The detection of operational malware by its tactics of obfuscation

  • Author(s) / Creator(s)
  • While some percentage of newborn malware has always evaded detection by anti-malware services, the quantity of malware able to compromise preventative controls is increasing. Therefore, enterprise security practitioners must confront the reality that malware will infect their organization's computing environment. A problem largely unaddressed by the security community is the detection of such operational malware. One aspect of most current malware is its use of powerful obfuscation techniques that render a malicious payload inscrutable to detectors. Consequently, obfuscation serves as a major indicator of operational malware. Various aspects of obfuscation are analyzed with the goal of determining its relevance to the detection process. A differential analysis of various attributes of executables, as collected from disk and memory instances of running malware, serves as a basis for evaluating the detective utility of the form of obfuscation, commonly called 'packing', that is designed to evade preventive mechanisms before the execution phase. It is established that most malware is detectable by the difference in its code sections between disk and memory; that structural attributes of executables can aid in this detection; and that there are auxiliary obfuscation techniques that must be considered. A tool practicable in the enterprise environment is proposed to remediate this chink in the armor of defensive tactics.

  • Date created
    2009-01-08
  • Subjects / Keywords
  • Type of Item
    Research Material
  • DOI
    https://doi.org/10.7939/r3-c3da-1p06
  • License
    Attribution-NonCommercial 4.0 International