The Community for Technology Leaders
Computer Security Applications Conference, Annual (2006)
Miami Beach, Florida, USA
Dec. 11, 2006 to Dec. 15, 2006
ISSN: 1063-9527
ISBN: 0-7695-2716-7
pp: 289-300
Robert Edmonds , Georgia Institute of Technology, USA
Paul Royal , Georgia Institute of Technology, USA
Mitch Halpin , Georgia Institute of Technology, USA
Wenke Lee , Georgia Institute of Technology, USA
David Dagon , Georgia Institute of Technology, USA
ABSTRACT
Modern malware often hide the malicious portion of their program code by making it appear as data at compile-time and transforming it back into executable code at runtime. This obfuscation technique poses obstacles to researchers who want to understand the malicious behavior of new or unknown malware and to practitioners who want to create models of detection and methods of recovery. In this paper we propose a technique for automating the process of extracting the hidden-code bodies of this class of malware. Our approach is based on the observation that sequences of packed or hidden code in a malware instance can be made self-identifying when its runtime execution is checked against its static code model. In deriving our technique, we formally define the unpack-executing behavior that such malware exhibits and devise an algorithm for identifying and extracting its hidden-code. We also provide details of the implementation and evaluation of our extraction technique; the results from our experiments on several thousand malware binaries show our approach can be used to significantly reduce the time required to analyze such malware, and to improve the performance of malware detection tools.
INDEX TERMS
null
CITATION
Robert Edmonds, Paul Royal, Mitch Halpin, Wenke Lee, David Dagon, "PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware", Computer Security Applications Conference, Annual, vol. 00, no. , pp. 289-300, 2006, doi:10.1109/ACSAC.2006.38
111 ms
(Ver )