TY - GEN
T1 - Automatic static unpacking of malware binaries
AU - Coogan, Kevin
AU - Debray, Saumya
AU - Kaochar, Tasneem
AU - Townsend, Gregg
PY - 2009
Y1 - 2009
N2 - Current malware is often transmitted in packed or encrypted form to prevent examination by anti-virus software. To analyze new malware, researchers typically resort to dynamic code analysis techniques to unpack the code for examination. Unfortunately, these dynamic techniques are susceptible to a variety of anti-monitoring defenses, as well as "time bombs" or "logic bombs," and can be slow and tedious to identify and disable. This paper discusses an alternative approach that relies on static analysis techniques to automate this process. Alias analysis can be used to identify the existence of unpacking, static slicing can identify the unpacking code, and control flow analysis can be used to identify and neutralize dynamic defenses. The identified unpacking code can be instrumented and transformed, then executed to perform the unpacking. We present a working prototype that can handle a variety of malware binaries, packed with both custom and commercial packers, and containing several examples of dynamic defenses.
KW - Analysis
KW - Dynamic defenses
KW - Malware
KW - Static unpacking
UR - http://www.scopus.com/inward/record.url?scp=73449135786&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=73449135786&partnerID=8YFLogxK
U2 - 10.1109/WCRE.2009.24
DO - 10.1109/WCRE.2009.24
M3 - Conference contribution
AN - SCOPUS:73449135786
SN - 9780769538679
T3 - Proceedings - Working Conference on Reverse Engineering, WCRE
SP - 167
EP - 176
BT - Proceedings - 16th Working Conference on Reverse Engineering, WCRE 2009
T2 - 16th Working Conference on Reverse Engineering, WCRE 2009
Y2 - 13 October 2009 through 16 October 2009
ER -