Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

8/24/2017
03:21 PM
Giovanni Vigna
Giovanni Vigna
News Analysis-Security Now
50%
50%

Unpacking Packed Malware

Executable compression is a common technique for hiding malware. The question is, what can you do to unpack the threat?

Executable compression, a.k.a. "packing,” is a means of compressing an executable file and combining the compressed data with decompression code into a single executable.

Throughout the years, anti-malware vendors have educated their users about polymorphic malware that uses packing applications to repackage itself frequently (ideally every time it gets distributed to a victim) so that anti-malware solutions based on static signatures become useless.

Fundamentally, when packed, an encoded version of the malware is stored in a variable, possibly encoded with a key. At execution time, the program generates the key (if necessary), and then decodes the malware. The malware is then loaded into memory and the unpacker program jumps to the address and executes the malicious payload.

This process can be repeated by extracting additional portions of packed code during the lifetime of a process, sometimes with nested packing (i.e., unpacked code that unpacks more code).

This type of behavior has been very common in malware for a number of years. For this reason, unpacking emulators were introduced by anti-virus vendors. These emulators perform the initial operations required to unpack the actual program code and then perform their static analysis of the unpacked code.

Cyber criminals soon took notice of packing emulators and started introducing anti-emulator mechanisms. These approaches made necessary the use of full-blown sandboxes for the analysis: Only by running the actual program in a realistic environment was it possible to extract the actual behavior of the code. So, in the next step in the neverending battle between good and evil, cyber criminals started introducing anti-sandbox mechanisms into their packers.

The use of increasingly sophisticated anti-analysis techniques in packers suggests a logical question: Why not detect malware by detecting packers? One could decide to simply block executables that appear to be packed, forcing the malware writers to resort to more subtle (and expensive) mechanisms to avoid detection.

Well, the problem is that a substantial portion of benign software is packed as well. We ran an experiment over a dataset of recently observed binaries, and we found that 37% of malware had some form of packing and 6% of benign software uses packing. Note that the packing behavior was observed during execution, and therefore is independent of specific packers or other techniques.

This shows that rejecting a program just because it’s packed is not an effective malware defense strategy.

So what next?
We considered several options for how security teams might be able to use packing behavior to detect malware. Digital signatures
Even though an invalid or missing signature combined with unpacking behavior seems promising given that 97% of our malicious samples shared this characteristic, there are many benign samples (40%) that also have this characteristic. Therefore, using this as the only signal would result in a large amount of false positives.

  Benign Executables Malicious Executables
Valid Digital Signatures 90% 11%
Valid Signature and Unpacking Behavior 60% 3%


How executables are packed
Many packers (usually ad hoc programs) use a number of techniques to prevent reverse engineering. For example, they use multiple levels of packing -- that is, the unpacked executable is actually another packed program -- or they employ sophisticated anti-debugging techniques. Compressing packers and encrypting packers
Compressing packers try to reduce the size of the original program using compression techniques. As a result, the compressed data can still retain some of the statistical properties of the original program. Encrypting packers, instead, perform full encryption of the program, and consequently, the encrypted data tends to be more “random” (more formally, it has a higher entropy).

In all cases, however, one cannot use the information to detect if a packed executable is malicious or not as these techniques also are used by developers of benign applications on a regular basis.

While information about packing is not a suitable approach for effective malware detection, a critical question remains: Is the industry nevertheless using packing as a signal?

A study I helped conduct in 2013 at the University of California in Santa Barbara took almost 8,000 system files from various versions of the Windows operating system and uploaded them to VirusTotal, obtaining an unsurprising “all OK” from all of the anti-malware tools.

Then, we encrypted the same files using four packers (UPX, Upack, NsPack and BEP), resulting in 16,000 verified samples (some of the packed files did not appear to be functional and had to be eliminated from the data set). These samples were then submitted to VirusTotal again, and the results, this time, were surprising: While the samples packed with UPX were not flagged as malicious, 96.7% of the samples packed with the remaining three packers were labeled as malicious by more than ten anti-virus products.

The results clearly show that many anti-virus tools use the identification of packing behavior as a signal for classification as malware, but this was four years ago.


Want to learn more about the tech and business cases for deploying virtualized solutions in the cable network? Join us in Denver on October 18 for Light Reading's Virtualizing the Cable Architecture event – a free breakfast panel at SCTE/ISBE's Cable-Tec Expo featuring speakers from Comcast and Charter.

In order to verify the state of art today, we reproduced, on a smaller scale, the 2013 experiment. We took ten benign samples and we packed them with Obsidium, a commercial packer tool, and then we submitted the samples to VirusTotal.

First of all, an important disclaimer: The engines on VirusTotal are not configured in the most effective way, and therefore, the results must be taken with a grain of salt. For this reason, we do not single out any specific vendor, and instead we show only the aggregate results.

Our findings were that packing is still used as a signal, as many vendors, including top players in the AV industry, identified benign programs as malicious only because they were packed. Of the 64 AV tools used, an average of 25% identified each benign sample as malicious.

  # of AV tools that Analyzed the Sample # of AV tools that Categorized the Sample as Malicious
Benign Sample 1 64 19
Benign Sample 2 64 20
Benign Sample 3 62 6
Benign Sample 4 64 18
Benign Sample 5 64 20
Benign Sample 6 64 19
Benign Sample 7 64 18
Benign Sample 8 64 16
Benign Sample 9 64 16
Benign Sample 10 62 14


The lesson learned is that packers are not a reliable way to determine the nature of an executable. Instead, it is necessary to run the sample, trigger the unpacking, observe how the unpacking is performed, and combine this information with the actual behavior of the program.

Of course, this requires more resource than a simple static analysis, but, nowadays, it’s either that or inundating security teams with false positives.

Related posts:

Dr. Giovanni Vigna has been researching and developing security technology for more than 20 years, working on malware analysis, web security, vulnerability assessment and intrusion detection. He is a professor in the department of computer science and the director of the Center for CyberSecurity at the University of California in Santa Barbara, and is co-founder and CTO at Lastline. You can contact him at [email protected]

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3166
PUBLISHED: 2021-01-18
An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, r...
CVE-2020-29446
PUBLISHED: 2021-01-18
Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...