http://dx.doi.org/10.3745/KIPSTC.2009.16C.5.555

Packed PE File Detection for Malware Forensics  

Han, Seung-Won (Graduate School of Information Management Engineering, Korea University)
Lee, Sang-Jin (Graduate School of Information Management Engineering, Korea University)
Abstract
In malware incident investigation, the most important step is detecting the malicious code. Signature-based anti-virus software has been used in most incidents, but malware can easily evade signature-based detection by packing or encryption, so detecting packed files is also important. Detection methods can be divided into signature-based detection and entropy-based detection: signature-based detection cannot detect new packers, and entropy-based detection suffers from false positives. We provide a detection method that uses entropy statistics of the entry point section together with the 'write' property, an essential characteristic of packed files. We then present a packing detection tool and evaluate its performance.
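As an added example (not code from the paper or its tool), the two indicators the abstract combines, written as a minimal PE header walk in Python: locate the section that contains AddressOfEntryPoint, measure its Shannon entropy, test its IMAGE_SCN_MEM_WRITE flag, and report "packed" only when both agree. The 6.5 bits/byte cutoff and the synthetic one-section PE32 images produced by `build_pe` are assumptions for illustration, not values from the paper; the third sample shows the false positive an entropy-only check would raise on a high-entropy but read-only section.

```python
import math
import struct
from collections import Counter
IMAGE_SCN_MEM_WRITE = 0x80000000  # IMAGE_SECTION_HEADER.Characteristics bit: section is writable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def entry_point_section(pe: bytes):
    """Walk the PE headers; return (name, raw bytes, Characteristics) of the section holding AddressOfEntryPoint."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    num_sections, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, coff + 2)
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]      # AddressOfEntryPoint (same offset in PE32/PE32+)
    for i in range(num_sections):                              # 40-byte section headers follow the optional header
        off = opt + opt_size + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return name, pe[rawptr:rawptr + rawsize], chars
    raise ValueError("entry point lies outside every section")


def packing_verdict(pe: bytes, entropy_threshold: float = 6.5) -> dict:
    """Packed only if the entry-point section is BOTH high-entropy AND writable (6.5 bits/byte is an assumed cutoff)."""
    name, data, chars = entry_point_section(pe)
    entropy = shannon_entropy(data)
    writable = bool(chars & IMAGE_SCN_MEM_WRITE)
    return {"section": name, "entropy": round(entropy, 2), "writable": writable,
            "packed": entropy >= entropy_threshold and writable}


def build_pe(code: bytes, characteristics: int) -> bytes:
    """Constructed one-section PE32 image used only as test input here; not a real binary."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)            # e_lfanew = 64: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, 224-byte optional header
    opt = struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", 0x1000) + bytes(204)  # PE32 magic, EP RVA 0x1000
    raw_ptr = 64 + 4 + 20 + 224 + 40                           # section data starts right after the headers
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), raw_ptr, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff + opt + sect + code


PACKED_SAMPLE = build_pe(bytes(range(256)) * 4, 0xE0000020)        # max entropy, CODE|EXECUTE|READ|WRITE
CLEAN_SAMPLE = build_pe(b"\x90" * 200 + b"\xC3", 0x60000020)       # low entropy, CODE|EXECUTE|READ
HIGH_ENTROPY_READONLY = build_pe(bytes(range(256)) * 4, 0x60000020)  # entropy-only heuristics misfire here
```

Running `packing_verdict` on the three constructed samples returns packed=True only for the first; the third has entropy 8.0 but no write flag, which is exactly the case the paper's combined criterion is meant to filter out.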
Keywords
Malware Forensics; PE File Analysis; Entropy; Packing Detection