New Research Paper: Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem

Detection of malware is a constant battle between the technologies designed to detect and prevent malware and the authors who write it. One common technique adversaries use is packing binaries. Packing an executable is similar to applying compression or encryption, and it can prevent some technologies from detecting the packed malware. High entropy is traditionally a tell-tale sign of a packer, but many malware analysts have probably encountered low-entropy packers more than once. Numerous popular tools (e.g., PEiD, Manalyze, Detect It Easy), malware-related courses, and even reference books on the topic affirm that packed malware often shows high entropy. As a consequence, many researchers use this heuristic in their analysis routines. It is also well known that the tools typically used to detect packers are based on signature matching, sometimes combined with other heuristics, but again the results are not completely faithful, as many of the signatures in circulation are prone to false positives.
[Armadillo v1.71]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1
ep_only = false

This signature can be found in many packer signature databases available online, and is responsible for many false positives (e.g. 7z.exe, a commonly used tool, is flagged as being packed by Armadillo). This imprecision has many consequences on malware-related systems and studies:

- Sample ingestion pipelines often rely on static data, which is not reliable if a sample is packed.
- Machine learning based classifiers need to be trained with a solid source of ground truth. Polluted datasets negatively affect the reliability and performance ..
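The two weaknesses described above, loose byte signatures and the "high entropy means packed" rule of thumb, can both be reproduced in a few lines. The script below is an added example written for this page; it is not code from the paper, from PEiD, or from any of the tools named above. It parses the Armadillo signature quoted above in PEiD's text format (hex bytes with `??` wildcards, plus an `ep_only` switch), runs it against a constructed byte buffer, and computes per-buffer Shannon entropy. The buffer `PLAIN_PROLOGUE` is an assumption: it is a hand-assembled copy of the ordinary compiler-generated SEH function prologue that this signature also matches, not bytes taken from 7z.exe or any other binary. `hex_expand` is a deliberately trivial stand-in for a low-entropy encoding, used only to show that an encoder with a small output alphabet keeps entropy well below the 8-bit maximum.

```python
import math
import random
import re
from typing import List, Optional

# The Armadillo signature quoted above, in PEiD's text format:
# space-separated hex bytes, "??" is a wildcard that matches any byte.
ARMADILLO_SIG = "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1"

# Constructed sample, not taken from any real binary: the classic
# compiler-generated SEH function prologue
#   push ebp / mov ebp,esp / push -1 / push imm32 / push imm32 / mov eax,fs:[0]
# followed by a few filler instructions. The immediates are arbitrary.
# Ordinary unpacked programs start functions this way, which is why the
# signature above produces false positives.
PLAIN_PROLOGUE = bytes.fromhex(
    "55 8B EC 6A FF 68 10 20 40 00 68 A0 10 40 00 64 A1 00 00 00 00 "
    "50 64 89 25 00 00 00 00 83 EC 10 53 56 57"
)


def parse_signature(sig: str) -> List[Optional[int]]:
    """Parse 'AA BB ?? CC' into byte values; None stands for a wildcard."""
    pattern: List[Optional[int]] = []
    for tok in sig.split():
        if tok == "??":
            pattern.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    return pattern


def _match_at(data: bytes, pattern: List[Optional[int]], offset: int) -> bool:
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def find_signature(data: bytes, sig: str, ep_only: bool, entry_point: int = 0) -> Optional[int]:
    """Return the offset of the first match, or None.

    ep_only=True mirrors PEiD's ep_only flag: only the entry point is tested.
    ep_only=False scans the whole buffer, which multiplies the chances that a
    loose signature hits unrelated code.
    """
    pattern = parse_signature(sig)
    if ep_only:
        return entry_point if _match_at(data, pattern, entry_point) else None
    for off in range(len(data) - len(pattern) + 1):
        if _match_at(data, pattern, off):
            return off
    return None


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, between 0.0 and 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def hex_expand(data: bytes) -> bytes:
    """Toy low-entropy encoding: spread every byte over two ASCII hex digits.

    The output uses only 16 distinct byte values, so its entropy can never
    exceed 4 bits per byte, whatever the entropy of the input. This is the
    simplest illustration of why "packed implies high entropy" is a heuristic
    and not a rule.
    """
    return data.hex().encode("ascii")


def demo() -> dict:
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    # Stands in for a compressed or encrypted section (uniformly random bytes).
    compressed_like = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "armadillo_hit_offset": find_signature(PLAIN_PROLOGUE, ARMADILLO_SIG, ep_only=False),
        "armadillo_hit_at_ep": find_signature(PLAIN_PROLOGUE, ARMADILLO_SIG, ep_only=True),
        "entropy_plain_prologue": shannon_entropy(PLAIN_PROLOGUE),
        "entropy_compressed_like": shannon_entropy(compressed_like),
        "entropy_hex_expanded": shannon_entropy(hex_expand(compressed_like)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the signature matching at offset 0 of the plain prologue in both `ep_only` modes, the random buffer scoring close to 8 bits per byte, and the same bytes after `hex_expand` scoring at most 4 bits per byte. A pipeline that trusts either signal alone will mislabel samples in both directions: signature checks flag unpacked compiler output, and an entropy threshold misses anything whose packer keeps its output alphabet small. The two measurements are cheap to combine with other evidence (section names and permissions, import table size, entry point location), which is the direction the paper's argument points.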
