B00ze/Empire wrote:
> Detecting a file as a virus
Virus? Or malware in general?
> because of the packer used is pretty lame ...
Yet it's clear by these and other papers that the AV/AM industry relies
heavily on packer characterization as a primary method of malware
detection.
===============
A Study of the Packer Problem and Its Solutions
Fanglu Guo, Peter Ferrie, Tzi-cker Chiueh
Symantec Research Laboratories
(circa 2008)
Abstract. An increasing percentage of malware programs distributed in
the wild are packed by packers, which are programs that transform an
input binary's appearance without affecting its execution semantics, to
create new malware variants that can evade signature-based malware
detection tools. This paper reports the results of a comprehensive study
of the extent of the packer problem based on data collected at Symantec
and the effectiveness of existing solutions to this problem. Then the
paper presents a generic unpacking solution called Justin (Just-In-Time
AV scanning), which is designed to detect the end of unpacking of a
packed binary's run and invoke AV scanning against the process image at
that time. For accurate end-to-unpacking detection, Justin incorporates
the following heuristics: Dirty Page Execution, Unpacker Memory
Avoidance, Stack Pointer Check and Command-Line Argument Access.
Empirical testing shows that when compared with SymPack, which contains
a set of manually created unpackers for a collection of selective
packers, Justin's effectiveness is comparable to SymPack for those
binaries packed by these supported packers, and is much better than
SymPack for binaries packed by those that SymPack does not support.
The number of known packers, both good and bad, is also hard to measure
accurately. Symantec has collected a large number of packers - more than
2000 variants in more than 200 families. Among them, Symantec currently
can identify the unpacker code in nearly 1200 packers spread among
approximately 150 families. However, among the 150 packer families
Symantec knows about, it only has the packer code for about 110 of them,
which contain approximately 800 members. This means that Symantec has a
backlog of approximately 1200 members in 90 families, and this number
increases day by day.
Without doubt, UPX [9] remains the most widely used packer. The rest of
the list depends on how files are collected, but it always includes the
old favourites like ASPack [1], FSG [2], and UPack [4]. In addition to
those known packers, analysis of the above randomly sampled file set
revealed at least 30 previously unknown packers. Some were minor
variations of known packers, but most were custom packers. Amazingly,
some of the clean files were packed with these custom packers
http://www.ecsl.cs.sunysb.edu/tr/TR237.pdf
===================
One packer to rule them all:
Empirical identification, comparison and circumvention of current
Antivirus detection techniques
Arne Swinnen
Alaeddine Mesbahi
(circa April 2014 ?)
Abstract
Lately, many popular Antivirus solutions claim to be the most
effective against unknown and obfuscated malware. Most of these
solutions are rather vague about how they supposedly achieve this goal,
making it hard for end-users to evaluate and compare the effectiveness
of the different products on the market. This whitepaper presents
empirically discovered results on the various implementations of these
methods per solution, which reveal that some Antivirus solutions have
more mature methods to detect x86 malware than others, but all of them
are lagging behind when it comes to x64 malware. In general, at most
three stages were identified in the detection process: Static detection,
Code Emulation detection (before execution) and Runtime detection
(during execution). New generic evasion techniques are presented for
each of these stages.
These techniques were implemented by an advanced, dedicated packer,
which is an approach commonly taken by malware developers to evade
detection of their malicious toolset. Two brand new packing methods were
developed for this cause. By combining several evasion techniques,
real-world malicious executables with a high detection rate were
rendered completely undetected to the prying eyes of Antivirus
products.
In order to identify the product-specific detection techniques, an
onion layer evasion approach was taken: first, static detection evasion
was circumvented by implementing our own undetected dedicated packer,
which uses two brand new techniques to evade common packer Antivirus
detection. Its design is presented in Section 2. The packer's special
design allowed detection, comparison and circumvention of the different
detection techniques of Antivirus products. These results are presented
in Section 3.
The following Antivirus products were subject to the presented research:
McAfee Antivirus Plus 2014
Norton Antivirus
Microsoft Security Essentials
Kaspersky Antivirus 2014
F-Secure Antivirus 2014
Sophos Endpoint Security 10.3
AVG Antivirus 2014
Avast! Pro Antivirus 2014
ESET NOD32 Antivirus 7
Qihoo 360 Internet Security
BitDefender Antivirus Plus
Trend Micro Titanium Antivirus+
Conclusion
During this research, the various detection techniques of current
popular Antivirus solutions were examined (Static-based, Emulation-based
and Runtime-based); New bypass techniques were developed and empirically
verified with regard to their effectiveness.
Two new methods of packing executables were developed, one of which
turned out to be very efficient in evading all current Antivirus
products without the use of emulation, which is the 'Resource packer'.
A myriad of anti-emulation checks were implemented and tested
demonstrating the capacity to bypass all the existing engines, while
also demonstrating the robustness and efficiency of this protection
measure in detecting new and evolving threats.
Venues on bypassing Runtime-based detection were explored, but still
require further testing to evaluate their effectiveness, which is also
probably more adapted for sandbox-based analysis than for Antivirus
solutions, as these solutions can spend more resources on detection
techniques.
The introduction of cloud based scanning using dedicated analysis
resources, leveraging advanced approaches to analyzing malware, like
machine learning, and the spring of new products using a sandbox-based
approach, represent a promising advancement to a better detection of
unknown new threats and known evolving ones.
It is however clear that for the moment, a bullet proof Antivirus
solution is still yet to come despite the significant advances that some
of these solutions have made. The very high number of new threats
appearing each day and the ease with which a PE file can be modified
makes a Static-based approach un-adapted and outdated for current
threats. Emulation-based detection techniques are a very powerful
approach, but have to deal with performance and complexity issues in
order to create a completely undetectable environment, and this without
going philosophical and mentioning Schrödinger's cat and how an action
of testing or measuring will undoubtedly change it, making it always
detectable.
Some Antiviruses did however come a long way and are undoubtedly an
important layer of protection in the security landscape of any
environment; they are however not sufficient, nor will they ever be.
https://www.blackhat.com/docs/us-14/materials/us-14-Mesbahi-One-Packer-To-Rule-Them-All-WP.pdf
===============================
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
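As an added illustration of the end-of-unpacking detection idea in the Symantec abstract above (this is not code from the paper or from Justin itself, only a simplified model of two of its named heuristics): the detector replays a constructed memory trace, marks every page written at runtime as dirty, and treats the first execution of a dirty page as the candidate point where the packed binary has finished unpacking and an AV scan of the process image should be taken. The combination with the Stack Pointer Check (requiring ESP to be back at its entry value, which filters a stub calling its own freshly written helper) is an assumption about how the heuristics fit together; Unpacker Memory Avoidance and Command-Line Argument Access are not modelled.

```python
# Simplified Justin-style end-of-unpacking detector (added example, not the
# paper's code). Trace events are constructed tuples: (event, address, esp).
PAGE_SIZE = 0x1000

def page_of(addr):
    return addr // PAGE_SIZE

def find_unpack_end(trace, initial_esp, require_esp_reset=True):
    """Return (event_index, address) of the first execution that lands on a
    page previously written at runtime ("Dirty Page Execution"), optionally
    only when ESP equals its value at program entry ("Stack Pointer Check",
    assumed here to gate the dirty-page trigger). Returns None if no such
    point exists in the trace, i.e. the binary never appeared to unpack."""
    dirty = set()
    for i, (event, addr, esp) in enumerate(trace):
        page = page_of(addr)
        if event == "write":
            dirty.add(page)           # page modified after load: candidate OEP region
        elif event == "exec" and page in dirty:
            if not require_esp_reset or esp == initial_esp:
                return i, addr        # here the AV scan of the image would run
    return None

# Constructed trace of a packed program: a stub at 0x401000 decompresses the
# original code into 0x402000/0x403000, briefly executes a helper it just
# wrote (ESP still lowered by the call), then jumps to the real entry point
# with ESP restored to its value at process entry.
INITIAL_ESP = 0x12FF80
TRACE = [
    ("exec",  0x401000, 0x12FF80),   # packer stub entry
    ("write", 0x402010, 0x12FF70),   # writing unpacked code, page 0x402
    ("write", 0x402800, 0x12FF70),
    ("write", 0x403100, 0x12FF70),   # writing a helper, page 0x403
    ("exec",  0x401040, 0x12FF70),   # still inside the stub
    ("exec",  0x403100, 0x12FF70),   # stub calls its freshly written helper
    ("exec",  0x401080, 0x12FF70),
    ("exec",  0x402010, 0x12FF80),   # transfer to original entry point
    ("exec",  0x402020, 0x12FF7C),
]

if __name__ == "__main__":
    print("dirty-page only     :", find_unpack_end(TRACE, INITIAL_ESP, False))
    print("with ESP check      :", find_unpack_end(TRACE, INITIAL_ESP))
```

Without the stack pointer condition the detector fires early on the helper call at index 5; with it, the scan point is the true transfer at index 7, which is the false-positive reduction the heuristic is meant to give.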