Asia Joint Conference on Information Security (conference paper)

Comparing Malware Samples for Unpacking: A Feasibility Study



Abstract

When an analyst examines a malware binary to obtain information useful for defense and mitigation, she is often required to extract its original binary first. Packing is the reason for this: malware authors usually pack (encrypt and/or compress) their malware to hinder code analysis, forcing analysts to spend a great deal of time on unpacking. Towards effective malware analysis, this paper presents an automated original-entry-point detector called OEPdet. If the original entry point (OEP) of the malware is found after the malware has been executed, an analyst can smoothly begin to examine the original binary starting at the OEP. OEPdet takes two malware samples as input and finds the part of the original binary shared between them; it then detects the OEP based on that shared binary. This relies on the observation that many malware samples are generated from source code shared with other samples at function or snippet granularity. Experiments on several malware samples confirm that OEPdet can feasibly detect the OEP.
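The abstract describes the core idea only at a high level: compare the runtime images of two samples, keep what they share, and use that shared original code to locate the OEP. The following is an added toy illustration of that comparison step, written for this page; it is not OEPdet's code, and the abstract does not specify OEPdet's actual matching or OEP-selection rules. Everything here is assumed for the example: byte n-grams of size 8 as the unit of comparison, a load address of 0x401000, a constructed packer stub, constructed x86-looking byte sequences for a shared entry routine, per-sample code and a shared helper, an XOR stand-in for the packer's encryption, and the heuristic that the lowest-addressed run of shared original code is the OEP candidate. The one caveat a practitioner would want is built in: the unpacking stub is also identical across two samples packed by the same packer, so shared content that already appears in the on-disk packed images is excluded before anything is treated as original code.

```python
"""Added toy example: locate code shared between two samples' runtime images
and report an OEP candidate from it. Constructed data; not OEPdet's code."""

WINDOW = 8          # byte n-gram size used for comparison (assumption)
BASE = 0x401000     # assumed load address of the constructed images


def byte_windows(image: bytes, window: int = WINDOW) -> set:
    """Every fixed-size byte window of an image, for cheap set comparison."""
    return {image[i:i + window] for i in range(len(image) - window + 1)}


def shared_original_code(unpacked_a, unpacked_b, packed_images,
                         window=WINDOW, base=BASE):
    """Return (address, length) runs of sample A's runtime image whose bytes are
    (1) covered by a window that also occurs in sample B's runtime image and
    (2) not covered by any window that occurs in an on-disk packed image.
    Rule 1 finds code the two samples share; rule 2 drops the packer stub,
    which is identical in both samples but is not original code."""
    shared = byte_windows(unpacked_a, window) & byte_windows(unpacked_b, window)
    packed = set().union(*(byte_windows(p, window) for p in packed_images))
    n = len(unpacked_a)
    in_shared = [False] * n   # byte is covered by a window shared with B
    in_packed = [False] * n   # byte is covered by a window seen on disk (stub)
    for i in range(n - window + 1):
        w = unpacked_a[i:i + window]
        if w in packed:
            in_packed[i:i + window] = [True] * window
        elif w in shared:
            in_shared[i:i + window] = [True] * window
    runs, start = [], None
    for j in range(n + 1):
        hit = j < n and in_shared[j] and not in_packed[j]
        if hit and start is None:
            start = j
        elif not hit and start is not None:
            runs.append((base + start, j - start))
            start = None
    return runs


def oep_candidate(runs):
    """Toy heuristic (assumption, not OEPdet's rule): the lowest-addressed run
    of shared original code is taken as the OEP candidate."""
    return min(addr for addr, _ in runs) if runs else None


def xor_pack(payload: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for the packer's payload encryption (constructed)."""
    return bytes(b ^ key for b in payload)


# Constructed sample layout. The byte strings are chosen to look like x86 code
# but carry no meaning beyond this example.
STUB = bytes.fromhex("60 e8 00 00 00 00 5d 81 ed 06 10 40 00 8d b5 ee 10 40 00 b9 40 01 00 00")
ENTRY = bytes.fromhex("55 8b ec 6a fe 68 a8 1a 40 00 68 c4 11 40 00 64 a1 00 00 00 00 50 83 ec 10")
UNIQUE_A = bytes.fromhex("b8 01 00 00 00 33 c9 8b 15 30 20 40 00 e8 12 00 00 00 c3")
UNIQUE_B = bytes.fromhex("33 c0 40 8b 0d 34 20 40 00 e8 55 00 00 00 c2 08 00")
HELPER = bytes.fromhex("55 8b ec 8b 45 08 8b 4d 0c 03 c1 5d c3 cc cc cc")

# Runtime images after the stub has run: stub stays resident, payload is plain.
UNPACKED_A = STUB + ENTRY + UNIQUE_A + HELPER
UNPACKED_B = STUB + ENTRY + UNIQUE_B + HELPER
# On-disk images: the same stub followed by the encrypted payload.
PACKED_A = STUB + xor_pack(ENTRY + UNIQUE_A + HELPER)
PACKED_B = STUB + xor_pack(ENTRY + UNIQUE_B + HELPER)


def demo():
    runs = shared_original_code(UNPACKED_A, UNPACKED_B, [PACKED_A, PACKED_B])
    return runs, oep_candidate(runs)


if __name__ == "__main__":
    runs, oep = demo()
    for addr, length in runs:
        print(f"shared original code at {addr:#x}, {length} bytes")
    print(f"OEP candidate: {oep:#x}")
```

On the constructed data the stub bytes are rejected even though both samples contain them, the shared entry routine and the shared helper come back as two separate runs (function-granularity sharing, as the abstract describes), and the per-sample code between them is not reported. Real samples would need a disassembler-aware unit of comparison rather than raw byte windows, since relocated addresses and immediates break exact n-gram matches.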
