Pack-A-Mal: A Malware Analysis Framework for Open-Source Packages

TL;DR

This paper introduces Pack-A-Mal, a dynamic analysis framework for open-source packages that improves malware detection by capturing runtime behaviors within container sandboxes, addressing static analysis limitations.

Contribution

It enhances a dynamic analysis tool with runtime behavior capture and container sandboxing, improving malware detection in open-source packages.

Findings

Enhanced malware detection accuracy

Reduced false positives in analysis

Effective sandboxing of malicious packages

Abstract

The increasingly sophisticated environment in which attackers operate makes software security an even greater challenge in open-source projects, where malicious packages are prevalent. Static analysis tools, such as Malcontent, are highly useful but are often incapable of dealing with obfuscated malware. Such situations lead to an unreasonably high rate of false positives. This paper highlights that dynamic analysis, rather than static analysis, provides greater insight but is also more resource-intensive for understanding software behaviour during execution. In this study, we enhance a dynamic analysis tool, package-analysis, to capture key runtime behaviours, including commands executed, files accessed, and network communications. This modification enables the use of container sandboxing technologies, such as gVisor, to analyse potentially malicious packages without significantly compromising the host system.