All-in-One Framework for Detection, Unpacking, and Verification for Malware Analysis

الملخص EN

Packing is the most common analysis avoidance technique for hiding malware.

Also, packing can make it harder for the security researcher to identify the behaviour of malware and increase the analysis time.

In order to analyze the packed malware, we need to perform unpacking first to release the packing.

In this paper, we focus on unpacking and its related technologies to analyze the packed malware.

Through extensive analysis on previous unpacking studies, we pay attention to four important drawbacks: no phase integration, no detection combination, no real-restoration, and no unpacking verification.

To resolve these four drawbacks, in this paper, we present an all-in-one structure of the unpacking system that performs packing detection, unpacking (i.e., restoration), and verification phases in an integrated framework.

For this, we first greatly increase the packing detection accuracy in the detection phase by combining four existing and new packing detection techniques.

We then improve the unpacking phase by using the state-of-the-art static and dynamic unpacking techniques.

We also present a verification algorithm evaluating the accuracy of unpacking results.

Experimental results show that the proposed all-in-one unpacking system performs all of the three phases well in an integrated framework.

In particular, the proposed hybrid detection method is superior to the existing methods, and the system performs unpacking very well up to 100% of restoration accuracy for most of the files except for a few packers.