http://dx.doi.org/10.13089/JKIISC.2012.22.2.179

A Study on Generic Unpacking using Entropy Variation Analysis  

Lee, Young-Hoon (Graduate School of Information Management and Security, Korea University)
Chung, Man-Hyun (Graduate School of Information Management and Security, Korea University)
Jeong, Hyun-Cheol (Korea Internet & Security Agency)
Shon, Tae-Shik (Division of Information and Computer Engineering, Ajou University)
Moon, Jong-Su (Graduate School of Information Management and Security, Korea University)
Abstract
Packing, one of the techniques used to evade malicious-code detection and analysis, transforms a program's code to reduce its size and to confuse analysts. As a result, packed malware has more time to spread and takes longer to analyze, and unpacking techniques for dealing with packed malicious code have therefore been studied actively. A packed program is unpacked while it executes; as the original code is restored, the data inside the program changes, and so does its entropy value. Once unpacking has finished, the data no longer changes, so the entropy value stops changing as well. By locating this point, the unpacking point, a packed program can be unpacked regardless of the packing algorithm used. This paper proposes a generic unpacking mechanism that estimates the unpacking point from the variation of entropy values.
Keywords
Unpacking; Entropy; Malware
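The mechanism the abstract describes, as an added illustrative example rather than the paper's own implementation: Shannon entropy is computed over a sequence of memory snapshots, and the snapshot after which the entropy stops changing is reported as the unpacking point. The snapshot trace, the chunk sizes, the code-like byte alphabet, the `epsilon` threshold and the `stable_runs` count are all constructed assumptions of this example, standing in for what a monitor would collect from a real process.

```python
"""Entropy-variation estimate of the unpacking point (illustrative example).

Observation from the paper: while a packer's stub writes the original code
back into memory, the byte distribution of that region changes and so does
its Shannon entropy; once unpacking is complete the region is no longer
rewritten and the entropy stays flat.  Everything below is constructed:
the 'memory snapshots' are synthetic, not taken from a real process.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_snapshots(seed=1, region_size=2048, unpack_steps=8, idle_steps=8):
    """Constructed stand-in for memory snapshots taken while a packed program runs.

    Snapshot 0 is the packed payload: pseudo-random bytes, close to 8 bits/byte.
    During the next `unpack_steps` steps the stub overwrites one chunk per step
    with low-entropy 'code-like' bytes drawn from a small constructed alphabet.
    For the final `idle_steps` steps the unpacked program runs without touching
    the region, so successive snapshots are identical.  Returns the snapshots
    and the index of the last snapshot that was modified (the true unpacking point).
    """
    rng = random.Random(seed)
    region = bytearray(rng.getrandbits(8) for _ in range(region_size))
    chunk = region_size // unpack_steps
    # Assumed alphabet of frequent x86 opcode/prefix bytes; only its small size matters.
    code_alphabet = bytes([0x00, 0x55, 0x8B, 0xEC, 0x89, 0x45, 0xE8, 0xC3])
    snapshots = [bytes(region)]
    for step in range(1, unpack_steps + idle_steps + 1):
        if step <= unpack_steps:
            start = (step - 1) * chunk
            region[start:start + chunk] = bytes(rng.choice(code_alphabet) for _ in range(chunk))
        snapshots.append(bytes(region))
    return snapshots, unpack_steps


def entropy_trace(snapshots):
    """Entropy of each snapshot, in the order the snapshots were taken."""
    return [shannon_entropy(s) for s in snapshots]


def estimate_unpacking_point(snapshots, epsilon=0.01, stable_runs=3):
    """Index of the last snapshot after which the entropy change stays below
    `epsilon` bits for `stable_runs` consecutive snapshots; None if never stable.

    The run counter resets on any change >= epsilon, so a single quiet step in
    the middle of unpacking does not trigger a premature decision.
    """
    ents = entropy_trace(snapshots)
    run = 0
    for i in range(1, len(ents)):
        if abs(ents[i] - ents[i - 1]) < epsilon:
            run += 1
            if run == stable_runs:
                return i - stable_runs
        else:
            run = 0
    return None


if __name__ == "__main__":
    snaps, truth = build_snapshots()
    for i, h in enumerate(entropy_trace(snaps)):
        print(f"snapshot {i:2d}: {h:.3f} bits/byte")
    print("estimated unpacking point:", estimate_unpacking_point(snaps), "(true:", truth, ")")
```

The decision rule rests on the abstract's premise that nothing is written to the monitored region after unpacking finishes. A stub that unpacks in several layers, or that keeps modifying the region after the real code is in place, shifts or blurs the flat point, and `epsilon` and `stable_runs` need tuning against real traces rather than the constructed one used here.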
References
1 Yang-seo Choi, Ik-kyun Kim, Jin-tae Oh and Jae-cheol Ryou, "PE File Header Analysis-Based Packed PE File Detection Technique (PHAD)," International Symposium on Computer Science and its Applications, pp. 28-31, Oct. 2008.
2 Roberto Perdisci, Andrea Lanzi and Wenke Lee, "Classification of packed executables for accurate computer virus detection," Pattern Recognition Letters, vol. 29, no. 14, pp. 1941-1946, Oct. 2008.
3 Robert Lyda and James Hamrock, "Using entropy analysis to find encrypted and packed malware," IEEE Security & Privacy, vol. 5, no. 2, pp. 40-45, Mar. 2007.
4 Paul Royal, Mitch Halpin, David Dagon, Robert Edmonds and Wenke Lee, "PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware," 22nd Annual Computer Security Applications Conference (ACSAC '06), pp. 289-300, Dec. 2006.
5 Lorenzo Martignoni, Mihai Christodorescu and Somesh Jha, "OmniUnpack: Fast, Generic, and Safe Unpacking of Malware," 23rd Annual Computer Security Applications Conference (ACSAC 2007), pp. 431-441, Dec. 2007.
6 skape, "Using dual-mappings to evade automated unpackers," Uninformed, vol. 10, http://uninformed.org/?v=10&a=1.
7 Guhyeon Jeong, Euijin Choo, Joosuk Lee, Munkhbayar Bat-Erdene and Heejo Lee, "Generic Unpacking using Entropy Analysis," 2010 5th International Conference on Malicious and Unwanted Software (MALWARE 2010), pp. 98-105, Oct. 2010.
8 Silvio Cesare and Yang Xiang, "Classification of Malware Using Structured Control Flow," Proceedings of the Eighth Australasian Symposium on Parallel and Distributed Computing (AusPDC '10), vol. 107, pp. 61-70, Jan. 2010.
9 Thomas M. Cover and Joy A. Thomas, Elements of Information Theory, 2nd ed., Wiley-Interscience, pp. 1-16, Jul. 2006.
10 Seung-Won Han and Sang-Jin Lee, "A Study on Packed File Detection for Malware Forensics," Journal of the Korea Information Processing Society (KIPS), vol. 16-C, no. 5, pp. 555-562, Oct. 2009 (in Korean).
11 Guhyeon Jeong, Euijin Choo, Joosuk Lee and Heejo Lee, "A Study on an Unpacking Technique Using Entropy," Journal of the Korean Institute of Information Technology, vol. 7, no. 1, pp. 232-238, Feb. 2009 (in Korean).
12 Offensive Computing, malware repository, http://www.offensivecomputing.net/?q=taxonomy/term/1.
13 OllyDbg v1.10, http://www.ollydbg.de/odbg110.zip.
14 Min Gyung Kang, Pongsin Poosankam and Heng Yin, "Renovo: A Hidden Code Extractor for Packed Executables," Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM '07), pp. 46-53, Nov. 2007.
15 AV-Test, http://www.av-test.org.