The University of Arizona


Computer Science Colloquium

Category: Lecture
Date: Tuesday, November 13, 2007
Time: 11:00 am
Location: GS 906
Details: Light refreshments served in the 9th floor atrium at 10:45 AM.
Speaker: Kevin Coogan
Affiliation: Computer Science

Automatic Static Unpacking of Malware Binaries

Most modern malware is transmitted in packed form, where the actual malware code is compressed or encrypted, to prevent examination by anti-virus software; the packed code is unpacked on the fly and executed when the malware is run. Since the malware payload does not materialize in executable form until runtime, this makes the task of analyzing such code difficult. When confronted with new malware in packed form, therefore, researchers usually resort to dynamic code analysis techniques. However, such dynamic techniques are susceptible to a variety of anti-monitoring defenses, as well as "time bombs" or "logic bombs," whose manual identification and neutralization can be slow and tedious.

This paper discusses an alternative approach that relies on static analysis techniques to deal with packed binaries. We use alias analysis to identify code unpacking and static slicing to find the associated unpacker code; control flow analysis of this unpacker code can then be used to identify dynamic defenses. The unpacker code is then transformed to create a customized unpacker that can be executed or emulated to unpack the malware binary. Experimental results using a prototype implementation indicate that it is effective in unpacking a variety of malware binaries packed using both custom packers and commercial packing tools.
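As an added illustration (not the talk's implementation, which works on real x86 binaries), the pipeline the abstract sketches, run on a constructed toy instruction stream: a forward pass with constant tracking stands in for the alias analysis and flags a jump into memory the program itself wrote, a backward slice from that store collects the unpacker instructions, and emulating only the slice yields the decoded byte. Instruction forms, register names and values are all assumptions made up for the example.

```python
# Toy straight-line instruction stream, constructed for this example (not real malware).
# Forms: ("mov", dst, src)  ("xor", dst, src)  ("store", addr_reg, src_reg)  ("jmp", tgt_reg)
PROGRAM = [
    ("mov", "r1", 0x1000),  # r1 = buffer that will receive decoded code
    ("mov", "r2", 0x55),    # r2 = one encoded payload byte
    ("xor", "r2", 0x13),    # decode it
    ("store", "r1", "r2"),  # write the decoded byte into the buffer
    ("mov", "r3", 7),       # unrelated work; must not land in the slice
    ("mov", "r4", 0x1000),  # same address as r1, reached through another register
    ("jmp", "r4"),          # control transfer into memory this code wrote
]
USES = {"mov": (1,), "xor": (0, 1), "store": (0, 1), "jmp": (0,)}  # operand slots read

def val(env, x):  # operand -> known constant, or None if unknown
    return x if isinstance(x, int) else env.get(x)
def uses(ins):  # register names an instruction reads
    return [ins[1 + k] for k in USES[ins[0]] if isinstance(ins[1 + k], str)]

def exec_ins(ins, env, mem):  # interpret one instruction over a constant environment
    op, *a = ins
    if op in ("mov", "xor"):
        x, y = val(env, a[0]), val(env, a[1])
        env[a[0]] = y if op == "mov" else (None if None in (x, y) else x ^ y)
    elif op == "store" and val(env, a[0]) is not None:
        mem[val(env, a[0])] = val(env, a[1])

def find_unpacking(program):  # -> (jmp_index, store_index) of first jump into self-written memory
    env, mem, writer = {}, {}, {}
    for i, ins in enumerate(program):
        if ins[0] == "jmp" and val(env, ins[1]) in writer:
            return i, writer[val(env, ins[1])]
        exec_ins(ins, env, mem)
        if ins[0] == "store" and val(env, ins[1]) is not None:
            writer[val(env, ins[1])] = i
    return None

def backward_slice(program, start):  # indices of instructions whose results feed program[start]
    wanted, kept = set(uses(program[start])), {start}
    for i in range(start - 1, -1, -1):
        d = program[i][1] if program[i][0] in ("mov", "xor") else None  # register defined
        if d in wanted:
            kept.add(i); wanted.discard(d); wanted.update(uses(program[i]))
    return sorted(kept)

def unpack(program):  # locate the unpacking, slice out the unpacker, emulate only that slice
    hit = find_unpacking(program)
    env, mem = {}, {}
    for i in backward_slice(program, hit[1]) if hit else []:
        exec_ins(program[i], env, mem)
    return mem  # address -> decoded byte ({} when no unpacking was found)
```

The unrelated `mov r3, 7` is dropped from the slice, so the emulated "customized unpacker" runs only the four instructions that actually produce the written byte.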