Detecting Packed Executables Based on Raw Binary Data

Packing an executable originally referred to the compression of the file to reduce its size on disk. Nowadays, packing also introduces encryption and anti-debug techniques to protect executables from reverse engineering. This explains why packers are extensively used in creating new malware variants which are not detected by traditional signature-based anti-malware tools. Although universal unpackers exist for extracting the executable code from packed files, they often rely on methods based on dynamic analysis, thus making them computationally expensive and time consuming. Hence, it is important to detect packed executables beforehand to avoid unnecessary computations so that only protected executables need be sent to the unpacker before further analysis. In this paper, we propose a new technique for fast identification of packed executables by analyzing only the raw binary data. We extract bigram-based features on packed and unpacked executables and use a support vector machine for training and testing. Experimental results reveal that we are able to correctly identify packed executables with a high detection rate in the range of 95%-98% for a variety of packers and crypters.