
PEAL—Packed Executable AnaLysis

  • Conference paper
Advanced Computing, Networking and Security (ADCONS 2011)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 7135))

Abstract

The proliferation of packed malware poses a serious threat to computers connected to the Internet across the globe. Packers are popular tools that malware authors use to hide malicious payloads so that they bypass traditional signature-based antivirus (AV) scanners. Because packing is the easiest way to defeat signature-based detection, unpacking of samples is important; but unpacking is a time-consuming process and reduces the overall efficiency of an AV scanner. Unpacking is nonetheless a compulsory step in malware analysis, since skipping it increases the rate of false alarms and misses. In this paper we propose PEAL, a pre-processing phase that identifies packed executables from a set of packed and native files. Our method reduces the overall execution time of the AV by filtering packed samples from non-packed ones. Experimental results show that the proposed method identifies packed and native executables with high accuracy.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Laxmi, V., Gaur, M.S., Faruki, P., Naval, S. (2012). PEAL—Packed Executable AnaLysis. In: Thilagam, P.S., Pais, A.R., Chandrasekaran, K., Balakrishnan, N. (eds) Advanced Computing, Networking and Security. ADCONS 2011. Lecture Notes in Computer Science, vol 7135. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29280-4_28


  • DOI: https://doi.org/10.1007/978-3-642-29280-4_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29279-8

  • Online ISBN: 978-3-642-29280-4
