Survey of Unpacking Malware
Malware is a significant problem in distributed and host-based computing environments. Static detection andclassification of malware serves as a useful mode of defense. To hinder detection and classification, code
packing is used by malware authors to hide and obscure the malware’s real content. This paper surveys the
removal of those malware obfuscations.Keywords: Malware, obfuscation, unpacking.
1. INTRODUCTION1.1 Background
The presence of malicious software is a problem that plagues internet and network connectivity. Malicious software, also known as malware, are programs characterised bytheir malicious intent. They are hostile, intrusive or annoying software programs.Examples of malware include trojan horses, worms, backdoors, dialers and spyware.Malware is a problem that is increasing at a significant rate. According to the SymantecInternet Threat Report, 499,811 new malware samples were received in the secondhalf of 2007. F-
Secure additionally reported, “As much
malware [was] produced in 2007
as in the previous 20 years altogether“
.The modern purpose of malware is that of criminal enterprise for financial gain. In
2008, “78 percent of confidential information threats exported user data”
. The stealingof banking information using malware known as spywareto covertly log and relaysuch private information, is a common example of modern malware.The malware problem continues when malicious software remains undetected byusers.
The creation of criminal networks employing unauthorised use of users’ computers
is an example of a malicious botnet. Botnets are illegally leased to criminal networksin order to create Email spamming networks, and to extort money from commercialentities using the threat of distributed denial of service attacks.
inability to prevent or detect malware often makes them liable to become an additional node in the
botnet’s zombie network.
Detection of malicious software provides much benefit in fighting the threat that
malware poses to users’ security. Detecting malware before it is allowed to execute its
intent allows such software to be effectively disabled. To identify a program as beingmalicious or benign, automated analysis is required. The analysis can employ either astatic or dynamic approach. In the dynamic approach, the malware is executed, possiblyin a sandbox, and its runtime behaviour examined. In the purely static approach, themalware is never executed.Traditional Antivirus solutions to secure systems against malware have focused onstatic detection. Dynamic approaches, while having some benefits compared to staticdetection, also have disadvantages. The dynamic approach requires an executionenvironment in which to run, mandating that a virtual machine or sandbox is available.For cross platform systems, this may be an ineffective environment in which to operate.If a virtual environment is not provided, execution of the malware on the host is required,which may allow malware to execute its intent, before being detected. Additionally, adynamic analysis may fail to identify malicious software if the malicious behaviour is not