How Malware Writers Abuse Runtime Packing

Packing technology is really just compression. You know, ZIP, CAB, RAR, and so on. There are many types of packers and some people even write their own. The way a packer compresses the file is called an algorithm. There are many different algorithms and unless you know what one was used, or have a tool to unpack the file you will not be able to use the file. 
A simplistic explanation of packers, or compression (same thing) is that symbols are used to represent repeated patterns.
Take the following sentence:
The monkey does not know he is a monkey, he thinks that you are the monkey.
What if we replace the word “monkey” with “%”?
The % does not know he is a %, he thinks that you are the %.
The sentence has fewer characters, but unless you know our “algorithm” you won’t know what the sentence means. 
How about “The * does not know he is a *, he thinks that you are the *.” Since I have not told you what the “*” replaces you don’t know if now I am talking about cats, pigs, aliens, or what.
If I live in a place where I am not allowed to say the word “Freedom”, this technique allows me to effectively say the word “Freedom” to anyone who understands the algorithm, but the authorities will not see the word if they scan my emails.
A packed file can contain malware and unless your anti-virus product knows how to unpack the file the malware will not be detected. On the bright side, if the malware is packed it cannot infect your computer. That would seem to be the end of the story, except that we have something called run-time packers. Here is how they work. The packed file is an executable (program) that is only partially packed. A tiny bit of the program is not packed. The beginning of the program is not packed so, when you run the packed executable it starts unpacking the rest of the file. The un-packer tool is built right in. 
Runtime packers are used by malware authors because it makes it much harder to detect the malware. One of the strengths of the type of heuristics that ESET, and some other vendors, use is that we create a virtual computer in the scanning engine and run the program. This can force a run-time packed program to unpack itself, saving us the trouble of needing to know the algorithm. 
There’s always a catch though… a crafty programmer can make the program detect it is running in a virtual environment and then the program may not unpack itself or may only unpack harmless parts of itself to fool the virus scanning program.
There is another approach to dealing with the problem. Some companies pretend like they detect malware when they actually simply detect anything that is packed with specific types of packers. This makes them score better on tests that are not well constructed. We have encountered very few packing technologies that are ONLY used for bad software. This means that good software that is packed is detected as infected by those companies who only detect the packer. These are false positives. 
Another approach is to combine recognition of packers with more sensitive behavioral detection as simply being packed with some programs makes the file very, very suspicious. Many of the threats we see are packed with a program called “Themida”. The program itself is often used for copy protecting software, but it was a difficult packer to reverse engineer. The malware writers knew this so they started using the technology extensively. Themida is an example of a runtime packer. 
The key thing about packers is that in addition to making files smaller, they also break traditional signatures, so a heuristic approach is required in order to detect the packed files without creating false positive on legitimate software.

Comments

Popular Posts

Contact Form

Name

Email *

Message *