1 / 13

Standards and Policies on Packer Use

Samir Mody ( Sophos /K7Computing) Igor Muttik (McAfee) Peter Ferrie (Microsoft). Standards and Policies on Packer Use. High-level Purpose. Reduce impact of legitimate packers in malware Improve identification of custom packers. Security Vendor Checklist for Packed Files. Check:.

adie
Download Presentation

Standards and Policies on Packer Use

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SamirMody (Sophos/K7Computing) Igor Muttik (McAfee) Peter Ferrie (Microsoft) Standards and Policies on Packer Use

  2. High-level Purpose • Reduce impact of legitimate packers in malware • Improve identification of custom packers

  3. Security Vendor Checklist for Packed Files Check: Digitalsignature Packer family Packer prevalence (malware vs clean) License key (alias “taggant” or “watermark”) information Packer properties

  4. Learn Your ABCDs Alice Packer vendor Carol AV vendor sell sell • Bob • Packer user • AV user • Victim of malware  Dave Bad boy malware author oops

  5. Taggants and Watermarks What? • Taggant: cryptographically encrypted data based on PKI • Watermark: encoded data permeating a file • Both specify packer family, unique packer license ID, and potentially more Why? • Allows blacklisting abused legitimate packers without the need to unpack

  6. IEEE ICSG Taggant Initiative • AV industry-packer vendor partnership • AV members: AVG , CSIS SecurityGroup A/S, Damballa, ESET, IBM, K7Computing, Marvell Semiconductor, McAfee Inc., Microsoft Corporation, NovaShield, Palo Alto Networks, Panda Security, Sophos Plc, Symantec Corporation, Trend Micro Inc., Veszprog • Packer partners: Enigma,Obsidium, Oreans (Themida), VMPSoft (VMProtect)

  7. IEEE ICSG Taggant System Continued • Sponsored technical infrastructure • Cryptographically secure (PKI) • No need to unpack • Compatible with digital signatures • Sponsored administrative infrastructure • Managed by IEEE • Issuing and maintaining records of credentials • Addressing queries and issues

  8. Packer Properties • Superset of individual packer characteristics • Potential overlaps of shared characteristics between properties

  9. Packers on Trial • Combinations of packer properties may be grounds for suspicion • Suspicious packing applications may be grounds for suspicion of the packer • Status of packers depends on: • Properties of the packer • Extent of cooperation of packer vendor • Prevalence of packer in legitimate applications • AV vendor’s client base and individual security policy • AV industry may actively promote well-behaved packers

  10. Salient Points • Need more comprehensive and concerted policy to deal with packer problem • Can use digital signatures, taggants, watermarks and packer properties in decision logic on packer status • IEEE ICSG taggant system potential • Need cooperation of packer vendors, free packer authors and the general public

  11. Queries

  12. What about Free Packers? • Difficult to blacklist outright due to high volume • However, in general free packers are not as complex as commercial ones, i.e. most AV solutions are likely to be able to unravel free packer layers to peek inside • Nevertheless, the IEEE ICSG scheme does incorporate a solution to accommodate applying taggants for open source or freely available packers

  13. Examples of Packer Properties • Polymorphic code • Non-standard use of APIs • Unusual structural features • Unnecessary use of unusual instructions • Unnecessary branching into the middle of another instruction • Destruction of target data • Impersonation of another packer • Unusual transfer of execution control

More Related