D'Hondt, Alexandre [UCL]
Bertrand Van Ouytsel, Charles-Henry [UCL]
Legay, Axel [UCL]
Detecting executable packing remains an open problem, especially for static analysis. Packing is widely used in malware to hide malicious code from detection systems. In recent years, many studies of static packing detection have addressed this problem with heuristics and machine learning, considering different ad hoc techniques, algorithms and feature sets, but very few have addressed it from the adversarial point of view, that is, how to fool heuristics by altering samples with targeted modifications. The objective of this work is to study how easily detection by the open source static detectors commonly used by the community can be evaded by applying alterations to packed samples that require only slight adaptations of the related packers. An adversarial setting is addressed from the problem-space perspective, using realistic modifications of binary samples that target common significant features. For this purpose, alterations and datasets are composed and static detection is applied using the experimental toolkit Packing Box. The results of the alterations are reported, in terms of feature information gain and detection accuracy, on open source static packing detectors. Finally, their significant effects are highlighted and their effectiveness is evaluated.


Bibliographic reference: D'Hondt, Alexandre; Bertrand Van Ouytsel, Charles-Henry; Legay, Axel. Evading Packing Detection: Breaking Heuristic-Based Static Detectors (Extended Abstract). 21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2024) (Switzerland, 17/07/2024 to 19/07/2024).
Permanent URL: http://hdl.handle.net/2078.1/288321