Polish Information Processing Society

Annals of Computer Science and Information Systems, Volume 18

Proceedings of the 2019 Federated Conference on Computer Science and Information Systems

Malicious and Harmless Software in the Domain of System Utilities

DOI: http://dx.doi.org/10.15439/2019F244

Citation: Proceedings of the 2019 Federated Conference on Computer Science and Information Systems, M. Ganzha, L. Maciaszek, M. Paprzycki (eds). ACSIS, Vol. 18, pages 237–246


Abstract. Malware research often focuses on the behaviour and features of malicious samples that stand out the most. However, our previous research showed that some features typical of malware may occur in harmless software as well. That finding led us to direct more attention towards harmless samples and towards more detailed comparisons of the properties of malware and harmless software. To eliminate variables that may influence the results, we narrowed our study to a specific software domain: system maintenance and utility tools. We analysed 100 malicious and 100 harmless samples from this domain and statistically evaluated how they differ with regard to packing, program sections and their entropies, and the amount of code outside common sections; we also looked at differences in behaviour from a high-level view.

