Inproceedings
Integration of Ether Unpacker into Ragpicker for plugin-based Malware Analysis and Identification
Contribution Summary
Malware analysis is a crucial aspect of cybersecurity, and the ability to identify malware variants and families is essential for early detection and response. Traditional malware detection approaches rely on file signatures, which are often ineffective against new malware code that incorporates rootkit technologies and gets encoded to subvert anti-virus products. This paper presents a new approach to malware analysis by integrating Ether Unpacker into the plugin-based malware analysis tool, Ragpicker. The integration aims to improve the unpacking rate of malware samples, enabling the analysis of transferred and reused code. The authors evaluate their approach against real-world malware patterns, demonstrating its effectiveness in identifying malware variants and families. The results show that the integration of Ether Unpacker into Ragpicker significantly improves the unpacking rate, enabling the analysis of previously unpackable malware samples. This approach has significant implications for malware analysis and detection, and the authors discuss future work and potential applications of this research.
Keywords: Malware Analysis; Ether Unpacker; Ragpicker; Binary Unpacking; Malware Detection; Cybersecurity; Digital Forensics; Malware Reverse Engineering
Abstract
Malware is a pervasive problem in both personal computing devices and distributed computing systems. Identification of malware variants and their families others a great benefit in early detection resulting in a reduction of the analyses time needed. In order to classify malware, most of the current approaches are based on the analysis of the unpacked and unencrypted binaries. However, most of the unpacking solutions in the literature have a low unpacking rate. This results in a low contribution towards the identification of transferred code and re-used code. To develop a new malware analysis solution based on clusters of binary code sections, it is required to focus on increasing of the unpacking rate of malware samples to extend the underlying code database. In this paper, we present a new approach of analysing malware by integrating ETHER Unpacker into the plugin-based malware analysis tool, Ragpicker. We also evaluate our approach against real-world malware patterns.
BibTeX
@inproceedings{schaefer2017etherunpacker,
author={Schaefer, Erik and Le-Khac, Nhien-An and Scanlon, Mark},
title="{Integration of Ether Unpacker into Ragpicker for plugin-based Malware Analysis and Identification}",
booktitle="{Proceedings of the 16th European Conference on Cyber Warfare and Security (ECCWS 2017)}",
year=2017,
month=06,
address={Dublin, Ireland},
publisher={ACPI},
pages="419-425",
abstract="Malware is a pervasive problem in both personal computing devices and distributed computing systems. Identification of malware variants and their families others a great benefit in early detection resulting in a reduction of the analyses time needed. In order to classify malware, most of the current approaches are based on the analysis of the unpacked and unencrypted binaries. However, most of the unpacking solutions in the literature have a low unpacking rate. This results in a low contribution towards the identification of transferred code and re-used code. To develop a new malware analysis solution based on clusters of binary code sections, it is required to focus on increasing of the unpacking rate of malware samples to extend the underlying code database. In this paper, we present a new approach of analysing malware by integrating ETHER Unpacker into the plugin-based malware analysis tool, Ragpicker. We also evaluate our approach against real-world malware patterns."
}