System and method for unpacking packed executables for malware evaluation
Abstract
A system and method for determining whether a packed executable is malware is presented. In operation, a malware evaluator intercepts incoming data directed to a computer. The malware evaluator evaluates the incoming data to determine whether the incoming data is a packed executable. If the incoming data is a packed executable, the malware evaluator passes the packed executable to an unpacking module. The unpacking module includes a set of unpacker modules for unpacking a packed executable of a particular type. The unpacking module selects an unpacker module according to the type of the packed executable, and executes the selected unpacker module. Executing the unpacker module generates an unpacked executable corresponding to the packed executable. The unpacked executable is returned to the malware evaluator where it is evaluated to determine whether the packed executable is malware.
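The architecture in the abstract (and the extensible set of unpacker modules of claims 2 and 6) maps naturally onto a small registry-and-dispatch design. The following is an added example, not code from the patent or its assignee: two constructed toy packer formats (`ZPK1`, a zlib-compressed body with a length field, and `XOR1`, a single-byte XOR body) stand in for real packers, `UnpackingManager` is the unpacking module whose unpacker set can be extended or shrunk at run time, and `MalwareEvaluator` intercepts the input, unpacks it when a registered unpacker recognises it, and scans the result against a signature list. The signature `CONSTRUCTED-MALWARE-MARKER` is a constructed placeholder, not a real detection.

```python
"""Added example of the packed-executable evaluation pipeline; toy formats only."""
import struct
import zlib
from typing import Dict, List, Optional, Protocol


class Unpacker(Protocol):
    """One unpacker module: recognises and undoes one packer type."""
    packer_type: str

    def matches(self, data: bytes) -> bool: ...
    def unpack(self, data: bytes) -> bytes: ...


class ZlibUnpacker:
    """Constructed format 'ZPK1': magic, 4-byte LE original length, zlib body."""
    packer_type = "zpk1"
    MAGIC = b"ZPK1"

    def matches(self, data: bytes) -> bool:
        return data.startswith(self.MAGIC)

    def unpack(self, data: bytes) -> bytes:
        (length,) = struct.unpack_from("<I", data, len(self.MAGIC))
        body = zlib.decompress(data[len(self.MAGIC) + 4:])
        if len(body) != length:  # malformed header: refuse rather than scan garbage
            raise ValueError("length field does not match decompressed body")
        return body


class XorUnpacker:
    """Constructed format 'XOR1': magic, 1-byte key, body XORed with key."""
    packer_type = "xor1"
    MAGIC = b"XOR1"

    def matches(self, data: bytes) -> bool:
        return data.startswith(self.MAGIC)

    def unpack(self, data: bytes) -> bytes:
        key = data[len(self.MAGIC)]
        return bytes(b ^ key for b in data[len(self.MAGIC) + 1:])


class UnpackingManager:
    """The extensible unpacking module: unpacker modules keyed by packer type."""

    def __init__(self) -> None:
        self._unpackers: Dict[str, Unpacker] = {}

    def register(self, unpacker: Unpacker) -> None:
        self._unpackers[unpacker.packer_type] = unpacker

    def unregister(self, packer_type: str) -> None:
        self._unpackers.pop(packer_type, None)

    def identify(self, data: bytes) -> Optional[str]:
        """Packer type of `data`, or None if no registered module recognises it."""
        for packer_type, unpacker in self._unpackers.items():
            if unpacker.matches(data):
                return packer_type
        return None

    def unpack(self, data: bytes) -> bytes:
        packer_type = self.identify(data)
        if packer_type is None:
            raise ValueError("no unpacker module for this input")
        return self._unpackers[packer_type].unpack(data)


class MalwareEvaluator:
    """Intercepts incoming data, unpacks it if packed, and scans the result."""

    def __init__(self, manager: UnpackingManager, signatures: List[bytes]) -> None:
        self.manager = manager
        self.signatures = signatures

    def evaluate(self, data: bytes) -> dict:
        packer_type = self.manager.identify(data)
        scanned = self.manager.unpack(data) if packer_type else data
        return {
            "packed": packer_type is not None,
            "packer": packer_type,
            "malicious": any(sig in scanned for sig in self.signatures),
        }


# Constructed helpers that build sample inputs in the two toy formats.
def pack_zlib(payload: bytes) -> bytes:
    return ZlibUnpacker.MAGIC + struct.pack("<I", len(payload)) + zlib.compress(payload)


def pack_xor(payload: bytes, key: int) -> bytes:
    return XorUnpacker.MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


TEST_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"  # constructed placeholder signature


def build_evaluator() -> MalwareEvaluator:
    manager = UnpackingManager()
    manager.register(ZlibUnpacker())
    manager.register(XorUnpacker())
    return MalwareEvaluator(manager, [TEST_SIGNATURE])


if __name__ == "__main__":
    ev = build_evaluator()
    print(ev.evaluate(pack_zlib(b"payload " + TEST_SIGNATURE)))
    ev.manager.unregister("xor1")  # without the module the xor sample is opaque
    print(ev.evaluate(pack_xor(b"payload " + TEST_SIGNATURE, 0x5A)))
```

The last two lines of the `__main__` block show the property the claims are built around: once the `xor1` module is unregistered, the same sample is no longer recognised as packed, the raw bytes are scanned instead, and the signature is not found. Coverage of the evaluator is therefore bounded by the set of unpacker modules it can select from, which is why the set is made extensible.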
70 Citations
6 Claims
1. A system for determining whether a packed executable is malware, the system comprising:
a malware evaluator for determining whether incoming data is malware; and
an unpacking module that receives a packed executable from the malware evaluator and returns an unpacked executable corresponding to the packed executable;
wherein the malware evaluator, upon receiving incoming data, determines whether the incoming data is a packed executable, and if so, provides the packed executable to the unpacking module and receives from the unpacking module an unpacked executable, and determines whether the unpacked executable is malware.

2. A system for unpacking a packed executable for evaluation as malware, the system comprising:
a set of unpacker modules, the set of unpacker modules comprising at least one unpacker module and wherein each unpacker module corresponds to executable code for unpacking a particular type of packed executable; and
an unpacking manager, wherein the unpacking manager, upon obtaining a packed executable, selects an unpacker module from the set of unpacker modules to unpack the packed executable according to the type of the packed executable, and executes the selected unpacker module which generates an unpacked executable corresponding to the packed executable.
Dependent claims: 3.

4. A method for determining whether incoming data is malware, the method comprising:
intercepting incoming data directed to a computing device;
determining whether the incoming data is a packed executable; and
if the incoming data is a packed executable:
generating an unpacked executable, the unpacked executable corresponding to the packed executable; and
determining whether the packed executable is malware by evaluating whether the unpacked executable is malware.

5. A method for unpacking a packed executable for evaluation as malware, the method comprising:
obtaining a packed executable;
selecting an unpacker module from a set of unpacker modules operable to unpack the packed executable; and
executing the selected unpacker module, thereby generating an unpacked executable corresponding to the packed executable.

6. An extensible unpacking module for unpacking a packed executable for evaluation as malware, the system comprising:
a set of unpacker modules comprising at least one unpacker module, wherein each unpacker module corresponds to executable code for unpacking a packed executable of a particular type, wherein the set of unpacker modules is dynamically extensible such that unpacker modules may be selectively added to or removed from the set of unpacker modules; and
an unpacking manager, wherein the unpacking manager, upon obtaining a packed executable, selects an unpacker module from the set of unpacker modules to unpack the packed executable according to the type of the packed executable, and executes the selected unpacker module which generates an unpacked executable corresponding to the packed executable.
Specification