PolyPack: An automated online packing service for optimal antivirus evasion

Jon Oberheide, Michael Bailey, Farnam Jahanian

Research output: Contribution to conference (Paper)

Abstract

Packers have long been a valuable tool in the toolbox of offensive users for evading the detection capabilities of signature-based antivirus engines. However, selecting the packer that results in the most effective evasion of antivirus engines may not be a trivial task due to diversity in the capabilities of both antivirus and packers. In this paper, we propose the creation of an online automated service, called PolyPack, that uses an array of packers and antivirus engines as a feedback mechanism to select the packer that will result in the optimal evasion of the antivirus engines. Towards understanding the utility and efficacy of such a service, we construct an implementation of PolyPack which employs 10 packers and 10 popular antivirus engines. We show that PolyPack provides 258% more effective evasion of antivirus engines than using an average packer and out-evades the best evaluated packer (Themida) for over 40% of the binary samples.
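The selection loop the abstract describes is an arg-min over a detection matrix: pack the sample with every candidate packer, submit each result to every engine, keep the packer that draws the fewest detections. The following is an added example, not code from the paper or the PolyPack service; packer names, engine names and every verdict in `DETECTIONS` are constructed test data, and `scan` stands in for the real pack-and-submit step. It also reproduces the three comparison metrics from the abstract (evasion of the average packer, of the best single packer, and the share of samples on which per-sample selection strictly beats that best packer).

```python
"""PolyPack-style packer selection and evaluation, reconstructed from the
abstract. Everything below is constructed illustration data, not results
from the paper."""

PACKERS = ["upx", "themida", "aspack"]           # hypothetical packer set
ENGINES = ["av1", "av2", "av3", "av4"]           # hypothetical engine set
SAMPLES = ["s1", "s2", "s3"]                     # hypothetical binaries

# Constructed verdicts: (sample, packer) -> engines that flag the packed file.
# In a real service each entry comes from actually packing the sample and
# scanning the output with every engine.
DETECTIONS = {
    ("s1", "upx"):     {"av1", "av2", "av3", "av4"},
    ("s1", "themida"): {"av1"},
    ("s1", "aspack"):  {"av1", "av2", "av3"},
    ("s2", "upx"):     {"av1", "av2", "av3"},
    ("s2", "themida"): {"av2", "av3"},
    ("s2", "aspack"):  {"av4"},
    ("s3", "upx"):     {"av1", "av2"},
    ("s3", "themida"): set(),
    ("s3", "aspack"):  {"av1", "av3"},
}


def scan(sample, packer):
    """Stand-in for 'pack the sample with `packer`, then run every engine'.
    Returns the number of engines that flag the packed sample."""
    return len(DETECTIONS[(sample, packer)])


def select_packer(sample, packers=PACKERS):
    """The feedback step: try every packer, keep the one with the fewest
    detections (ties broken by name so the result is deterministic)."""
    return min(packers, key=lambda p: (scan(sample, p), p))


def mean(values):
    values = list(values)
    return sum(values) / len(values)


def evaluate(samples=SAMPLES, packers=PACKERS, engines=ENGINES):
    """Compare per-sample selection against a fixed packer choice.
    Evasion rate = 1 - (detections / number of engines)."""
    n = len(engines)

    # Mean detections of each packer applied blindly to every sample.
    per_packer = {p: mean(scan(s, p) for s in samples) for p in packers}
    best_packer = min(per_packer, key=lambda p: (per_packer[p], p))

    # Oracle choice per sample, as the service would return it.
    choices = {s: select_packer(s, packers) for s in samples}

    return {
        "best_packer": best_packer,
        "choices": choices,
        "average_packer_evasion": 1 - mean(per_packer.values()) / n,
        "best_packer_evasion": 1 - per_packer[best_packer] / n,
        "polypack_evasion": 1 - mean(scan(s, choices[s]) for s in samples) / n,
        # Fraction of samples where the selected packer strictly out-evades
        # the best fixed packer (the abstract's "over 40%" style figure).
        "beats_best_packer": mean(
            scan(s, choices[s]) < scan(s, best_packer) for s in samples
        ),
    }


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k}: {v}")
```

Two practical caveats when reading numbers produced by a loop like this: the verdicts are a point-in-time snapshot of signature databases, so a packer chosen today can be detected tomorrow, and submitting samples to a public multi-engine scanning service generally shares them with the vendors, which is the opposite of what an evasion workflow wants; the abstract's design keeps the engines inside the service for that reason.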

Original language: English (US)
State: Published - 2009
Event: 3rd USENIX Workshop on Offensive Technologies, WOOT 2009 - Montreal, Canada
Duration: Aug 10 2009 → …

Conference

Conference: 3rd USENIX Workshop on Offensive Technologies, WOOT 2009
Country: Canada
City: Montreal
Period: 8/10/09 → …

ASJC Scopus subject areas

  • Hardware and Architecture
  • Information Systems
  • Software
  • Computer Networks and Communications


Cite this

Oberheide, J., Bailey, M., & Jahanian, F. (2009). PolyPack: An automated online packing service for optimal antivirus evasion. Paper presented at 3rd USENIX Workshop on Offensive Technologies, WOOT 2009, Montreal, Canada.