solutions to this problem. The paper then presents a generic unpacking solution called Justin (Just-In-Time AV scanning), which is designed to detect the end of unpacking during a packed binary's run and to invoke AV scanning against the process image at that moment. For accurate end-of-unpacking detection, Justin incorporates the following heuristics: Dirty Page Execution, Unpacker Memory Avoidance, Stack Pointer Check and Command-Line Argument Access. Empirical testing shows that, compared with SymPack, which contains a set of manually created unpackers for a collection of selected packers, Justin's effectiveness is comparable to SymPack's for binaries packed by those supported packers, and is much better than SymPack's for binaries packed by packers that SymPack does not support.
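The abstract names four heuristics but not how they combine. The following is an added example, not code from the paper or from Symantec's Justin, that drives a trace-level simulation of those heuristics over a constructed event trace modelled on a typical compressing stub (save registers, write the decompressed image, restore registers, jump to the original entry point). The interpretation of each heuristic is an assumption stated in the comments: Dirty Page Execution fires when control transfers into a page written after load; Stack Pointer Check compares the stack pointer at that moment with its value at process entry; Unpacker Memory Avoidance asks whether the candidate lies outside the stub's own pages; Command-Line Argument Access treats a call to `GetCommandLine*` as proof that the original program is running. The scan policy (three agreeing signals, or command-line access as a fallback) and the `0x40xxxx` addresses are illustrative choices, not the paper's.

```python
# Added example: simulation of end-of-unpacking heuristics (not Justin's code).
# Events: ("W", addr) memory write, ("X", addr, sp) instruction fetch with the
# current stack pointer, ("API", name) Win32 API call. Real deployments would
# derive these from page-protection faults or an emulator; here they are synthetic.

PAGE_SIZE = 0x1000


def page_of(addr: int) -> int:
    """Round an address down to its 4 KiB page base."""
    return addr & ~(PAGE_SIZE - 1)


class EndOfUnpackDetector:
    def __init__(self, entry_sp: int, unpacker_pages):
        self.entry_sp = entry_sp                                  # sp at process entry
        self.unpacker_pages = {page_of(p) for p in unpacker_pages}  # stub's own pages
        self.dirty = set()            # pages written since load ("dirty")
        self.cmdline_accessed = False
        self.candidates = []          # (addr, reasons) for every dirty-page execution
        self.scan_point = None        # address at which the AV scan would be invoked

    def on_write(self, addr: int) -> None:
        # Dirty Page Execution, part 1: remember every page the process writes.
        self.dirty.add(page_of(addr))

    def on_api(self, name: str) -> None:
        # Command-Line Argument Access (assumed meaning): the real program's CRT
        # reads its command line; a stub almost never does. Use it as a fallback
        # trigger when the stronger signals did not all agree at the candidate.
        if name in ("GetCommandLineA", "GetCommandLineW"):
            self.cmdline_accessed = True
            if self.scan_point is None and self.candidates:
                self.scan_point = self.candidates[-1][0]

    def on_exec(self, addr: int, sp: int):
        page = page_of(addr)
        if page not in self.dirty:
            return None                # clean page: nothing to decide
        # Dirty Page Execution, part 2: control entered a page written at run time.
        reasons = ["dirty-page-exec"]
        if sp == self.entry_sp:        # Stack Pointer Check: stub restored the stack
            reasons.append("sp-restored")
        if page not in self.unpacker_pages:   # Unpacker Memory Avoidance
            reasons.append("outside-unpacker")
        # Clear the page so a loop inside it does not retrigger on every fetch.
        self.dirty.discard(page)
        self.candidates.append((addr, reasons))
        if self.scan_point is None and len(reasons) >= 3:   # assumed policy
            self.scan_point = addr
        return reasons


def run_trace(trace, entry_sp: int, unpacker_pages) -> EndOfUnpackDetector:
    det = EndOfUnpackDetector(entry_sp, unpacker_pages)
    for ev in trace:
        if ev[0] == "W":
            det.on_write(ev[1])
        elif ev[0] == "X":
            det.on_exec(ev[1], ev[2])
        elif ev[0] == "API":
            det.on_api(ev[1])
    return det


# Constructed trace of a UPX-style run; addresses and values are made up.
ENTRY_SP = 0x0012FF80
STUB_PAGES = [0x405000, 0x406000]
SAMPLE_TRACE = [
    ("X", 0x405000, ENTRY_SP),            # stub entry point, clean page
    ("X", 0x405001, ENTRY_SP - 0x20),     # after pushad
    ("W", 0x406010),                      # stub patches a helper in its own section
    ("X", 0x406010, ENTRY_SP - 0x20),     # ...and runs it: dirty, but stub memory
    ("W", 0x401000), ("W", 0x401500),     # decompressed image being written
    ("W", 0x402000), ("W", 0x402FF0),
    ("X", 0x405080, ENTRY_SP - 0x20),     # decompression loop body, clean stub page
    ("X", 0x4050C0, ENTRY_SP),            # after popad: stack restored
    ("X", 0x401234, ENTRY_SP),            # jmp OEP into a freshly written page
    ("API", "GetCommandLineA"),           # CRT start-up of the real program
    ("X", 0x401260, ENTRY_SP - 8),
]

if __name__ == "__main__":
    d = run_trace(SAMPLE_TRACE, ENTRY_SP, STUB_PAGES)
    for addr, why in d.candidates:
        print(f"candidate {addr:#x}: {', '.join(why)}")
    print(f"scan at {d.scan_point:#x}")
```

The first candidate (the stub executing code it patched in its own section) is rejected because only one signal fires, which is exactly the false positive a bare write-then-execute rule would produce; the jump to `0x401234` carries all three and becomes the scan point. When a stub does not restore the stack before the jump, the command-line access later in the trace promotes the last candidate instead.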





Editor information

Richard Lippmann Engin Kirda Ari Trachtenberg


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Guo, F., Ferrie, P., Chiueh, Tc. (2008). A Study of the Packer Problem and Its Solutions. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-87403-4_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87402-7

  • Online ISBN: 978-3-540-87403-4

  • eBook Packages: Computer Science (R0)
