PE-Probe: Leveraging Packer Detection and Structural Information to Detect Malicious Portable Executables
Authors
Abstract
The number of executable malware samples and the sophistication of their destructive ability have increased exponentially in the past couple of years. Malware writers use sophisticated code obfuscation and encryption (a.k.a. packing) techniques to circumvent signatures – derived from the code of the malware for detection – stored in the signature databases of commercial off-the-shelf anti-virus software. In fact, it is claimed that more than half of new malware are created simply by re-packing existing malware. Malware packing can undoubtedly be considered the most challenging problem faced by anti-virus vendors today. In this paper we present a novel scheme – PE-Probe – which detects packed files and uses structural information of portable executables to detect zero-day (i.e. previously unseen) malicious executables. As a result, our proposed scheme is fully robust to code obfuscation and packing techniques. PE-Probe functions in two phases: (1) it classifies a given executable as packed or non-packed by employing well-studied heuristics, and (2) on the basis of that outcome it invokes specialized structural models – developed separately for packed and non-packed executables – for malware detection. PE-Probe is deployable in real time, as its scanning time is on average less than a quarter of a second per executable. We have carefully designed experiments – keeping stringent testing scenarios in view – to analyze the reliability and robustness of our scheme against packing and obfuscation techniques. We report our experiments on a recently obtained malware dataset from OffensiveComputing.net, which contains more than half a million malicious executables.
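The abstract does not spell out which "well-studied heuristics" the first phase uses, so the following is an added illustration, not the paper's code: a minimal PE32 section-header parser and a packed/non-packed decision built from heuristics the packer-detection literature commonly cites (section entropy, non-standard section names, writable-and-executable sections, and an entry point that falls outside `.text`). The thresholds, the `KNOWN_SECTION_NAMES` list, the "two or more findings means packed" rule and both sample images are assumptions constructed here so the script runs offline; the images only carry the header fields the heuristics read and are not loadable binaries.

```python
"""Added example: phase-one packer heuristics over PE32 section headers.
Heuristics, thresholds and sample images are assumptions, not PE-Probe's own."""
import hashlib
import math
import struct

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names typically emitted by unpacked compiler output (assumed list).
KNOWN_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata",
                       ".edata", ".rsrc", ".reloc", ".tls", ".pdata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed/encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Return (entry_point_rva, [section dicts]) read from a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "characteristics": chars,
                         "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def packer_heuristics(image: bytes, entropy_threshold: float = 7.0):
    """List human-readable indicators that the image is packed (assumed rules)."""
    entry, sections = parse_sections(image)
    findings = []
    for s in sections:
        if s["entropy"] >= entropy_threshold:
            findings.append(f"high entropy ({s['entropy']:.2f}) in {s['name']}")
        if s["name"] not in KNOWN_SECTION_NAMES:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable and executable section {s['name']}")
    ep = next((s for s in sections if s["va"] <= entry < s["va"] + s["vsize"]), None)
    if ep is None:
        findings.append("entry point outside any section")
    elif ep["name"] != ".text":
        findings.append(f"entry point in {ep['name']} rather than .text")
    return findings


def is_packed(image: bytes) -> bool:
    """Assumed decision rule: two or more independent indicators."""
    return len(packer_heuristics(image)) >= 2


def _align(value: int, boundary: int) -> int:
    return (value + boundary - 1) // boundary * boundary


def build_pe(sections, entry_section: int = 0) -> bytes:
    """Construct a PE32 image from (name, raw_bytes, characteristics, virtual_size) tuples.
    Only the header fields the heuristics read are populated."""
    file_align, sect_align, opt_size = 0x200, 0x1000, 224
    raw_base = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections), file_align)
    headers, payload, va, entry_rva = [], bytearray(), sect_align, 0
    for i, (name, raw, chars, vsize) in enumerate(sections):
        vsize = vsize or len(raw)
        raw_size = _align(len(raw), file_align) if raw else 0
        ptr = raw_base + len(payload) if raw else 0
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                   vsize, va, raw_size, ptr, 0, 0, 0, 0, chars))
        payload += raw.ljust(raw_size, b"\0")
        if i == entry_section:
            entry_rva = va
        va += _align(vsize, sect_align)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"".join(headers)
    return image.ljust(raw_base, b"\0") + bytes(payload)


# Constructed sample images (not real binaries).
_CODE = b"\x55\x8b\xec\x83\xec\x10" * 300 + b"\x5d\xc3"            # repetitive, low entropy
_HIGH = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
BENIGN_IMAGE = build_pe([(".text", _CODE, 0x60000020, None),
                         (".data", b"config=1\0" * 50, 0xC0000040, None),
                         (".rsrc", b"\0" * 256, 0x40000040, None)])
PACKED_IMAGE = build_pe([("UPX0", b"", 0xE0000080, 0x10000),        # empty on disk, large in memory
                         ("UPX1", _HIGH, 0xE0000040, None),         # compressed payload, W+X
                         (".rsrc", b"\0" * 256, 0xC0000040, None)], entry_section=1)

if __name__ == "__main__":
    for label, img in (("benign", BENIGN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, is_packed(img), packer_heuristics(img))
```

In PE-Probe's pipeline the boolean from `is_packed` would select which of the two structural models scores the file; the point of keeping the phase separate is that header features which look anomalous on an unpacked binary (tiny import table, high-entropy sections) are normal on a packed one, so a single model trained on both would blur them together.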
Similar sources
PE-Miner: Realtime Mining of ‘Structural Information’ to Detect Zero-Day Malicious Portable Executables∗
In this paper, we present an accurate and realtime PE-Miner framework that automatically extracts distinguishing features from portable executables (PE) to detect zero-day malware without any a priori knowledge about them. The distinguishing features are extracted using the structural information standardized by the Microsoft Windows operating system for executables, DLLs and object files. We f...
Full text
PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime
In this paper, we present an accurate and realtime PE-Miner framework that automatically extracts distinguishing features from portable executables (PE) to detect zero-day (i.e. previously unknown) malware. The distinguishing features are extracted using the structural information standardized by the Microsoft Windows operating system for executables, DLLs and object files. We follow a threefol...
Full text
Artificial Immune System based General Purpose Intrusion Detection System
Full text
Using Fuzzy Pattern Recognition to Detect Unknown Malicious Executables Code
An intelligent detection system for recognizing unknown computer viruses is proposed. Using a method based on a fuzzy pattern recognition algorithm, a malicious executable code detection network model is also designed. This model targets Win32 binary viruses on Intel IA32 architectures. It can detect known and unknown malicious code by analyzing their behavior. We gathered 423 benign and 209 mali...
Full text
Structural Feature Based Anomaly Detection for Packed Executable Identification
Malware is any software with malicious intentions. Commercial anti-malware software relies on signature databases. This approach has proven to be effective when the threats are already known. However, malware writers employ software encryption tools and code obfuscation techniques to hide the actual behaviour of their malicious programs. One of these techniques is executable packing, which cons...
Full text