A heuristic approach for detection of obfuscated malware

Authors: Scott Treadwell, Mian Zhou

DOI: 10.1109/ISI.2009.5137328

Abstract: Obfuscated malware has become popular because of the pure benefits brought by obfuscation: low cost and readily available obfuscation tools, accompanied by good results in evading signature-based anti-virus detection as well as in preventing reverse engineers from understanding the malware's true nature. Regardless of the obfuscation method, a malware must deobfuscate its core code back into clear executable machine code so that the malicious portion can be executed. Thus, analyzing the pattern before unpacking provides a chance for us to prevent further execution. In this paper, we propose a heuristic approach that targets obfuscated Windows binary files being loaded into memory, prior to their execution. We perform a series of static checks on the file's PE structure for common traces of a packer or obfuscation, and gauge the binary's maliciousness with a simple risk rating mechanism. As a result, a newly created process, if flagged as possibly malicious during screening, is prevented from executing. This paper explores the foundation of the research, the testing methodology and current results.
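The static PE-structure checks and simple risk rating that the abstract describes, as an added Python illustration. This is not the authors' implementation: the specific checks, their weights, the packer section-name list and the flagging threshold are this example's own assumptions, and the two PE images it scores are constructed samples built in the block, not real binaries.

```python
"""Pre-execution screen: score packer/obfuscation traces in a PE's section table."""
import math
import struct

# Assumed heuristics and weights (this example's choices, not the paper's exact rules).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".nsp0", ".themida", ".vmp0", ".vmp1"}
STANDARD_CODE_SECTIONS = {".text", "CODE"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # real PE section flags
IMAGE_SCN_MEM_WRITE = 0x80000000
RISK_THRESHOLD = 5                   # assumed: score at or above this is flagged


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed/encrypted data sits near 8.0, plain code well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]    # Characteristics
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars, "entropy": shannon_entropy(raw)})
        off += 40
    return entry_rva, sections


def rate_pe(pe: bytes):
    """Return (risk score, reasons) from static section-table traces of packing."""
    entry_rva, sections = parse_sections(pe)
    score, reasons = 0, []
    entry_sec = next((s for s in sections if s["vaddr"] <= entry_rva
                      < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is None:
        score += 3; reasons.append("entry point lies outside every section")
    else:
        if entry_sec["name"] not in STANDARD_CODE_SECTIONS:
            score += 2; reasons.append(f"entry point in non-standard section {entry_sec['name']!r}")
        if entry_sec["chars"] & IMAGE_SCN_MEM_WRITE and entry_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            score += 2; reasons.append("entry section is both writable and executable")
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            score += 3; reasons.append(f"known packer section name {s['name']!r}")
        if s["entropy"] > 7.0 and s["rawsize"] >= 256:
            score += 2; reasons.append(f"high entropy {s['entropy']:.2f} in {s['name']!r}")
        if s["rawsize"] == 0 and s["vsize"] > 0:   # unpack-target section, e.g. UPX0
            score += 1; reasons.append(f"{s['name']!r} has no raw data but virtual size {s['vsize']:#x}")
    return score, reasons


def screen(pe: bytes) -> dict:
    """Verdict a process-creation hook could act on before the image runs."""
    score, reasons = rate_pe(pe)
    return {"score": score, "flagged": score >= RISK_THRESHOLD, "reasons": reasons}


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32 image; sections = [(name, characteristics, raw, vaddr)]."""
    raw_ptr = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)   # raw data follows the headers
    table, blobs = b"", b""
    for name, chars, data, vaddr in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data) or 0x1000, vaddr, len(data),
                             raw_ptr if data else 0, 0, 0, 0, 0, chars)
        blobs += data; raw_ptr += len(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * (0xE0 - 20)
    return dos + coff + opt + table + blobs


# Constructed samples: a plain image and a UPX-style layout (entry in a RWX, high-entropy section).
BENIGN_SAMPLE = build_sample_pe([(".text", 0x60000020, b"\x90" * 300 + b"\xC3", 0x1000),
                                 (".data", 0xC0000040, b"hello" * 20, 0x2000)], 0x1000)
PACKED_SAMPLE = build_sample_pe([("UPX0", 0xE0000080, b"", 0x1000),
                                 ("UPX1", 0xE0000040, bytes(range(256)) * 4, 0x2000),
                                 (".rsrc", 0x40000040, b"\0" * 64, 0x3000)], 0x2000)

if __name__ == "__main__":
    for label, img in (("benign", BENIGN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, screen(img))
```

Each reason is kept alongside the score so an analyst can see why an image was flagged; in practice the weights and threshold would be tuned against a corpus of known-packed and known-clean executables, as the abstract's testing methodology implies.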
