What is it about?

Packed malware samples are pervasive—they conceal arresting code features as unintelligible data to evade detection. This paper looks into the limitations of existing packer detection signatures and presents a novel automatic YARA rule generation technique, called PackGenome.

Why is it important?

After examining publicly available packer detection rules, we find that the existing human-written rules are confronted with the following three problems: (i) The cost of manually writing and maintaining rules is becoming unaffordable. (ii) The development of packer rules relies heavily on human analysts' experience. (iii) Packer rules produce high false positives caused by matching unexpected instructions. In this paper, we aim to mitigate the above problems by proposing PackGenome, an automatic YARA rule generation technique to advance packer detection. PackGenome is inspired by the biological fact that species-specific genes make humans different from chimpanzees. PackGenome creates rules from packer-specific genes, which are the instructions that distinguish packed programs from non-packed programs. Furthermore, we propose the first model to systematically evaluate the mismatch probability of byte rules. Our large-scale experiments show that PackGenome outperforms existing human-written rules and peer tools with zero false negatives, low false positives, and a negligible increase in scanning overhead.
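To make the "packer-specific gene" idea concrete, the following is an added example written for this summary; it is not PackGenome's code and does not reproduce the paper's algorithms. It takes constructed byte samples (an invented 18-byte stub embedded in three "packed" samples, plus four "clean" samples of pseudo-random bytes), keeps the byte n-grams that occur in every packed sample and in no clean sample, merges overlapping n-grams back into a contiguous run, emits that run as a YARA hex string, and then estimates how often such a pattern would match a file by chance. The mismatch estimate uses a deliberately simple independence model over byte frequencies, an assumption made here for illustration rather than the paper's model, but it is enough to show why short patterns, or patterns built from common bytes such as zero padding, are the ones that produce false positives.

```python
"""Illustration of packer-gene YARA rule generation on constructed data.
Not PackGenome's algorithm: a toy n-gram intersection plus a crude
independence model for mismatch probability."""
import math
import random


def _filler(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for sample-specific data."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


# Constructed 18-byte "unpacking stub" shared by every packed sample. The
# bytes are placeholders chosen for this example, not a real packer's stub.
STUB = bytes.fromhex("60 be 00 10 40 00 8d be 00 00 c0 ff 57 83 cd ff eb 10")
PACKED_SAMPLES = [b"MZ" + _filler(s, 30) + STUB + _filler(s + 100, 60) for s in range(3)]
CLEAN_SAMPLES = [b"MZ" + _filler(s, 120) for s in range(10, 14)]


def byte_ngrams(data: bytes, n: int) -> set:
    """All overlapping n-byte substrings of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def packer_specific_genes(packed, clean, n: int = 8):
    """n-grams present in every packed sample and absent from every clean sample."""
    shared = set.intersection(*(byte_ngrams(p, n) for p in packed))
    clean_grams = set().union(*(byte_ngrams(c, n) for c in clean))
    return sorted(shared - clean_grams)


def merge_genes(sample: bytes, genes, n: int):
    """Coalesce overlapping gene n-grams into maximal contiguous byte runs,
    walking one packed sample to recover their order and adjacency."""
    gene_set, runs, start, end = set(genes), [], None, 0
    for i in range(len(sample) - n + 1):
        if sample[i:i + n] in gene_set:
            if start is None:
                start = i
            end = i + n
        elif start is not None:
            runs.append(sample[start:end])
            start = None
    if start is not None:
        runs.append(sample[start:end])
    return runs


def to_yara(rule_name: str, genes) -> str:
    """Render the merged genes as hex strings inside a YARA rule."""
    strings = "\n".join(f"        $gene{i} = {{ {g.hex(' ').upper()} }}"
                        for i, g in enumerate(genes))
    return (f"rule {rule_name}\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        uint16(0) == 0x5A4D and all of them\n}}\n")


def mismatch_probability(pattern: bytes, scan_len: int, byte_freq=None) -> float:
    """Probability that a file of scan_len bytes contains `pattern` by chance,
    treating byte positions as independent draws (uniform unless byte_freq,
    a 256-entry probability list, is given). A simple model chosen for this
    example, not the paper's; computed via log1p/expm1 to avoid underflow."""
    per_position = 1.0
    for b in pattern:
        per_position *= byte_freq[b] if byte_freq else 1 / 256
    positions = max(scan_len - len(pattern) + 1, 0)
    return -math.expm1(positions * math.log1p(-per_position))


def build_rule(packed=PACKED_SAMPLES, clean=CLEAN_SAMPLES, n: int = 8):
    """Full pipeline: genes -> merged runs -> YARA rule text."""
    genes = merge_genes(packed[0], packer_specific_genes(packed, clean, n), n)
    return genes, to_yara("constructed_packer_stub", genes)


if __name__ == "__main__":
    genes, rule = build_rule()
    print(rule)
    # Constructed byte distribution: 30% zero bytes, the remainder uniform.
    skewed = [0.3] + [0.7 / 255] * 255
    for label, pat in (("stub gene", genes[0]), ("four zero bytes", b"\x00" * 4)):
        print(f"{label}: uniform={mismatch_probability(pat, 10_000_000):.3g} "
              f"skewed={mismatch_probability(pat, 10_000_000, skewed):.3g}")
```

Running the script prints a rule whose single hex string is the 18-byte stub, and the two probability lines make the paper's concern visible: a four-byte gene made of zeros already matches a 10 MB file with a few-per-thousand chance under a uniform byte model and is near-certain to match once zero bytes are as common as they are in real executables, whereas the full stub is effectively never matched by accident.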

This page is a summary of: PackGenome: Automatically Generating Robust YARA Rules for Accurate Malware Packer Detection, November 2023, ACM (Association for Computing Machinery), DOI: 10.1145/3576915.3616625.
