Presentation is loading. Please wait.

Presentation is loading. Please wait.

Samir Mody (Sophos/K7Computing) Igor Muttik (McAfee) Peter Ferrie (Microsoft)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Samir Mody (Sophos/K7Computing) Igor Muttik (McAfee) Peter Ferrie (Microsoft)"— Presentation transcript:

1 Samir Mody (Sophos/K7Computing) Igor Muttik (McAfee) Peter Ferrie (Microsoft)

2 1. Reduce impact of legitimate packers in malware 2. Improve identification of custom packers

3 Digital signature Packer family Check: Packer prevalence (malware vs clean) License key (alias “taggant” or “watermark”) information Packer properties

4 A lice Packer vendor C arol AV vendor B ob Packer user AV user Victim of malware  D ave Bad boy malware author sell oops

5 What?  Taggant: cryptographically encrypted data based on PKI  Watermark: encoded data permeating a file  Both specify packer family, unique packer license ID, and potentially more Why?  Allows blacklisting abused legitimate packers without the need to unpack

6  AV industry-packer vendor partnership  AV members: AVG, CSIS SecurityGroup A/S, Damballa, ESET, IBM, K7Computing, Marvell Semiconductor, McAfee Inc., Microsoft Corporation, NovaShield, Palo Alto Networks, Panda Security, Sophos Plc, Symantec Corporation, Trend Micro Inc., Veszprog  Packer partners: Enigma, Obsidium, Oreans (Themida), VMPSoft (VMProtect)

7  Sponsored technical infrastructure  Cryptographically secure (PKI)  No need to unpack  Compatible with digital signatures  Sponsored administrative infrastructure  Managed by IEEE  Issuing and maintaining records of credentials  Addressing queries and issues

8 Anti- emulation Anti- debugging Excessive branching Superset of individual packer characteristics Potential overlaps of shared characteristics between properties

9  Combinations of packer properties may be grounds for suspicion  Suspicious packing applications may be grounds for suspicion of the packer  Status of packers depends on:  Properties of the packer  Extent of cooperation of packer vendor  Prevalence of packer in legitimate applications  AV vendor’s client base and individual security policy  AV industry may actively promote well-behaved packers

10  Need more comprehensive and concerted policy to deal with packer problem  Can use digital signatures, taggants, watermarks and packer properties in decision logic on packer status  IEEE ICSG taggant system potential  Need cooperation of packer vendors, free packer authors and the general public

11

12  Difficult to blacklist outright due to high volume  However, in general free packers are not as complex as commercial ones, i.e. most AV solutions are likely to be able to unravel free packer layers to peek inside  Nevertheless, the IEEE ICSG scheme does incorporate a solution to accommodate applying taggants for open source or freely available packers

13  Polymorphic code  Non-standard use of APIs  Unusual structural features  Unnecessary use of unusual instructions  Unnecessary branching into the middle of another instruction  Destruction of target data  Impersonation of another packer  Unusual transfer of execution control

Download ppt "Samir Mody (Sophos/K7Computing) Igor Muttik (McAfee) Peter Ferrie (Microsoft)"

Similar presentations

Introduction to z/OS Security Lesson 4: There’s more to it than RACF

Introduction to z/OS Security Lesson 4: There’s more to it than RACF
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
6.1 © 2007 by Prentice Hall 6 Chapter Foundations of Business Intelligence: Databases and Information Management.

6.1 © 2007 by Prentice Hall 6 Chapter Foundations of Business Intelligence: Databases and Information Management.
Persistent Protection Using E-DRM Technology Jason Fasoo 06/18/2008.

Persistent Protection Using E-DRM Technology Jason Fasoo 06/18/2008.
1 Panda GateDefender Performa Your First Line of Defense Product Presentation Name 2008.

1 Panda GateDefender Performa Your First Line of Defense Product Presentation Name 2008.
Technical Review Group (TRG)Agenda 27/04/06 TRG Remit Membership Operation ICT Strategy ICT Roadmap.

Technical Review Group (TRG)Agenda 27/04/06 TRG Remit Membership Operation ICT Strategy ICT Roadmap.
1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.

1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library

CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Novel Information Attacks From “Carpet Bombings” to “Smart Bombs”

Novel Information Attacks From “Carpet Bombings” to “Smart Bombs”
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
1 Metric Scheme u Transmittal –basic scheme: collect all necessary metrics from tools send metrics to the database –implementation options: send all metrics.

1 Metric Scheme u Transmittal –basic scheme: collect all necessary metrics from tools send metrics to the database –implementation options: send all metrics.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.

Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.
EICAR 2009, 12 May 2009 Checkvir Realtime Anti-Malware Testing and Certification Dr. Ferenc Leitold, Veszprog Ltd.

EICAR 2009, 12 May 2009 Checkvir Realtime Anti-Malware Testing and Certification Dr. Ferenc Leitold, Veszprog Ltd.
KASPERSKY SECURITY FOR STORAGE Product Launch Presentation Global B2B Product Marketing Teams.

KASPERSKY SECURITY FOR STORAGE Product Launch Presentation Global B2B Product Marketing Teams.
Symantec Endpoint Protection Partner References. SEP MR3, the latest iteration of the endpoint protection suite, is tightly tailored for performance of.

Symantec Endpoint Protection Partner References. SEP MR3, the latest iteration of the endpoint protection suite, is tightly tailored for performance of.

Similar presentations

Ads by Google