English abstract
Abstract:
Malware is the most important security threat in cyberspace. Some statistics show that over 400,000 malware samples are released every day. The majority of malware that appears today is packed in order to avoid easy detection, so it needs to be unpacked before any analysis can begin. There are two methods for malware unpacking: static and dynamic. Dynamic unpacking has been shown to be dangerous and time-consuming. Therefore, employing static unpacking methods is proposed for this purpose. In order to statically unpack a given packed malware sample, it is necessary to identify the encryption algorithm used during the packing process.
A large number of dynamic unpacking tools have been provided so far. The most important drawback of dynamic unpacking is that it requires the malware to be executed on the system. Static unpacking methods have been proposed to deal with this problem; however, they have limitations. The applicability of signature-based static unpacking is limited by its inability to identify the type of compression and the encryption algorithm. Signature-based static malware unpacking is therefore usable only when the signature of the packer is available, and it cannot be used to unpack customized or unknown packers.
In this thesis, a framework for identifying the compression or encryption algorithms used in packed malware is proposed that employs feature extraction and data-mining techniques. It can therefore identify the algorithms used in packed malware without having the signatures of packers and protectors in hand. The proposed framework is also able to detect Microsoft CryptoAPI function calls used for encryption/decryption.
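As an added illustration (not the thesis's own code) of the kind of static features such a framework can extract without executing the sample, the following Python computes byte entropy over a buffer and looks for Microsoft CryptoAPI export names that a packer stub may reference. The list of CryptoAPI names and the constructed sample buffer are assumptions of this example, not data from the thesis.

```python
import math
import random

# Windows CryptoAPI export names (advapi32.dll) that a packer stub may import.
# Assumption: the thesis's own list of monitored functions is not given on this page.
CRYPTOAPI_FUNCS = (
    b"CryptAcquireContextA", b"CryptAcquireContextW", b"CryptImportKey",
    b"CryptDeriveKey", b"CryptEncrypt", b"CryptDecrypt", b"CryptCreateHash",
    b"CryptHashData", b"CryptDestroyKey", b"CryptReleaseContext",
)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input; compressed/encrypted regions approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_cryptoapi_names(data: bytes) -> list:
    """Sorted, de-duplicated CryptoAPI names present as ASCII strings (e.g. import names)."""
    return sorted({f.decode() for f in CRYPTOAPI_FUNCS if f in data})

def extract_features(data: bytes, window: int = 256) -> dict:
    """Static features: overall entropy, highest windowed entropy, CryptoAPI names found."""
    windows = [data[i:i + window] for i in range(0, len(data), window)]
    return {
        "entropy": round(shannon_entropy(data), 3),
        "max_window_entropy": round(max((shannon_entropy(w) for w in windows), default=0.0), 3),
        "cryptoapi": find_cryptoapi_names(data),
    }

# Constructed sample (not a real binary): a low-entropy "stub" carrying import-name
# strings, followed by a pseudo-random block standing in for an encrypted payload.
_rng = random.Random(7)
SAMPLE = (b"MZ" + b"\x00" * 200
          + b"advapi32.dll\x00CryptAcquireContextA\x00CryptDecrypt\x00"
          + b"\x00" * 100
          + bytes(_rng.randrange(256) for _ in range(1024)))

if __name__ == "__main__":
    print(extract_features(SAMPLE))
```

A high-entropy window together with CryptoAPI import names is a feature vector a classifier can consume; it is a hint, not proof, that a CryptoAPI-based encryption layer is present.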
Keywords: Static Analysis, Static Unpacking, Malware, Packer, Encryption