Because many existing antivirus technologies detect malicious programs (“malware”) by detecting or identifying unique digital signatures associated with known-malicious programs, malware authors have attempted to proliferate malware by generating thousands or potentially millions of unique variations of the same malicious program. Often, malware authors create a unique variation of a malicious program by packing (e.g., compressing, encrypting, and/or otherwise obfuscating) the malicious program within a new program (referred to as a “packed program”). When the packed program is executed, additional code within the packed program may unpack (e.g., decompress and/or decrypt) and then execute the obfuscated malicious program.
Unfortunately, this packing process may enable a malicious program to evade detection by existing antivirus technologies. Such technologies may be unable to identify the packed programs within which the malicious program has been obfuscated until security system vendors update their signature databases to include digital signatures for each unique packed program. Accordingly, the instant disclosure identifies a need for additional and improved systems and methods for detecting malicious programs obfuscated within packed programs.
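The detection gap described above can be reproduced with a signature lookup run over constructed data. This is an added example, not code from the disclosure. It assumes a "digital signature" is modeled as a SHA-256 digest of the file, and the `pack`/`unpack` pair is a hypothetical toy transform (compress plus one-byte XOR) applied to harmless bytes.

```python
import hashlib
import zlib

# Constructed stand-in for a known-malicious program: harmless bytes only.
KNOWN_PROGRAM = b"CONSTRUCTED-SAMPLE-PROGRAM " * 8


def signature(data: bytes) -> str:
    """Assumption: a signature is the SHA-256 digest of the whole file."""
    return hashlib.sha256(data).hexdigest()


def pack(program: bytes, key: int) -> bytes:
    """Toy packer (hypothetical): compress, XOR with `key`, store key in byte 0."""
    return bytes([key]) + bytes(b ^ key for b in zlib.compress(program))


def unpack(packed: bytes) -> bytes:
    """Reverse of pack(): what the packed program's own stub does at run time."""
    key = packed[0]
    return zlib.decompress(bytes(b ^ key for b in packed[1:]))


def scan(data: bytes, signature_db: set) -> bool:
    """Signature-based detection: flag the file only if its digest is known."""
    return signature(data) in signature_db


def demo() -> dict:
    db = {signature(KNOWN_PROGRAM)}  # vendor knows only the original program
    variants = [pack(KNOWN_PROGRAM, k) for k in (0x11, 0x22, 0x33)]
    result = {
        "original_detected": scan(KNOWN_PROGRAM, db),
        # Every packed variant has a different digest, so each one is missed.
        "variants_detected": [scan(v, db) for v in variants],
        "distinct_signatures": len({signature(v) for v in variants}),
        # The obfuscated content is unchanged: scanning it after unpacking matches.
        "unpacked_detected": [scan(unpack(v), db) for v in variants],
    }
    # Vendor update: one new signature per unique packed program seen so far.
    db |= {signature(v) for v in variants}
    result["variants_detected_after_update"] = [scan(v, db) for v in variants]
    # A variant produced after the update is missed again.
    result["new_variant_detected"] = scan(pack(KNOWN_PROGRAM, 0x44), db)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
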