Blacklisting packers

Vitaly Zaytsev, Microsoft, USA


In recent years, the number of malware variants has exploded. Malware authors demonstrate technical evolution by changing their tactics and shifting from the use of polymorphic engines to custom obfuscation tools and commercial software protection systems, known as packers. More and more malware is getting packed, and some with lesser-known, previously used or entirely new types of packers. AV engines use different approaches to detect packed malware: static unpacking, emulation, dynamic translation, run-time behaviour analysis and so on. But the question of whether dynamic code analysis is the only acceptable way to detect malicious files is still open.


The blacklisting of packers by different AV products is already a reality. In this paper, I will discuss the advantages and disadvantages of this approach and possible criteria for packer detection, demonstrate intentional, undocumented features hidden in two popular commercial packers that are traditionally hard to unpack, and try to answer the following questions:

  • Do we really need to unpack, emulate or execute packed malware samples in order to say whether they are malicious or not?
  • Is it possible to implement generic malware detection based on hidden features in commercial packers?
  • Is there a way the security community can work with software protection companies to develop better ways of validating legitimate applications (and potentially filtering out malicious ones)?
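The abstract above mentions static criteria for packer detection without naming any. As an added illustration (this is not code from the paper, and the packers discussed in it are not modelled here), the following Python snippet applies three generic static indicators to a PE section table: high per-section Shannon entropy, an empty writable-and-executable section that an unpacking stub would fill at run time, and a non-standard section name. The PE builder, the two sample binaries, the entropy threshold of 7.0 bits per byte and the "two or more indicators" rule are all assumptions chosen for the example.

```python
import hashlib
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names commonly emitted by mainstream compilers/linkers (example list, not exhaustive).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls"}
ENTROPY_THRESHOLD = 7.0  # assumed cut-off: compressed/encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "characteristics": chars,
            "data": pe[rawptr:rawptr + rawsize],
        })
    return sections


def packer_indicators(pe: bytes):
    """Return the list of static packer indicators found in the section table."""
    indicators = []
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in parse_sections(pe):
        ent = shannon_entropy(s["data"])
        if s["raw_size"] and ent > ENTROPY_THRESHOLD:
            indicators.append(f"high entropy ({ent:.2f}) in section {s['name']!r}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and (s["characteristics"] & rwx) == rwx:
            indicators.append(f"empty writable+executable section {s['name']!r} (likely unpack target)")
        if s["name"] not in STANDARD_SECTIONS:
            indicators.append(f"non-standard section name {s['name']!r}")
    return indicators


def looks_packed(pe: bytes) -> bool:
    """Assumed decision rule: two or more independent indicators."""
    return len(packer_indicators(pe)) >= 2


def build_sample(sections) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with an empty
    optional header, a section table, then raw section data from offset 0x200."""
    raw_ptr, table, blobs = 0x200, b"", b""
    for name, vsize, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, len(data),
                             raw_ptr if data else 0, 0, 0, 0, 0, chars)
        blobs += data
        raw_ptr += len(data)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    return (dos + b"PE\0\0" + coff + table).ljust(0x200, b"\0") + blobs


# Constructed inputs: 4 KiB of SHA-256 output stands in for a compressed payload.
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED_SAMPLE = build_sample([
    (".text", 0x20000, b"", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("pk1", 0x2000, PSEUDO_RANDOM, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
BENIGN_SAMPLE = build_sample([
    (".text", 0x400, b"\x55\x8b\xec\x90\xc3" * 200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x100, b"\0" * 256, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, looks_packed(sample), packer_indicators(sample))
```

The limitation of these criteria is exactly the blacklisting dilemma the abstract raises: a legitimate installer or a binary embedding compressed resources trips the same entropy and section-name heuristics as packed malware, so such indicators are better treated as a prioritisation signal for deeper (emulation or run-time) analysis than as a verdict on their own.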