• DocumentCode
    2349165
  • Title
    Automatic Static Unpacking of Malware Binaries
  • Author
    Coogan, Kevin ; Debray, Saumya ; Kaochar, Tasneem ; Townsend, Gregg
  • Author_Institution
    Dept. of Comput. Sci., Univ. of Arizona, Tucson, AZ, USA
  • fYear
    2009
  • fDate
    13-16 Oct. 2009
  • Firstpage
    167
  • Lastpage
    176
  • Abstract
    Current malware is often transmitted in packed or encrypted form to prevent examination by anti-virus software. To analyze new malware, researchers typically resort to dynamic code analysis techniques to unpack the code for examination. Unfortunately, these dynamic techniques are susceptible to a variety of anti-monitoring defenses, as well as "time bombs" or "logic bombs," and can be slow and tedious to identify and disable. This paper discusses an alternative approach that relies on static analysis techniques to automate this process. Alias analysis can be used to identify the existence of unpacking, static slicing can identify the unpacking code, and control flow analysis can be used to identify and neutralize dynamic defenses. The identified unpacking code can be instrumented and transformed, then executed to perform the unpacking. We present a working prototype that can handle a variety of malware binaries, packed with both custom and commercial packers, and containing several examples of dynamic defenses.
  • Keywords
    cryptography; data flow analysis; invasive software; antimonitoring defense; antivirus software; automatic static malware binaries unpacking; control flow analysis; dynamic code analysis; encryption; logic bomb; static analysis; static slicing; time bomb; Automatic control; Computer science; Computer worms; Cryptography; Explosives; Instruments; Logic; Prototypes; Reverse engineering; Weapons; analysis; dynamic defenses; static unpacking;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Reverse Engineering, 2009. WCRE '09. 16th Working Conference on
  • Conference_Location
    Lille
  • ISSN
    1095-1350
  • Print_ISBN
    978-0-7695-3867-9
  • Type
    conf
  • DOI
    10.1109/WCRE.2009.24
  • Filename
    5328814