When Malware is Packin’ Heat

Wednesday, January 17, 2018 - 1:30 pm2:00 pm

Giovanni Vigna, Professor, UCSB / CTO, Lastline; Davide Balzarotti, Professor at Eurecom Institute, France


Malware uses packing and other forms of obfuscation in order to foil analysis by anti-virus systems. However, few realize that benign applications use packing and obfuscation as well, in order to protect intellectual property and prevent license abuse.

This talk will discuss how packing works and show, with experimental data, that many leading anti-virus product do not really understand if programs are malicious or not, but only if they are packed or not. This is a by-product of the (incorrect) pervasive use of machine learning and AI in malware detection, and results in substantial false positives that plague the anti-virus community.

The inconvenient truth: unless the AV industry does better than detecting packers we are doomed to live in a world in which good and bad programs are misclassified, causing pain to the users, and eventually resulting in alert fatigue and missed detections.

The authors have recently performed a systematization of the behavior of packers (published in the IEEE Security and Privacy Symposium in 2015) and have now applied this analysis to a large corpus of real-world malware observed across thousands of corporate networks worldwide.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {208119,
author = {Giovanni Vigna and Davide Balzarotti},
title = {When Malware is Packin{\textquoteright} Heat},
booktitle = {Enigma 2018 (Enigma 2018)},
year = {2018},
address = {Santa Clara, CA},
url = {https://www.usenix.org/node/208120},
publisher = {{USENIX} Association},