Incremental Clustering of Malware Packers using features based on Transformed CFG
Packer detection is an important topic because most malware is packed, which allows it to evade detection based on static analysis. Identifying classes of packers is the key to effective detection, because it makes it easier to determine from a static analysis whether further analysis is needed or whether a decision is already possible. In this work we therefore propose new features, derived from a transformed control flow graph (CFG) of the unpacking function, to cluster packers. This method clusters packers effectively and, through clustering, identifies the packer classes used by malware. It is a step towards clustering larger datasets in order to identify custom packers.
Copyright (c) 2023 Ludovic Robin
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.