A Study of the Packer Problem and Its Solutions

  • Fanglu Guo
  • Peter Ferrie
  • Tzi-cker Chiueh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5230)

Abstract

An increasing percentage of malware programs distributed in the wild are packed by packers, which are programs that transform an input binary's appearance without affecting its execution semantics, to create new malware variants that can evade signature-based malware detection tools. This paper reports the results of a comprehensive study of the extent of the packer problem, based on data collected at Symantec, and of the effectiveness of existing solutions to this problem. The paper then presents a generic unpacking solution called Justin (Just-In-Time AV scanning), which is designed to detect the end of unpacking in a packed binary's run and to invoke AV scanning against the process image at that time. For accurate end-of-unpacking detection, Justin incorporates the following heuristics: Dirty Page Execution, Unpacker Memory Avoidance, Stack Pointer Check, and Command-Line Argument Access. Empirical testing shows that, compared with SymPack, which contains a set of manually created unpackers for a collection of selected packers, Justin's effectiveness is comparable to SymPack's for binaries packed by those supported packers, and is much better than SymPack's for binaries packed by packers that SymPack does not support.

Keywords

Packer problem, packed binary, performance overhead, control transfer, memory image

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Fanglu Guo, Symantec Research Laboratories
  • Peter Ferrie, Symantec Research Laboratories
  • Tzi-cker Chiueh, Symantec Research Laboratories