OmniUnpack: Fast, Generic, and Safe Unpacking of Malware / Lorenzo Martignoni, Mihai Christodorescu, Somesh Jha. In: Twenty-Third Annual Computer Security Applications Conference: Miami Beach, Florida, 10–14 December 2007: proceedings. Los Alamitos: IEEE Computer Society, 2007. ISBN 0769530605. pp. 431-441. (Paper presented at the 23rd Annual Computer Security Applications Conference, held in Miami Beach, USA, in 2007.)

OmniUnpack: Fast, Generic, and Safe Unpacking of Malware

Lorenzo Martignoni;
2007

Abstract

Malicious software (or malware) has become a growing threat as malware writers have learned that signature-based detectors can be easily evaded by “packing” the malicious payload in layers of compression or encryption. State-of-the-art malware detectors have adopted both static and dynamic techniques to recover the payload of packed malware, but unfortunately such techniques are highly ineffective. In this paper we propose a new technique, called OmniUnpack, to monitor the execution of a program in real-time and to detect when the program has removed the various layers of packing. OmniUnpack aids malware detection by directly providing to the detector the unpacked malicious payload. Experimental results demonstrate the effectiveness of our approach. OmniUnpack is able to deal with both known and unknown packing algorithms and introduces a low overhead (at most 11% for packed benign programs).
2007
http://www.acsa-admin.org/2007/papers/151.pdf
Book Part (author)
Files in this record:
There are no files associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/50277
Citations
  • PMC: not available
  • Scopus: 183
  • Web of Science (ISI): 82