Detecting Traditional Packers, Decisively
نویسندگان
چکیده
Many important decidability results in malware analysis are based on Turing machine models of computation. We exhibit computational models that use more realistic assumptions about machine and attacker resources. While seminal results such as [1–5] remain true for Turing machines, we show that under more realistic assumptions important tasks are decidable instead of undecidable. Specifically, we show that detecting traditional malware unpacking behavior – in which a payload is decompressed or decrypted and subsequently executed – is decidable under our assumptions. We then examine the issue of dealing with complex but decidable problems, and look for lessons from the hardware verification community, which has been striving to meet the challenge of intractable problems for the past three decades.
منابع مشابه
Detecting Packed Executables Based on Raw Binary Data
Packing an executable originally referred to the compression of the file to reduce its size on disk. Nowadays, packing also introduces encryption and anti-debug techniques to protect executables from reverse engineering. This explains why packers are extensively used in creating new malware variants which are not detected by traditional signature-based anti-malware tools. Although universal unp...
متن کاملThings You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation
The prevalent usage of runtime packers has complicated Android malware analysis, as both legitimate and malicious apps are leveraging packing mechanisms to protect themselves against reverse engineer. Although recent efforts have been made to analyze particular packing techniques, little has been done to study the unique characteristics of Android packers. In this paper, we report the first sys...
متن کاملChurning Out the Links: Vertical Integration in the Beef and Pork Industries
19 For the livestock and meat industry, the 1990s were a period of marked vertical integration. By the end of the decade, the use of production contracts, marketing agreements, and other ownership linkages between beef and pork producers and meat packers had provoked such controversy that Congress began to consider legislation to abolish many types of market linkages. We analyze the transition ...
متن کاملAsymptomatic body packers should be treated conservatively.
INTRODUCTION Body packing takes advantage of the human storage capacity within the alimentary tract. Body packing is used for the smuggling of drugs such as heroin, cocaine, amphetamine, hashish and ecstasy. Most body packers are asymptomatic. However, packets may rupture or obstruct the alimentary tract. Preventive surgery has been recommended for body packers with package retention beyond 5-7...
متن کاملAppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware
As the techniques for Androidmalware detection are progressing, malware also fights back through deploying advanced code encryption with the help of Android packers. An effective Android malware detection therefore must take the unpacking issue into consideration to prove the accuracy. Unfortunately, this issue is not easily addressed. Android packers often adopt multiple complex anti-analysis ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2013