Comparison and benchmarking of automatic malware unpacking techniques

GETU, TEWFIK ADEM
2010/2011

Abstract

Analysis and detection of "malicious software" (malware), such as viruses, worms and botnet clients, whether fully automated or human assisted, is a critical step in defending against the threat such malware poses. The challenge grows when malware writers misuse the novel idea of software packing to evade malware analyzers and antivirus software. In fact, nowadays 80% of malware is transmitted in packed or encrypted form to prevent examination by anti-virus software [1]. To analyze new malware, researchers typically resort to automatic and dynamic code analysis techniques to unpack the code for examination. Unfortunately, these dynamic techniques are susceptible to a variety of anti-monitoring defenses, as well as "time bombs" or "logic bombs," which can be slow and tedious to identify and disable. This thesis compares and benchmarks currently existing automatic malware unpacking techniques, and explores new approaches to the design of automated malware unpackers. It starts by assessing research work related to malware analysis and detection, and then focuses on packed malware analysis techniques. To meet the challenges posed by malware writers, a packed malware analyzer should be transparent to the analyzed malware, it should be able to detect different layers of packing, and moreover it should be able to extract and reconstruct both the syntactic and the semantic behavior of the packed malware.
ING V - Facolta' di Ingegneria dell'Informazione
20-Dec-2010
Master's thesis
Attached files
File: 2010_12_Getu.pdf
Description: Thesis Text
Size: 1.48 MB
Format: Adobe PDF
Access: accessible on the internet to everyone

Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/10589/12141