Full metadata record

| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | 임을규 | - |
| dc.date.accessioned | 2021-10-25T06:10:13Z | - |
| dc.date.available | 2021-10-25T06:10:13Z | - |
| dc.date.issued | 2020-04 | - |
| dc.identifier.citation | CONCURRENCY AND COMPUTATION-PRACTICE & EXPERIENCE, v. 32, no. 8, article no. e5082 | en_US |
| dc.identifier.issn | 1532-0626 | - |
| dc.identifier.issn | 1532-0634 | - |
| dc.identifier.uri | https://onlinelibrary.wiley.com/doi/10.1002/cpe.5082 | - |
| dc.identifier.uri | https://repository.hanyang.ac.kr/handle/20.500.11754/165711 | - |
| dc.description.abstract | With the growing number of malware, malware analysis technologies need to be advanced continuously. Malware authors use various packing techniques to hide their code from malware detection tools and techniques. The packing techniques are generally used to compress and encrypt executable code in executable files, and the unpacking code is usually embedded in the executable files. Therefore, packed executable files can be executed by themselves, and the information associated with packing can be used to analyze and detect malware. Since different packing tools will generate different packed executable files, packing tools can be identified by analyzing packed executable files, and packer identification can reduce malware-analyzing overheads, and the executable files can even be unpacked. However, most previous studies focused on packing detection using signatures of unpacking code, and these approaches can be avoided by placing unpacking code in other locations or by distributing unpacking code in multiple locations. In this paper, we propose a new packer identification method by analyzing only code sections to extract features of malware generated by different packing tools. Experimental results show that our approach can identify different packing tools with an accuracy of 91.6% on average. Considering packer identification is a harder problem than packing detection, we argue that our approach can contribute to reducing overheads of malware analysis. | en_US |
| dc.language.iso | en | en_US |
| dc.publisher | WILEY | en_US |
| dc.subject | machine learning | en_US |
| dc.subject | malware analysis | en_US |
| dc.subject | obfuscation | en_US |
| dc.subject | packing detection | en_US |
| dc.title | Packer identification method based on byte sequences | en_US |
| dc.type | Article | en_US |
| dc.relation.no | 8 | - |
| dc.relation.volume | 32 | - |
| dc.identifier.doi | Article Number e5082 | - |
| dc.identifier.doi | 10.1002/cpe.5082 | - |
| dc.relation.page | 1-11 | - |
| dc.relation.journal | CONCURRENCY AND COMPUTATION-PRACTICE & EXPERIENCE | - |
| dc.contributor.googleauthor | Jung, ByeongHo | - |
| dc.contributor.googleauthor | Bae, Seong Il | - |
| dc.contributor.googleauthor | Choi, Chang | - |
| dc.contributor.googleauthor | Im, Eul Gyu | - |
| dc.relation.code | 2020050908 | - |
| dc.sector.campus | S | - |
| dc.sector.daehak | COLLEGE OF ENGINEERING[S] | - |
| dc.sector.department | SCHOOL OF COMPUTER SCIENCE | - |
| dc.identifier.pid | imeg | - |
| dc.identifier.researcherID | AAR-5690-2021 | - |
| dc.identifier.orcid | https://orcid.org/0000-0002-4130-513X | - |

Appears in Collections:
COLLEGE OF ENGINEERING[S](공과대학) > COMPUTER SCIENCE(컴퓨터소프트웨어학부) > Articles
Files in This Item:
There are no files associated with this item.
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
