LOGO

PolyUnpack:PolyUnpack:Automating the Hidden-Code Extraction of Automating the Hidden-Code Extraction of Unpack-Executing MalwareUnpack-Executing Malware

Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Wenke Lee;Computer Security Applications Conference, 2006. ACSAC '06.

22nd AnnualDec. 2006 Page(s):289 - 300

Presented by Kiet Vo

PolyUnpack

Summary

“Modern malware often hides the malicious portion of their program code by making it appear as data at compile time and transforming it back into executable code at run time.”

In this paper the authors discuss a technique for automating the process of extracting the hidden- code of this type of malware.

A tool called PolyUnpack, can deobfuscate/decrypt the hidden code for later analysis.

PolyUnpack

Appreciative Comments

The author has convinced well that PolyUnpack can detect more unpack-executing malware when compared with other dissemblers like PEiD and perform hidden code extraction efficiently .

One short coming in evaluating how well PolyUnpack assists malware reverse engineering and analysis is that the experiment was not knowing the inner workings of AV tools to see how well it helps the AV tools. The authors even planned to know the inner workings of several AV company labs but because of trade secrets, this was not possible. So the experiment was carefully planned and well thought.

Critical Comments

The paper does not say how the analysts manually unpack a given malware instance.

No comparisons made with other popular AV tools like Norton Antivirus as more users would get affected.

PolyUnpack

How efficient is the tool?

I like this new feature of detecting multiple unpacking: Some instances of unpack-executing malware complicate the

process of extracting their hidden code by having the unpacked code perform additional unpacking.

Think of it as an executable file, inside another executable file. Which can be inside another executable file.

When executed, the ‘outer’ executable will unpack the contents of the inner executable into memory and execute it.

PolyUnpack used to acquire the innermost body of unpacked code, until the extracted code produces no unpacked code.

• 1. The hidden code is extracted into an executable version.• 2. The new binary is then tested for unpack-execute behaviour.• The first 2 steps are repeated until innermost most of the hidden code is

extracted.

PolyUnpack

How accurate is the tool? PolyUnpack is evaluated using more than 3400 known

malware binaries. PolyUnpack identifies more unpack executing programs

than PEiD ( a popular tool for detecting unpack executing programs). PolyUnpack found 1754 samples to be unpack-executing and

extracted their hidden code. PEiD identified only 1482 samples. Extracting without knowledge of how the runtime code is

generated.

Efficiency: Manual extraction of hidden code takes more time: Manually unpacking a given malware instance takes between 15

and 60 mins. The average time PolyUnpack performs for each malware

instance is less than 20 mins; over 60% took less than 5 mins.

PolyUnpack

Questions With the current increase of new unpack-executing

malware. Do you think PolyUnpack would help other Antivirus software reduce false negative results or detect all unpack-execute malware?