Automatic Static Unpacking of Malware Binaries

W
WCRE
2009
2009 16th Working Conference on Reverse Engineering
Abstract - Automatic Static Unpacking of Malware Binaries

	This Article
	Subscribers, please Login Purchase article: $19 PDF RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Kevin Coogan Articles by Saumya Debray Articles by Tasneem Kaochar Articles by Gregg Townsend

2009 16th Working Conference on Reverse Engineering

Lille, France

October 13-October 16

ISBN: 978-0-7695-3867-9

	ASCII Text	x
	Kevin Coogan, Saumya Debray, Tasneem Kaochar, Gregg Townsend, "Automatic Static Unpacking of Malware Binaries," Reverse Engineering, Working Conference on, pp. 167-176, 2009 16th Working Conference on Reverse Engineering, 2009.

	BibTex	x
	@article{ 10.1109/WCRE.2009.24, author = {Kevin Coogan and Saumya Debray and Tasneem Kaochar and Gregg Townsend}, title = {Automatic Static Unpacking of Malware Binaries}, journal ={Reverse Engineering, Working Conference on}, volume = {0}, year = {2009}, issn = {1095-1350}, pages = {167-176}, doi = {http://doi.ieeecomputersociety.org/10.1109/WCRE.2009.24}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Reverse Engineering, Working Conference on TI - Automatic Static Unpacking of Malware Binaries SN - 1095-1350 SP167 EP176 A1 - Kevin Coogan, A1 - Saumya Debray, A1 - Tasneem Kaochar, A1 - Gregg Townsend, PY - 2009 KW - analysis KW - static unpacking KW - dynamic defenses VL - 0 JA - Reverse Engineering, Working Conference on ER -

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/WCRE.2009.24

Current malware is often transmitted in packed or encrypted form to prevent examination by anti-virus software.To analyze new malware, researchers typically resort to dynamic code analysis techniques to unpack the code for examination.Unfortunately, these dynamic techniques are susceptible to a variety of anti-monitoring defenses, as well as "time bombs" or "logic bombs," and can be slow and tedious to identify and disable. This paper discusses an alternative approach that relies on static analysis techniques to automate this process. Alias analysis can be used to identify the existence of unpacking,static slicing can identify the unpacking code, and control flow analysis can be used to identify and neutralize dynamic defenses. The identified unpacking code can be instrumented and transformed, then executed to perform the unpacking.We present a working prototype that can handle a variety of malware binaries, packed with both custom and commercial packers, and containing several examples of dynamic defenses.

Index Terms:

analysis, static unpacking, dynamic defenses

Citation:

Kevin Coogan, Saumya Debray, Tasneem Kaochar, Gregg Townsend, "Automatic Static Unpacking of Malware Binaries," wcre, pp.167-176, 2009 16th Working Conference on Reverse Engineering, 2009

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.