Departmental Bulletin Paper: Binary Code Analysis of Packed Malware

光吉, 寛生

The growth in malware is a serious problem. Malware whose code has been obfuscated by a packer can have a binary pattern quite different from that of ordinary, unpacked malware, and decoding and classifying it requires an unpacker that matches the packer used. When scanning mail on a server or files in online storage, it is important to detect packed malware without unpacking it; when analysing suspicious data in depth, it is also important to detect that the software has been packed, and with which packer. This paper proposes two techniques for inferring the malware and the packer. The first compares the rate at which the same binary code occurs across different malware samples. The second treats the binary code as a vector and computes the similarity between pieces of it. Twenty-three specimens, generated from eight types of malware with three packers, are analysed with these techniques, and the statistics for the packed malware are compared with those of the unpacked originals. The results show that the malware remains identifiable in its packed state.
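As an added illustration of the two kinds of measure the abstract describes (not code from the paper, whose exact feature definitions are not given here), the following Python script compares an unpacked code section, a same-family variant and a toy-packed copy. The choices are assumptions: 4-byte n-gram overlap stands in for the "rate of incidence of the same binary code", 256-bin byte histograms compared by cosine similarity stand in for "treating the binary code as a vector", 64-byte pieces are the unit of chunk-wise comparison, and a rotating-key XOR stands in for a packer. The three samples are constructed, not real malware.

```python
"""
Byte-pattern comparison of an unpacked code section, a same-family variant and an
XOR-"packed" copy. Added illustration, not the paper's code: n-gram overlap and
byte-histogram cosine similarity are assumed stand-ins for the paper's two measures.
"""
import math

N_GRAM = 4   # assumption: window length for the shared-pattern rate
CHUNK = 64   # assumption: piece size for the chunk-wise vector comparison


def byte_histogram(data: bytes) -> list:
    """256-bin relative byte-frequency vector (all zeros for empty input)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return [c / n for c in counts] if n else [0.0] * 256


def cosine(u, v) -> float:
    """Cosine similarity; 0.0 when either vector is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def ngrams(data: bytes, n: int = N_GRAM) -> set:
    """Set of distinct n-byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_ngram_rate(a: bytes, b: bytes, n: int = N_GRAM) -> float:
    """Fraction of the distinct n-byte patterns of a that also occur in b
    (stand-in for 'rate of incidence of the same binary code')."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga) if ga else 0.0


def chunk_similarity(a: bytes, b: bytes, size: int = CHUNK) -> float:
    """Split both inputs into pieces, vectorise each piece, and average the best
    cosine match each piece of a finds among the pieces of b
    (stand-in for 'treat binary code as a vector and compare pieces')."""
    va = [byte_histogram(a[i:i + size]) for i in range(0, len(a), size)]
    vb = [byte_histogram(b[i:i + size]) for i in range(0, len(b), size)]
    if not va or not vb:
        return 0.0
    return sum(max(cosine(x, y) for y in vb) for x in va) / len(va)


def xor_pack(data: bytes, key: bytes) -> bytes:
    """Toy packer transform (assumption): rotating-key XOR, the simplest
    transform that rewrites every byte. Applying it twice restores the input."""
    return bytes(x ^ key[i % len(key)] for i, x in enumerate(data))


# Constructed samples (not real malware): a small x86-style prologue/call/epilogue
# stub repeated, as compiled code repeats idioms; a variant with a different call
# target; and the original after the toy packer.
STUB = bytes.fromhex("558bec83ec10e8000000008b4508c9c39090")
ORIGINAL = STUB * 16
VARIANT = (STUB[:6] + bytes.fromhex("e811000000") + STUB[11:]) * 16
KEY = bytes.fromhex("9a3c77")
PACKED = xor_pack(ORIGINAL, KEY)


def compare_all() -> dict:
    """Both measures over the three samples: the variant stays close to the
    original under either measure, the packed copy shares nothing with it."""
    return {
        "ngram original/variant": shared_ngram_rate(ORIGINAL, VARIANT),
        "ngram original/packed": shared_ngram_rate(ORIGINAL, PACKED),
        "chunk original/variant": chunk_similarity(ORIGINAL, VARIANT),
        "chunk original/packed": chunk_similarity(ORIGINAL, PACKED),
    }


if __name__ == "__main__":
    for name, score in compare_all().items():
        print(f"{name:24s} {score:.3f}")
```

The point the numbers make is the one the abstract states: raw byte statistics of a packed sample no longer resemble the unpacked original, so identifying the family under packing has to rest on comparing packed samples with packed references (or on features of the packer stub itself), not on the unpacked signature.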

