Static Analyzer of Vicious Executables (SAVE)
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
The Art of Computer Virus Research and Defense
The Art of Computer Virus Research and Defense
A Method for Detecting Obfuscated Calls in Malicious Binaries
IEEE Transactions on Software Engineering
Deobfuscation: Reverse Engineering Obfuscated Code
WCRE '05 Proceedings of the 12th Working Conference on Reverse Engineering
A semantics-based approach to malware detection
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Analyzing network traffic to detect self-decrypting exploit code
ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Using Entropy Analysis to Find Encrypted and Packed Malware
IEEE Security and Privacy
Statistical detection of malicious PE-Executables for fast offline analysis
CMS'10 Proceedings of the 11th IFIP TC 6/TC 11 international conference on Communications and Multimedia Security
PEAL--Packed executable analysis
ADCONS'11 Proceedings of the 2011 international conference on Advanced Computing, Networking and Security
| Hi-index | 0.00 |
Obfuscated malware has become popular because of pure benefits brought by obfuscation: low cost and readily availability of obfuscation tools accompanied with good result of evading signature based antivirus detection as well as prevention of reverse engineer from understanding malwares' true nature. Regardless obfuscation methods, a malware must deobfuscate its core code back to clear executable machine code so that malicious portion will be executed. Thus, to analyze the obfuscation pattern before unpacking provide a chance for us to prevent malware from further execution. In this paper, we propose a heuristic detection approach that targets obfuscated windows binary files being loaded into memory - prior to execution. We perform a series of static check on binary file's PE structure for common traces of a packer or obfuscation, and gauge a binary's maliciousness with a simple risk rating mechanism. As a result, a newly created process, if flagged as possibly malicious by the static screening, will be prevented from further execution. This paper explores the foundation of this research, as well as the testing methodology and current results.