Packer identification based on metadata signature

Abstract

Malware applies lots of obfuscation techniques, which are often automatically generated by the use of packers. This paper presents a packer identification of packed code based on metadata signature, which is a frequency vector of occurrences of classified obfuscation techniques. First, BE-PUM (Binary Emulator for PUshdown Model generation) disassembles and generates the control flow graph of malware in an on-the-fly manner, using concolic testing. Second, obfuscation techniques in the generated control flow graph are detected based on the formal criteria of each obfuscation technique. Last, the used packer is identified with the chisquare test on the metadata signature of a packed code. The precision is evaluated with experiments on 12814 malware from VX heaven and Virusshare, in which 608 examples are detected inconsistent with commercial packer identification at PEiD, CFF Explore, and VirusTotal. We manually confirm that, except for 1 example, BE-PUM is correct. The only case that BE-PUM misunderstands is between MEW and FSG, which are quite similar packers and current BE-PUM extension does not support MEW.