Integration of Ether Unpacker into Ragpicker for plugin-based Malware Analysis and Identification

Schaefer, Erik; Le-Khac, Nhien-An; Scanlon, Mark

Publication Date:  June 2017

Publication Name:  Proceedings of the 16th European Conference on Cyber Warfare and Security (ECCWS 2017)

Abstract:   Malware is a pervasive problem in both personal computing devices and distributed computing systems. Identification of malware variants and their families others a great benefit in early detection resulting in a reduction of the analyses time needed. In order to classify malware, most of the current approaches are based on the analysis of the unpacked and unencrypted binaries. However, most of the unpacking solutions in the literature have a low unpacking rate. This results in a low contribution towards the identification of transferred code and re-used code. To develop a new malware analysis solution based on clusters of binary code sections, it is required to focus on increasing of the unpacking rate of malware samples to extend the underlying code database. In this paper, we present a new approach of analysing malware by integrating ETHER Unpacker into the plugin-based malware analysis tool, Ragpicker. We also evaluate our approach against real-world malware patterns.

Download Paper:

Download Paper as PDF

BibTeX Entry:


      @inproceedings{schaefer2017etherunpacker,
author={Schaefer, Erik and Le-Khac, Nhien-An and Scanlon, Mark},
title="{Integration of Ether Unpacker into Ragpicker for plugin-based Malware Analysis and Identification}",
booktitle="{Proceedings of the 16th European Conference on Cyber Warfare and Security (ECCWS 2017)}",
year="2017",
month="06",
address={Dublin, Ireland},
publisher={ACPI},
pages="419-425",
abstract="Malware is a pervasive problem in both personal computing devices and distributed computing systems. Identification of malware variants and their families others a great benefit in early detection resulting in a reduction of the analyses time needed. In order to classify malware, most of the current approaches are based on the analysis of the unpacked and unencrypted binaries. However, most of the unpacking solutions in the literature have a low unpacking rate. This results in a low contribution towards the identification of transferred code and re-used code. To develop a new malware analysis solution based on clusters of binary code sections, it is required to focus on increasing of the unpacking rate of malware samples to extend the underlying code database. In this paper, we present a new approach of analysing malware by integrating ETHER Unpacker into the plugin-based malware analysis tool, Ragpicker. We also evaluate our approach against real-world malware patterns."
}