UTA computer scientist publishes paper demonstrating highly effective method for detecting packed malware

Tuesday, Nov 20, 2018 • Media Contact : Herb Booth

Jiang Ming, an assistant professor in the Computer Science and Engineering Department at The University of Texas at Arlington, co-authored a paper detailing a new, highly effective way to detect malware that has been installed on Windows-based computers using a common obfuscation technique known as binary packing.

The paper, “Towards Paving the Way for Large-Scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-Magnitude Performance Boost,” was published in the Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS’18). Ming and his co-author, Binlin Cheng of Wuhan University and Hubei Normal University, presented their findings at the conference in October. Other collaborators were Jianming Fu and Guojun Peng of Wuhan University, Ting Chen and Xiaosong Zhang of the University of Electronic Science and Technology of China, and Jean-Yves Marion of L’Université de Lorraine, France.

UTA researcher working to stop malware through hardware changes
Jiang Ming

Malware, malicious code that is inserted into a computer’s operating system through executable software files, is a cyber security risk that can cause issues ranging from minor inconvenience to hijacking of complete corporate computer networks and could lead to millions of dollars in lost time and revenue.

Hackers use obfuscation, or means of camouflaging, to ensure that their malware won’t be detected by anti-virus software. The most common obfuscation is binary packing, where code is placed into a “package” which is then hidden inside a number of other “written-then-executed” layers. Once the code starts running on a victim machine, the malware initiates an unpacking process that breaks down the outer layers until the sinister code is unveiled – which may not be at the deepest layer – and begins to work. Eighty percent of malware samples are packed because it is a very efficient, low-cost approach that is easily purchased on the black market.

Anti-virus software checks against a database of common code that will show the presence of malware, but the big challenge in malware analysis is getting past packed encryption and compression. When security companies collect malware code from the Internet or a victim machine, it’s packed and not the original code, which means it can’t be analyzed to stop the malicious code.

Since malware runtime and executable scan time has a signature, Ming and his team devised a runtime analysis to detect and efficiently identify the point at which the real malicious code is unpacked so the anti-virus software can be deployed against the real code and not code designed to mislead security software.

“There isn’t a perfect unpacking approach, but since much of the malware out there contains known packers, if any code is detected, we can wait for the actual malware to be unpacked, then capture the signature for the payload and add it to our database for use against future packers,” Ming said.

“Our approach can be added to online virus-scanning services and deliver the original malware payload to antivirus providers so they can create more accurate solutions for the future. It’s a simple solution, but the results are impressive.”

In addition to being able to detect the actual malware payload in a jumble of code designed to throw off antivirus software, the new process can be run in less than one second, which is one ~ three orders of magnitude faster than current options. Ming and his team are creating a website where people can upload malware code to be unpacked for free.

This solution to cybersecurity is an example of data-driven discovery, one of four themes of UTA’s Strategic Plan 2020, said Computer Science and Engineering Department Chair Hong Jiang.  

“When dealing with malware, it is very difficult to keep up with people who intend to harm computer systems and software. Dr. Ming’s unpacking solution is an exciting development, not only for its efficiency, but for its speed and how quickly new malware can be identified and added to antivirus software. This could prevent huge financial losses and create greater confidence in security protocols worldwide,” Jiang said.