8/24/2017 03:21 PM
Giovanni Vigna
News Analysis-Security Now

Unpacking Packed Malware

Executable compression is a common technique for hiding malware. The question is, what can you do to unpack the threat?

Executable compression, a.k.a. “packing,” is a means of compressing an executable file and combining the compressed data with decompression code into a single executable.

Throughout the years, anti-malware vendors have educated their users about polymorphic malware that uses packing applications to repackage itself frequently (ideally every time it gets distributed to a victim) so that anti-malware solutions based on static signatures become useless.

Fundamentally, a packed executable consists of a small unpacking stub and an encoded copy of the original program (compressed, encrypted with a key, or both) stored as data inside the file. At execution time, the stub derives the key (if one is needed), decodes the original code, writes it into memory and then jumps to its entry point. The original code therefore exists only in memory, never on disk, which is what defeats static signatures.

This process can be repeated by extracting additional portions of packed code during the lifetime of a process, sometimes with nested packing (i.e., unpacked code that unpacks more code).
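The stub-plus-encoded-payload structure, including nested layers and run-time key derivation, is easiest to see in a toy model. The following is an added example written for this page, not code from the article or from any real packer: Python source stands in for machine code, `exec` stands in for the jump to the decoded entry point, and `UNPACK_TRACE` is a hypothetical hook that plays the role of a sandbox watching for decode-then-execute. The seed, the payload and the layer count are constructed for the demo.

```python
"""Toy model of a multi-layer packer and its run-time unpacking stub.

Added example, not from the article: it mimics the structure the text describes
(encoded payload stored as data, key derived at run time, decode, then transfer
control), using Python source as the "code" so it runs anywhere.
"""
import hashlib
import zlib

# One layer's stub. It embeds the encoded blob and a seed, derives the key at run
# time, decodes the inner code and executes it in the same namespace.
# UNPACK_TRACE is a hypothetical hook injected by the analysis harness below; it
# stands in for a sandbox that records each decode-then-execute event.
STUB_TEMPLATE = """\
import hashlib, zlib
_seed = {seed!r}
_blob = {blob!r}
_key = hashlib.sha256(_seed).digest()
_code = zlib.decompress(bytes(b ^ _key[i % len(_key)] for i, b in enumerate(_blob))).decode()
UNPACK_TRACE.append(len(_code))
exec(_code, globals())
"""


def derive_key(seed: bytes) -> bytes:
    """Run-time key generation. A real packer may mix in environment data;
    hashing an embedded seed is enough to show the idea."""
    return hashlib.sha256(seed).digest()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the 'encryption' step of this toy packer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload_src: str, layers: int, seed: bytes) -> str:
    """Wrap payload_src in `layers` nested stubs: compress, encrypt, embed.
    With layers > 1 the unpacked code is itself another packed program."""
    code = payload_src
    for layer in range(layers):
        layer_seed = seed + bytes([layer])
        blob = xor_bytes(zlib.compress(code.encode()), derive_key(layer_seed))
        code = STUB_TEMPLATE.format(seed=layer_seed, blob=blob)
    return code


def run_packed(stub_src: str):
    """Execute a packed program under observation.
    Returns (payload result, list of unpacked-code sizes, one per layer)."""
    ns = {"UNPACK_TRACE": []}
    exec(stub_src, ns)
    return ns["payload_main"](), ns["UNPACK_TRACE"]


# Constructed payload standing in for the real program.
PAYLOAD_SRC = '''\
def payload_main():
    return "payload executed"
'''

if __name__ == "__main__":
    packed = pack(PAYLOAD_SRC, layers=3, seed=b"demo-seed")
    print("payload text visible statically:", "payload executed" in packed)
    result, trace = run_packed(packed)
    print(result, "| layers unpacked:", len(trace), "| sizes:", trace)
```

Note what a static scanner sees: the outer stub source contains no trace of the payload string, only a decoder loop and an opaque byte blob. The trace, on the other hand, records three decode-then-execute events, the last one exactly the size of the original payload; that is the kind of observation the article's dynamic approach relies on.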

This type of behavior has been very common in malware for a number of years. For this reason, unpacking emulators were introduced by anti-virus vendors. These emulators perform the initial operations required to unpack the actual program code and then perform their static analysis of the unpacked code.

Cyber criminals soon took notice of packing emulators and started introducing anti-emulator mechanisms. These made it necessary to use full-blown sandboxes for the analysis: Only by running the actual program in a realistic environment was it possible to extract the actual behavior of the code. So, in the next step in the neverending battle between good and evil, cyber criminals started introducing anti-sandbox mechanisms into their packers.

The use of increasingly sophisticated anti-analysis techniques in packers suggests a logical question: Why not detect malware by detecting packers? One could decide to simply block executables that appear to be packed, forcing the malware writers to resort to more subtle (and expensive) mechanisms to avoid detection.

Well, the problem is that a substantial portion of benign software is packed as well. We ran an experiment over a dataset of recently observed binaries and found that 37% of the malware exhibited some form of packing, and so did 6% of the benign software. Note that the packing behavior was observed during execution, and therefore the measurement is independent of specific packers or other static indicators.

This shows that rejecting a program just because it’s packed is not an effective malware defense strategy.

So what next?
We considered several options for how security teams might be able to use packing behavior to detect malware.

Digital signatures
Combining an invalid or missing signature with unpacking behavior looks promising at first: among samples that unpack at run time, 97% of the malicious ones lack a valid signature. But so do 40% of the benign samples that unpack, so using this as the only signal would produce a large number of false positives.

                                                          Benign executables   Malicious executables
Valid digital signature                                          90%                   11%
Valid signature, among samples with unpacking behavior           60%                    3%

How executables are packed
Many packers (usually ad hoc programs) use a number of techniques to prevent reverse engineering. For example, they use multiple levels of packing -- that is, the unpacked executable is actually another packed program -- or they employ sophisticated anti-debugging techniques.

Compressing packers and encrypting packers
Compressing packers try to reduce the size of the original program using compression techniques; the compressed data can still retain some of the statistical properties of the original program. Encrypting packers, instead, encrypt the whole program, and consequently the encrypted data looks “random” (more formally, it has higher entropy).

In all cases, however, one cannot use the information to detect if a packed executable is malicious or not as these techniques also are used by developers of benign applications on a regular basis.

While information about packing is not a suitable approach for effective malware detection, a critical question remains: Is the industry nevertheless using packing as a signal?

A study I helped conduct in 2013 at the University of California in Santa Barbara took almost 8,000 system files from various versions of the Windows operating system and uploaded them to VirusTotal, obtaining an unsurprising “all OK” from all of the anti-malware tools.

Then, we packed the same files using four packers (UPX, Upack, NsPack and BEP), resulting in 16,000 verified samples (some of the packed files did not appear to be functional and had to be eliminated from the data set). These samples were then submitted to VirusTotal again, and the results, this time, were surprising: While the samples packed with UPX were not flagged as malicious, 96.7% of the samples packed with the remaining three packers were labeled as malicious by more than ten anti-virus products.

The results clearly show that many anti-virus tools use the identification of packing behavior as a signal for classification as malware, but this was four years ago.

In order to verify the state of art today, we reproduced, on a smaller scale, the 2013 experiment. We took ten benign samples and we packed them with Obsidium, a commercial packer tool, and then we submitted the samples to VirusTotal.

First of all, an important disclaimer: The engines on VirusTotal are not configured in the most effective way, and therefore, the results must be taken with a grain of salt. For this reason, we do not single out any specific vendor, and instead we show only the aggregate results.

Our findings were that packing is still used as a signal: many vendors, including top players in the AV industry, identified benign programs as malicious only because they were packed. Of the 64 AV tools used, on average about a quarter (16.6 of 64) flagged each benign sample as malicious.

                    AV tools that analyzed the sample   AV tools that flagged the sample as malicious
Benign sample 1                    64                                      19
Benign sample 2                    64                                      20
Benign sample 3                    62                                       6
Benign sample 4                    64                                      18
Benign sample 5                    64                                      20
Benign sample 6                    64                                      19
Benign sample 7                    64                                      18
Benign sample 8                    64                                      16
Benign sample 9                    64                                      16
Benign sample 10                   62                                      14

The lesson learned is that packers are not a reliable way to determine the nature of an executable. Instead, it is necessary to run the sample, trigger the unpacking, observe how the unpacking is performed, and combine this information with the actual behavior of the program.

Of course, this requires more resources than a simple static analysis, but, nowadays, it’s either that or inundating security teams with false positives.

Dr. Giovanni Vigna has been researching and developing security technology for more than 20 years, working on malware analysis, web security, vulnerability assessment and intrusion detection. He is a professor in the department of computer science and the director of the Center for CyberSecurity at the University of California in Santa Barbara, and is co-founder and CTO at Lastline.