Modern malware often hides the malicious portion of its program code by making it appear as data at compile time and transforming it back into executable code at runtime. This obfuscation technique poses obstacles to researchers who want to understand the malicious behavior of new or unknown malware and to practitioners who want to build detection models and recovery methods. In this paper we propose a technique for automating the extraction of the hidden-code bodies of this class of malware. Our approach is based on the observation that sequences of packed or hidden code in a malware instance can be made self-identifying when its runtime execution is checked against its static code model. In deriving our technique, we formally define the unpack-executing behavior that such malware exhibits and devise an algorithm for identifying and extracting its hidden code. We also provide details of the implementation and evaluation of our extraction technique; the results from our experiments on several thousand malware binaries show that our approach can significantly reduce the time required to analyze such malware and improve the performance of malware detection tools.
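The check the abstract describes, as an added illustration that is not the paper's implementation: a static model of the on-disk image is built by linear disassembly, every executed instruction is compared against it, and any instruction whose bytes are absent from or differ from the model is unpack-executed code and is dumped. The machine, its fixed-width 4-byte instruction set, the XOR key and the packed image are all constructed here for the example.

```python
"""Self-identifying unpack-execute detection on a constructed toy machine."""
# Toy ISA (constructed for this example, not the paper's): every instruction is 4 bytes.
#   0x10 a k n : XOR each of n bytes at address a with k
#   0x20 a 0 0 : JMP a
#   0xFF 0 0 0 : HALT
KEY = 0x5A  # constructed packing key

def enc(code: bytes, key: int = KEY) -> bytes:
    return bytes(b ^ key for b in code)

# Constructed image: unpacker stub at 0x00, XOR-packed payload at 0x20, data at 0x30.
PAYLOAD = bytes([0x10, 0x30, 0x01, 0x01,     # XOR [0x30], 0x01 (the hidden code body)
                 0xFF, 0x00, 0x00, 0x00])    # HALT
IMAGE = bytes([0x10, 0x20, KEY, 0x08,        # stub: XOR 8 bytes at 0x20 with KEY
               0x20, 0x20, 0x00, 0x00]       # stub: JMP 0x20 (into freshly written code)
              ) + bytes(0x20 - 8) + enc(PAYLOAD) + bytes(0x10)

def static_model(image: bytes) -> dict:
    """Linear-sweep disassembly of the on-disk image: address -> instruction bytes."""
    return {a: bytes(image[a:a + 4]) for a in range(0, len(image), 4)}

def trace(image: bytearray):
    """Single-step the toy machine, yielding (pc, bytes) for every executed instruction."""
    pc = 0
    while True:
        ins = bytes(image[pc:pc + 4])
        op, a, k, n = ins
        yield pc, ins
        if op == 0x10:                       # XOR n bytes at a with k (self-modifying)
            for i in range(n):
                image[a + i] ^= k
            pc += 4
        elif op == 0x20:                     # JMP a
            pc = a
        elif op == 0xFF:                     # HALT
            return
        else:
            raise ValueError(f"bad opcode {op:#x} at {pc:#x}")

def extract_hidden_code(image: bytes) -> tuple:
    """Return (first hidden address, hidden-code bytes). An executed instruction is
    hidden code when the static model has no instruction at that address or the
    modelled bytes differ from what actually ran, i.e. it was produced at runtime."""
    model = static_model(image)
    hidden = {pc: ins for pc, ins in trace(bytearray(image)) if model.get(pc) != ins}
    if not hidden:
        return None, b""
    return min(hidden), b"".join(hidden[a] for a in sorted(hidden))
```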