
Graduate student: 張慧宇 (HUI-YU CHANG)
Thesis title: 基於靜態分析之加殼程式分類系統 (Code Obfuscator Classification System Based on Static Analysis)
Advisor: 洪西進 (Shi-Jinn Horng)
Committee members: 鐘國亮 (Kuo-Liang Chung), 王有禮 (Yue-Li Wang)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2012
Graduation academic year: 100
Language: Chinese
Number of pages: 77
Chinese keywords (translated): Malware, Packer, PE Table, X-Means, Support Vector Machine
Foreign-language keywords: Malware, Packed, PE Table, X-means, Entropy, SVM
Abstract (translated from the Chinese): Today most malware is wrapped by packer software, and as the encryption techniques used by packers advance rapidly, reverse engineering of viruses becomes more difficult. The main goal of this study is to classify the packer used by a piece of malware. The method first detects whether an input file is packed, and then classifies the packer used by the packed input file. The proposed method not only classifies known packers but can also classify unknown packers, grouping unknown packed files with similar features into categories so as to speed up the subsequent unpacking work of virus analysts. For packer detection, this study inspects the content of the PE (Portable Executable) file to determine whether a packing mechanism is present, mainly using information entropy to detect whether the code has been encrypted. For packer classification, the imported application programming interfaces (APIs) and the information entropy at the entry point are used as features, and these features are fed into an X-means clusterer and an SVM classifier to classify the packer. The results show that using PE file information as features for classifying packed files is very effective, and that X-means and SVM correctly classify the packer used by a file.


Abstract (English): In recent years most malware has been packed, and reverse engineering of malware has become quite hard due to the rapid evolution of packing techniques. The goal of the proposed method is to classify the packer types of packed malware. With the proposed method, not only known packers but also unknown packers can be classified. Classifying unknown packers is very useful for virus analysts, since it speeds up the unpacking of malware that uses unknown packers. For the detection of packed executables, we use the content of the PE table to detect whether an executable is packed, and the encrypted sections of an executable are detected by information entropy. For the classification of packers, we first use the imported application programming interfaces and the information entropy at the entry point as features. Then we use X-means and SVM to classify the packers based on the obtained features. The experimental results show that the content of the PE table is quite useful as a feature for identifying whether an executable is packed. Also, the combination of X-means and SVM is good for the classification of packers.
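As an added illustration of the detection step described in both abstracts (this is not code from the thesis), the Python below parses the PE section table, computes per-section Shannon entropy and the entropy of the bytes at the entry point, and flags an image whose highest section entropy exceeds a threshold. The 7.0-bit threshold, the 256-byte entry-point window, the section-to-RVA layout of the builder and the two sample images are assumptions constructed here, not values from the thesis.

```python
import math
import random
import struct
from collections import Counter
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, PointerToRawData, SizeOfRawData), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                        # 20-byte COFF header, then the optional header
    num_sections, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", pe, coff + 36)[0]     # AddressOfEntryPoint: 16 bytes into the optional header
    hdrs = [SECTION_HDR.unpack_from(pe, coff + 20 + opt_size + 40 * i) for i in range(num_sections)]
    return entry_rva, [(h[0].rstrip(b"\0").decode("ascii", "replace"), h[2], h[4], h[3]) for h in hdrs]

def analyse(pe: bytes, window: int = 256, threshold: float = 7.0) -> dict:
    """Per-section entropy, entropy of the `window` bytes at the entry point, and a packed verdict (assumed threshold)."""
    entry_rva, sections = parse_sections(pe)
    per_section = {name: shannon_entropy(pe[rptr:rptr + rsize]) for name, _, rptr, rsize in sections}
    ep_entropy = 0.0
    for _, vaddr, rptr, rsize in sections:                     # map the entry-point RVA back to a file offset
        if vaddr <= entry_rva < vaddr + rsize:
            ep_entropy = shannon_entropy(pe[rptr + entry_rva - vaddr:][:window])
    return {"sections": per_section, "entry_point_entropy": ep_entropy,
            "packed": max(per_section.values(), default=0.0) > threshold}

def build_sample_pe(blobs, entry_rva: int) -> bytes:  # CONSTRUCTED fixture: minimal, non-loadable PE32 image
    n, opt_size = len(blobs), 224                              # section i is mapped at RVA 0x1000 * (i + 1)
    first_raw = (0x40 + 24 + opt_size + 40 * n + 0x1FF) & ~0x1FF   # headers padded to 512-byte file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table, body, raw = b"", b"", first_raw
    for i, (name, blob) in enumerate(blobs):
        rsize = (len(blob) + 0x1FF) & ~0x1FF
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(blob), 0x1000 * (i + 1), rsize, raw, 0, 0, 0, 0, 0x60000020)
        body, raw = body + blob.ljust(rsize, b"\0"), raw + rsize
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body

# Constructed samples: repetitive code-like bytes versus a seeded pseudo-random "compressed" section.
PLAIN, NOISY = b"\x55\x8b\xec\x83\xec\x10" * 300, bytes(random.Random(2012).choices(range(256), k=4096))
UNPACKED = build_sample_pe([(b".text", PLAIN), (b".data", b"hello world\0" * 100)], entry_rva=0x1000)
PACKED = build_sample_pe([(b"UPX0", b"\0" * 64), (b"UPX1", NOISY)], entry_rva=0x2000)
```

Entropy alone is a coarse signal (a plain executable carrying a large compressed resource will also score high), which is why the thesis combines it with PE-table and import features before classification.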

Table of Contents
    Table of Contents ii
    List of Figures iv
    List of Tables vii
    Abstract ix
    Acknowledgements x
    Chapter 1 Introduction 1
        1. Research background and objectives 1
        2. Significance and contributions of the research 3
        3. Thesis organization 5
    Chapter 2 Related Literature and Background 6
        1. Packers 6
        2. Static analysis 7
        3. Related research on static analysis 13
    Chapter 3 Research Method 16
        1. PE format - Headers Information Correlation 16
        2. PE format - Import Table 22
        3. Bitropy 27
        4. Semi-Cluster, X-Means with SVM (Support Vector Machine) 31
            4.1. X-Means [39] 31
            4.2. SVM (Support Vector Machine) [41] 35
    Chapter 4 System Architecture 40
        1. System environment 40
        2. System workflow 41
        3. System architecture 41
    Chapter 5 Experiments and Results 48
        1. Experimental dataset 48
        2. Notation and evaluation metrics 50
            2.1. Packed Executables Detection System 50
            2.2. Packer Classification System 51
        3. Experimental results 52
            3.1. Packed Executables Detection System 52
            3.2. Packer Classification System 56
    Chapter 6 Conclusion 58
    References 59
    Appendix A 63

    [1] Symantec Intelligence Quarterly, April-June 2010, http://www.myhome.net.tw/cert01/15.htm.
    [2] Kaspersky, http://www.securelist.com/en/analysis/204792120/Information_Security_Threats_in_the_First_Quarter_of_2010.
    [3] Norman Security Tools, http://www.norman.com/security_center/security_tools/.
    [4] F. Guo, P. Ferrie, and T.-C. Chiueh, “A study of the packer problem and its solutions,” in RAID ’08, pp. 98–115, 2008.
    [5] MSDN, http://msdn.microsoft.com/library/ms123401.
    [6] J. Olivain and J. Goubault-Larrecq, “Detecting Subverted Cryptographic Protocols by Entropy Checking,” Research Report LSV-06-13, Laboratoire Spécification et Vérification, June 2006.
    [7] R. Lyda and J. Hamrock, “Using Entropy Analysis to Find Encrypted and Packed Malware,” IEEE Security and Privacy 5(2), pp. 40–45, 2007.
    [8] Yang-seo Choi, Ik-kyun Kim, Jin-tae Oh, and Jae-cheol Ryou, “PE File Header Analysis-Based Packed PE File Detection Technique (PHAD),” International Symposium on Computer Science and its Applications (CSA ’08), pp. 28–31, 2008.
    [9] Ashkan Sami, Babak Yadegari, Hossein Rahimi, Naser Peiravian, Sattar Hashemi, and Ali Hamze, “Malware detection based on mining API calls,” SAC ’10: Proceedings of the 2010 ACM Symposium on Applied Computing, pp. 1020–1025, 2010.
    [10] Shi-Jinn Horng and Yu-Chen Liu, “Packed Executables Detection System Based on Static Analysis,” Master’s thesis, Department of Computer Science, National Taiwan University of Science and Technology.
    [11] Yang-seo Choi, Ik-kyun Kim, Jin-tae Oh, and Jae-cheol Ryou, “PE File Header Analysis-based Packed PE File Detection Technique (PHAD),” Proc. of the International Symposium on Computer Science and its Applications, pp. 28–31, 2008.
    [12] Vijay Laxmi, Manoj Singh Gaur, Parvez Faruki, and Smita Naval, “PEAL: Packed Executable Analysis,” ADCONS 2011, LNCS 7135, pp. 237–243, 2012.
    [13] Aos A. Z., A. W. Nazi, Shihab A. Hameed, Fazida Othman, and B. B. Zaidan, “Approved Undetectable-Antivirus Steganography,” International Spring Conference on Computer and Information Technology, pp. 437–441, 2009.
    [14] X. Ugarte-Pedrero, I. Santos, P. Bringas, M. Gastesi, and J. Esparza, “Semi-supervised Learning for Packed Executable Detection,” in Proceedings of the 5th International Conference on Network and System Security (NSS), pp. 342–346, 2011.
    [15] X. Ugarte-Pedrero, I. Santos, B. Sanz, C. Laorden, and P. Bringas, “Countering Entropy Measure Attacks on Packed Software Detection,” Proceedings of the 9th IEEE Consumer Communications and Networking Conference (CCNC 2012), 2012.
    [16] Tzu-Yen Wang, Chin-Hsiung Wu, and Chu-Cheng Hsieh, “Detecting Unknown Malicious Executables Using Portable Executable Headers,” Fifth International Joint Conference on INC, pp. 278–284, 2009.
    [17] Kathy J. Liszka, Chien-Chung Chan, and Zhong-Hui Duan, “Classification of Malware using Reverse Engineering and Data Mining Technique,” Master’s thesis, The Graduate Faculty of The University of Akron.
    [18] Te-En Wei, Zhi-Wei Chen, Chin-Wei Tien, Jain-Shing Wu, Hahn-Ming Lee, and Albert B. Jeng, “RePEF: A System for Restoring Packed Executable File for Malware Analysis,” ICMLC, pp. 519–527, 2011.
    [19] A. Sami, H. Rahimi, B. Yadegari, and S. Hashemi, “Malware Detection Based on Mining API Calls,” ACM Symposium on Applied Computing, April, pp. 1020–1025, 2010.
    [20] R. Veeramani and Nitin Rai, “Windows API based Malware Detection and Framework Analysis,” International Journal of Scientific & Engineering Research, pp. 1–6, 2012.
    [21] Altyeb Altaher, Sureswaran Ramadass, and Ammar ALmomani, “An Intelligent Approach for Malware Detection in Dual Stack IPv4/IPv6 Networks,” International Journal of Physical Sciences, pp. 1607–1612, 2012.
    [22] Roberto Perdisci, Andrea Lanzi, and Wenke Lee, “Classification of Packed Executables for Accurate Computer Virus Detection,” Pattern Recognition Letters 29, pp. 1941–1946, 2008.
    [23] Daniel Quist, Lorie Liebrock, and Joshua Neil, “Improving Antivirus Accuracy with Hypervisor Assisted Analysis,” J. Comput. Virol., pp. 121–131, 2011.
    [24] T. Ebringer, L. Sun, and S. Boztas, “A Fast Randomness Test That Preserves Local Detail,” Virus Bulletin, pp. 34–42, 2008.
    [25] Li Sun, Steven Versteeg, Serdar Boztas, and Trevor Yann, “Pattern Recognition Techniques for the Classification of Malware Packers,” ACISP 2010, LNCS 6168, pp. 370–390, 2010.
    [26] Gregoire Jacob, Paolo Milani Comparetti, Matthias Neugschwandtner, Christopher Kruegel, and Giovanni Vigna, “A Static, Packer-Agnostic Filter to Detect Similar Malware Samples,” Technical Report 2010-26, UC Santa Barbara, 2010.
    [27] Julien Olivain and Jean Goubault-Larrecq, “Detecting Subverted Cryptographic Protocols by Entropy Checking,” Research Report, Centre National de la Recherche Scientifique, 2006.
    [28] R. Lyda and J. Hamrock, “Using Entropy Analysis to Find Encrypted and Packed Malware,” IEEE Security and Privacy 5, pp. 40–45, 2007.
    [29] Fanglu Guo, Peter Ferrie, and Tzi-cker Chiueh, “A Study of the Packer Problem and Its Solutions,” RAID 2008, LNCS 5230, pp. 98–115, 2008.
    [30] Seungwon Han, Keungi Lee, and Sangjin Lee, “Packed PE File Detection for Malware Forensics,” 2nd International Conference on Computer Science and its Applications (CSA), 2009.
    [31] Nikos Mavrogiannopoulos, Nessim Kisserli, and Bart Preneel, “A Taxonomy of Self-Modifying Code for Obfuscation,” Computers & Security 30, pp. 679–691, 2011.
    [32] Sebastian Schrittwieser and Stefan Katzenbeisser, “Code Obfuscation against Static and Dynamic Reverse Engineering,” Lecture Notes in Computer Science, pp. 270–284, 2011.
    [33] A. Venkatesan, “Code Obfuscation and Metamorphic Virus Detection,” Master’s thesis, San Jose State University, 2008.
    [34] Hui Fang, Yongdong Wu, Shuhong Wang, and Yin Huang, “Multi-stage Binary Code Obfuscation Using Improved Virtual Machine,” LNCS 7001, pp. 168–181, 2011.
    [35] Da Lin and Mark Stamp, “Hunting for Undetectable Metamorphic Viruses,” J. Comput. Virol., pp. 201–214, 2011.
    [36] Mohab U. AbdelHameed, Mohamed A. Sobh, and Ayman M. Bahaa Eldin, “Portable Executable Automatic Protection using Dynamic Infection and Code Redirection,” Computer Engineering & Systems, pp. 501–507, 2009.
    [37] Sungkyu Cho, Donghwi Shin, Heasuk Jo, Donghyun Choi, Dongho Won, and Seungjoo Kim, “Secure and Efficient Code Encryption Scheme Based on Indexed Table,” ETRI Journal, pp. 60–70, 2011.
    [38] M. G. Kang, P. Poosankam, and H. Yin, “Renovo: A hidden code extractor for packed executables,” Proceedings of the 5th ACM Workshop on Recurring Malcode, 2007.
    [39] D. Pelleg and A. Moore, “X-Means: Extending K-means with Efficient Estimation of the Number of Clusters,” International Conference on Machine Learning, 2000.
    [40] G. Schwarz, “Estimating the dimension of a model,” The Annals of Statistics, vol. 6, pp. 461–464, 1978.
    [41] V. Vapnik, “Statistical Learning Theory,” Wiley, New York, 1998.
    [42] E. Ardizzone, A. Chella, and R. Pirrone, “An Architecture for Automatic Gesture Analysis,” Proceedings of the Working Conference on Advanced Visual Interfaces, May 2000.
    [43] VX Heavens, http://vx.netlux.org
    [44] 史萊姆, http://www.slime.com.tw
    [45] 軟體王, http://www.softking.com.tw
    [46] PChome, http://toget.pchome.com.tw
