When Malware is Packin’ Heat

Wednesday, January 17, 2018 - 1:30 pm–2:00 pm

Giovanni Vigna, Professor, UCSB / CTO, Lastline; Davide Balzarotti, Professor at Eurecom Institute, France

Abstract: 

Malware uses packing and other forms of obfuscation in order to foil analysis by anti-virus systems. However, few realize that benign applications use packing and obfuscation as well, in order to protect intellectual property and prevent license abuse.

This talk will discuss how packing works and show, with experimental data, that many leading anti-virus products do not really determine whether programs are malicious or not, but only whether they are packed or not. This is a by-product of the (incorrect) pervasive use of machine learning and AI in malware detection, and it results in substantial false positives that plague the anti-virus community.

The inconvenient truth: unless the AV industry does better than detecting packers, we are doomed to live in a world in which good and bad programs are misclassified, causing pain to users and eventually resulting in alert fatigue and missed detections.
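To make the abstract's point concrete, here is an added toy example (not code from the talk or from the authors' work): a byte-entropy heuristic of the "is it packed?" kind, run over constructed benign and malicious samples. The 7.0 bits/byte threshold, the compress-then-XOR stand-in packer and the fake program bodies are all assumptions made for the illustration.

```python
import math
import random
import zlib

# Added illustration, not code from the talk: a toy "looks packed" heuristic of the
# kind the abstract criticises, applied to constructed benign and malicious samples.

PACKED_THRESHOLD = 7.0  # assumed cut-off in bits/byte; not any vendor's actual rule


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for compressed or encrypted bytes, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def looks_packed(data: bytes) -> bool:
    """The heuristic itself: high entropy is read as 'packed'. It says nothing about intent."""
    return shannon_entropy(data) >= PACKED_THRESHOLD


def pack(payload: bytes, seed: int = 1) -> bytes:
    """Stand-in for a packer: compress, then XOR with a seeded keystream (a real packer would
    also prepend an unpacking stub). The output looks random whatever the payload does."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(256) for b in zlib.compress(payload, 9))


def fake_program(sentence: str, seed: int, words: int = 1200) -> bytes:
    """Constructed stand-in for a program body: a label plus pseudo-random mnemonic filler."""
    rng = random.Random(seed)
    vocab = ["load", "store", "call", "ret", "push", "pop", "jmp", "cmp", "mov", "xor"]
    return (sentence + " " + " ".join(rng.choice(vocab) for _ in range(words))).encode()


BENIGN = fake_program("Licensed editor: saves documents.", seed=2)      # constructed sample
MALICIOUS = fake_program("Dropper: encrypts the user's files.", seed=3)  # constructed sample


def classify_all() -> dict:
    """Run the heuristic over plain and packed forms of both samples: it flags packedness,
    so the packed benign program and the packed malicious one get the same verdict."""
    samples = {
        "benign/plain": BENIGN,
        "benign/packed": pack(BENIGN),
        "malicious/plain": MALICIOUS,
        "malicious/packed": pack(MALICIOUS),
    }
    return {name: looks_packed(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, flagged in classify_all().items():
        print(f"{name:16} flagged={flagged}")
```

The plain malicious sample is missed and the packed benign one is flagged: exactly the false-positive and missed-detection pattern the abstract describes.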

The authors have recently performed a systematization of the behavior of packers (published in the IEEE Security and Privacy Symposium in 2015) and have now applied this analysis to a large corpus of real-world malware observed across thousands of corporate networks worldwide.

Giovanni Vigna, UCSB / CTO, Lastline

Giovanni Vigna is a Professor in the Department of Computer Science at the University of California, Santa Barbara, and the CTO at Lastline, Inc. His research interests include malware analysis, vulnerability assessment, the underground economy, binary analysis, web security, and mobile phone security. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna is also the founder of the Shellphish hacking group, which has participated in more DEF CON CTF competitions than any other group in history.

Davide Balzarotti, Professor at Eurecom Institute, France

Davide Balzarotti is a Professor in the Digital Security Department at Eurecom, on the French Riviera. His research interests cover most aspects of system security, in particular binary and malware analysis, reverse engineering, computer forensics, and web security. Davide is the program chair of ACSAC 2017 and previously chaired RAID 2012 and Eurosec 2014. Before joining Eurecom, Davide spent two years at UCSB as a postdoctoral researcher, where he took part in several Capture The Flag competitions and was one of the founding members of the Shellphish hacking group.


BibTeX
@inproceedings {208119,
author = {Giovanni Vigna and Davide Balzarotti},
title = {When Malware is {Packin{\textquoteright}} Heat},
booktitle = {Enigma 2018 (Enigma 2018)},
year = {2018},
address = {Santa Clara, CA},
url = {https://www.usenix.org/node/208120},
publisher = {USENIX Association},
month = jan
}
