A heuristic approach for detection of obfuscated malware

2009 IEEE International Conference on Intelligence and Security Informatics Pub Date : 2009-06-08 DOI:10.1109/ISI.2009.5137328

Scott Treadwell, Mian Zhou

{"title":"A heuristic approach for detection of obfuscated malware","authors":"Scott Treadwell, Mian Zhou","doi":"10.1109/ISI.2009.5137328","DOIUrl":null,"url":null,"abstract":"Obfuscated malware has become popular because of pure benefits brought by obfuscation: low cost and readily availability of obfuscation tools accompanied with good result of evading signature based anti-virus detection as well as prevention of reverse engineer from understanding malwares' true nature. Regardless obfuscation methods, a malware must deobfuscate its core code back to clear executable machine code so that malicious portion will be executed. Thus, to analyze the obfuscation pattern before unpacking provide a chance for us to prevent malware from further execution. In this paper, we propose a heuristic detection approach that targets obfuscated windows binary files being loaded into memory - prior to execution. We perform a series of static check on binary file's PE structure for common traces of a packer or obfuscation, and gauge a binary's maliciousness with a simple risk rating mechanism. As a result, a newly created process, if flagged as possibly malicious by the static screening, will be prevented from further execution. This paper explores the foundation of this research, as well as the testing methodology and current results.","PeriodicalId":210911,"journal":{"name":"2009 IEEE International Conference on Intelligence and Security Informatics","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2009-06-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"63","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 IEEE International Conference on Intelligence and Security Informatics","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISI.2009.5137328","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 63

Abstract

Obfuscated malware has become popular because of pure benefits brought by obfuscation: low cost and readily availability of obfuscation tools accompanied with good result of evading signature based anti-virus detection as well as prevention of reverse engineer from understanding malwares' true nature. Regardless obfuscation methods, a malware must deobfuscate its core code back to clear executable machine code so that malicious portion will be executed. Thus, to analyze the obfuscation pattern before unpacking provide a chance for us to prevent malware from further execution. In this paper, we propose a heuristic detection approach that targets obfuscated windows binary files being loaded into memory - prior to execution. We perform a series of static check on binary file's PE structure for common traces of a packer or obfuscation, and gauge a binary's maliciousness with a simple risk rating mechanism. As a result, a newly created process, if flagged as possibly malicious by the static screening, will be prevented from further execution. This paper explores the foundation of this research, as well as the testing methodology and current results.

查看原文本刊更多论文

一种检测混淆恶意软件的启发式方法

混淆恶意软件之所以流行，纯粹是因为混淆带来的好处:混淆工具成本低，易于获得，并且可以很好地逃避基于签名的反病毒检测，防止逆向工程了解恶意软件的真实性质。无论使用何种混淆方法，恶意软件都必须将其核心代码去混淆，以清除可执行的机器码，以便执行恶意部分。因此，在解包之前分析混淆模式为我们提供了一个防止恶意软件进一步执行的机会。在本文中，我们提出了一种启发式检测方法，目标是在执行之前加载到内存中的混淆windows二进制文件。我们对二进制文件的PE结构执行一系列静态检查，以查找打包器或混淆的常见痕迹，并使用简单的风险评级机制衡量二进制文件的恶意。因此，新创建的进程，如果被静态筛选标记为可能是恶意的，将被阻止进一步执行。本文探讨了本研究的基础、测试方法和目前的研究结果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2009 IEEE International Conference on Intelligence and Security Informatics

自引率

0.00%

发文量