Incremental Clustering of Malware Packers using features based on Transformed CFG

  • Ludovic Robin Cyber-Detect
Keywords: botnet, packer, clustering


Packer detection is an important topic because most malware is packed and this allows it to avoid detection based on static analysis. Identifying classes of packers is the key to effective detection because it makes it easier to determine from a static analysis whether further analysis is needed or whether a decision is already possible. Thus in this work we propose new features to cluster packers from their unpacking function. This method makes it possible to effectively cluster packers, and is able, by clustering, to identify packer classes used by malware. It is a step towards a larger data clustering allowing to identify custom packers.


“Clamavnet.” (Accessed on 12/08/2022).

“horsicq/detect-it-easy: Program for determining types of files for windows, linux and macos..”

“Upx: the ultimate packer for executables - homepage.” (Accessed on 12/07/2022).

“plusvic/yara: The pattern matching swiss knife.”

“wolfram77web/app-peid: Peid detects most common packers, cryptors and compilers for pe files..” (Accessed on 12/07/2022).

F. Biondi, M. A. Enescu, T. Given-Wilson, A. Legay, L. Noureddine, and V. Verma, “Effective, efficient, and robust packing detection and classification,” Computers & Security, vol. 85, pp. 436–451, 2019.

M. Saleh, E. P. Ratazzi, and S. Xu, “A control flow graph-based signature for packer identification,”in MILCOM 2017-2017 IEEE Military Communications Conference (MILCOM), pp. 683–688, IEEE, 2017.

L. Noureddine, A. Heuser, C. Puodzius, and O. Zendra, “Se-pac: A self-evolving packer classifier against rapid packers evolution,” in Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, pp. 281–292, 2021.


P. Antoine, G. Bonfante, and J. Marion, “Gorille: Efficient and relevant software comparisons,” ERCIM News, vol. 2016, no. 106, 2016.

M. Vijaymeena and K. Kavitha, “A survey on similarity measures in text mining,” Machine Learning and Applications: An International Journal, vol. 3, no. 2, pp. 19–28, 2016.

M. Ester, H.-P. Kriegel, J. Sander, X. Xu, et al., “A density-based algorithm for discovering clusters in large spatial databases with noise.,” in kdd, vol. 96, pp. 226–231, 1996.

G. Bonfante, J. Fernandez, J.-Y. Marion, B. Rouxel, F. Sabatier, and A. Thierry, “Codisasm: Medium scale concatic disassembly of self-modifying binaries with overlapping instructions,” in Proceedings of the 22nd ACMSIGSAC Conference on Computer and Communications Security, pp. 745–756, 2015.

“Malwarebazaar | malware sample exchange.” (Accessed on 12/07/2022).

“Zeus/zbot unpacking : analyse d’un packer customisé | connect - editions diamond.” (Accessed on 12/09/2022).

Additional articles