Unveiling Malware Patterns: A Self-analysis Perspective

TL;DR

This paper introduces VisUnpack, a static analysis framework that visualizes malware patterns, unpacks packed malware, and employs machine learning for accurate classification, significantly improving detection and analysis of malware samples.

Contribution

The paper presents a novel static analysis and visualization framework, VisUnpack, that effectively unpacks, analyzes, and classifies packed malware with high accuracy and efficiency.

Findings

VisUnpack achieves 99.7% malware classification precision.

Most antivirus tools struggle with packed malware detection.

Our method reduces data visualization space by over 97%.

Abstract

The widespread usage of Microsoft Windows has unfortunately led to a surge in malware, posing a serious threat to the security and privacy of millions of users. In response, the research community has mobilized, with numerous efforts dedicated to strengthening defenses against these threats. The primary goal of these techniques is to detect malicious software early, preventing attacks before any damage occurs. However, many of these methods either claim that packing has minimal impact on malware detection or fail to address the reliability of their approaches when applied to packed samples. Consequently, they are not capable of assisting victims in handling packed programs or recovering from the damages caused by untimely malware detection. In light of these challenges, we propose VisUnpack, a static analysis-based data visualization framework for bolstering attack prevention while aiding recovery post-attack by unveiling malware patterns and offering more detailed information including both malware class and family. Our method includes unpacking packed malware programs, calculating local similarity descriptors based on basic blocks, enhancing correlations between descriptors, and refining them by minimizing noises to obtain self-analysis descriptors. Moreover, we employ machine learning to learn the correlations of self-analysis descriptors through architectural learning for final classification. Our comprehensive evaluation of VisUnpack based on a freshly gathered dataset with over 27,106 samples confirms its capability in accurately classifying malware programs with a precision of 99.7%. Additionally, VisUnpack reveals that most antivirus products in VirusTotal can not handle packed samples properly or provide precise malware classification information. We also achieve over 97% space savings compared to existing data visualization based methods.