PE-probe: leveraging packer detection and structural information to detect malicious portable executables

M. Zubair Shafiq, nexGIN RC
Syeda Momina Tabish, nexGIN RC
Muddassar Farooq, nexGIN RC

Since the dawn of the new millennium, there has been an exponential increase in the volume and sophistication of executable malware. Malware writers use sophisticated code obfuscation and encryption (also known as packing) techniques to circumvent the signatures used by commercial off-the-shelf anti-virus software. In fact, it is claimed that more than half of new malware is created simply by re-packing existing malware. Malware packing is undoubtedly the most challenging problem faced by anti-virus vendors today.

In this paper we present a novel scheme, 'PE-Probe', which utilizes the morphological (or structural) information of portable executables to detect zero-day (i.e. previously unseen) malicious executables. Our proposed scheme is fully robust to code obfuscation and packing techniques. First, it classifies a given test executable as packed or non-packed using well-studied heuristics. Depending on that outcome, the test executable is then compared against one of two specialized structural models (one trained on packed executables, the other on non-packed executables) for malware detection. PE-Probe is deployable in real time, as its scanning time is, on average, less than a quarter of a second per executable.

Through carefully designed experiments, we verify the reliability and robustness of our proposed scheme in stringent testing scenarios. The analysis presented in this study is done on a data set consisting of more than half a million malicious executable files obtained from OffensiveComputing.org.
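The first stage described above, the packed/non-packed decision, rests on structural features of the PE file. As an added illustration (not the paper's code and not necessarily its heuristics), the Python below parses the section table of a PE image and applies one widely used packer heuristic, near-random byte entropy in an executable section, to two constructed images; the 7.0 threshold and the minimal PE builder are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE section characteristics flag
PACKED_ENTROPY = 7.0                # assumed threshold in bits/byte, not a value from the paper

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the raw section; compressed or encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table; return [(name, entropy, flags)]."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    sec_off = pe_off + 24 + opt_size
    out = []
    for i in range(nsec):
        hdr = image[sec_off + 40 * i:sec_off + 40 * (i + 1)]
        raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<IIIIHHI", hdr, 16)
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        out.append((name, shannon_entropy(image[raw_ptr:raw_ptr + raw_size]), chars))
    return out

def is_packed(image: bytes, threshold: float = PACKED_ENTROPY) -> bool:
    """Packer heuristic: any executable section whose raw bytes look random."""
    return any(flags & IMAGE_SCN_MEM_EXECUTE and ent > threshold
               for _, ent, flags in parse_sections(image))

def build_pe(sections):
    """Assemble a minimal PE32 image from (name, raw_bytes, flags); constructed test data, not a real binary."""
    opt, pe_off = bytes(224), 64
    raw_ptr = (pe_off + 24 + len(opt) + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, blobs = b"", b""
    for name, data, flags in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr + len(blobs))
        table += bytes(12) + struct.pack("<I", flags)
        blobs += data
    head = b"MZ" + bytes(58) + struct.pack("<I", pe_off) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102) + opt + table
    return head + bytes(raw_ptr - len(head)) + blobs

LOW = bytes(range(16)) * 256                                               # repetitive bytes, entropy 4.0
HIGH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # random-looking, entropy ~7.95
PLAIN = build_pe([(b".text", LOW, 0x60000020), (b".data", LOW, 0xC0000040)])
PACKED = build_pe([(b".text", HIGH, 0xE0000020), (b".rsrc", LOW, 0x40000040)])
```

Entropy alone mislabels legitimately compressed resources and cleverly padded packers, which is why a deployed classifier combines several such structural features rather than relying on one.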
