Virus Guy wrote in
news:m319ak$kuh$1@speranza.aioe.org:
>> because of the packer used is pretty lame ...
>
> Yet it's clear by these and other papers that the AV/AM industry
> relies heavily on packer characterization as a primary method of
> malware detection.
It can be considered a heuristic activity if the packer isn't known
to be used for mainstream, but is used for protecting malware. Some
packers are only developed for that purpose. I have no issue with
software that locks onto them.
It's likely the software is protecting your box from an unknown
malware sample if it sees a packer that's primarily known for malware
sample protection and isn't used by the majority of legit software
authors. It'll be rare that you find some oddball packer on a legit
program these days. Most authors already know the packer isn't going
to stop somebody who's seriously wanting to reverse engineer your
proggy.
> were custom packers. Amazingly, some of the clean files were packed
> with these custom packers
See? Even in 2008 it was already rare that you'd find a clean file
(legit file) packed with a custom packer.
> One packer to rule them all:
No such critter. Originally, packing served another legitimate
purpose. To try and prevent your software from being reverse
engineered. Hell, I helped beta test protexcm years ago. Excellent
program; it would set off many heuristic alarms though. [g]
> These techniques were implemented by an advanced, dedicated
> packer, which is an approach commonly taken by malware developers
> to evade detection of their malicious toolset. Two brand new
> packing methods were developed for this cause. By combining
> several evasion techniques, real-world malicious executables with
> a high detection rate were rendered completely undetected to the
> prying eyes of Antivirus products.
Ayep.
> Two new methods of packing executables were developed, one of
> which turned out to be very efficient in evading all current
> Antivirus products without the use of emulation, which is the
> 'Resource packer'. A myriad of anti-emulation checks were
> implemented and tested demonstrating the capacity to bypass all
> the existing engines, while also demonstrating the robustness and
> efficiency of this protection measure in detecting new and
> evolving threats.
This isn't a new method. The author is stealing the work from vxers
and crackers of days long gone by. Resource packing isn't HIS work
here, people.
> It is however clear that for the moment, a bullet proof Antivirus
> solution is still yet to come despite the significant advances
> that some of these solutions have made.
"Yet to come" is false hope. :)
--
If you can read this, Thank a teacher.
If you're reading it in english, Thank a soldier!
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
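The "locks onto them" heuristic discussed above (an AV flagging a file because it carries the fingerprints of a packer that legit authors rarely use) is easy to sketch as a static check. The following is an added example, not code from the post, from the quoted paper, or from any AV product: it walks the PE section table, matches section names against a small list of packer-associated names, and measures Shannon entropy of each section's raw bytes, since compressed or encrypted payloads sit near 8 bits per byte. The name list and the 7.0 entropy threshold are assumptions chosen for illustration, and the two input files are constructed PE-shaped buffers, not real binaries.

```python
import hashlib
import math
import struct

# Section names commonly left behind by packers/protectors. Illustrative list
# (an assumption of this example); a name match is a heuristic, not proof.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2",
    ".aspack", ".adata",
    ".petite",
    ".MPRESS1", ".MPRESS2",
    ".vmp0", ".vmp1",
    ".themida",
}
ENTROPY_THRESHOLD = 7.0   # bits per byte; assumed cut-off for "looks compressed/encrypted"
MIN_SECTION_BYTES = 256   # tiny sections give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(section_name, raw_bytes), ...] from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt                 # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(pe: bytes) -> dict:
    """Score a PE on packer section names and high-entropy sections."""
    findings = {"packer_sections": [], "high_entropy_sections": []}
    for name, data in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            findings["packer_sections"].append(name)
        if len(data) >= MIN_SECTION_BYTES and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            findings["high_entropy_sections"].append(name)
    findings["suspicious"] = bool(findings["packer_sections"] or findings["high_entropy_sections"])
    return findings


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE-shaped buffer (constructed test input, not a real program)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew -> PE signature right after DOS header
    size_opt = 0                                  # no optional header needed for this parser
    hdr_end = 64 + 4 + 20 + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF          # first section raw data on a 512-byte boundary
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0)
    table, blobs = bytearray(), bytearray()
    for name, data in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(table)
    return image.ljust(len(image) + (-len(image)) % 512, b"\0") + bytes(blobs)


def pseudo_random(n: int, seed: bytes = b"packed") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(out[:n])


# Constructed samples: one with UPX-style sections and a compressed-looking body,
# one with ordinary section names and low-entropy contents.
PACKED_SAMPLE = build_sample_pe([("UPX0", b"\0" * 512), ("UPX1", pseudo_random(4096))])
PLAIN_SAMPLE = build_sample_pe([(".text", bytes(range(32)) * 128), (".data", b"A" * 1024)])

if __name__ == "__main__":
    print("packed:", packer_indicators(PACKED_SAMPLE))
    print("plain: ", packer_indicators(PLAIN_SAMPLE))
```

Both signals are deliberately cheap and deliberately fallible: a renamed section defeats the name match, and installers or media-heavy programs legitimately carry high-entropy sections, which is exactly why a product that "locks onto" packers raises false alarms on protected legit software like the one mentioned above. A real engine would weigh these indicators alongside imports, entry-point location and emulation results rather than act on either alone.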