Introduction
It is well known that packers are commonly used by malware developers. Do you want to know why?- They help malware hide from antivirus systems.
- A packed software complicates the malware analysis.
- It shrinks the size of malicious program.
- Most packers are free and can be used by anyone.
When a program is packed, the executable is transformed to a new
executable that stores the original one as data. The new executable
contains an unpacking stub that is called by the OS to unpack the
original one. The unpacking stub performs three tasks:
Roughly, it is really similar to when you packed a file into a RAR file.
- To unpack the original executable into memory
- To resolve the imports from the original executable
- To transfer execution to the original entry point (OEP)
Roughly, it is really similar to when you packed a file into a RAR file.
When you are performing a Basic Static Analysis, a packed malware
thwarts your attempts of analyzing it. In a Basic Static Analysis you
need to look at the Strings and the Imports to try to figure out what
the program does. In the picture bellow, you will s
ee the differences between a malware sample packed and the same one which has been unpacked.
ee the differences between a malware sample packed and the same one which has been unpacked.
There is a lot of packers software. These are some of them:
- UPX
- Petite
- PECompact
- WinUpack
- Themida
- ASPack
- ...
Analysing +1000 malware samples
As I said, packers are commonly used by malware developers but... how often are packers being used? For this post, I've analyzed more than 1.000 random malware samples to try to detect how many samples have been packed and what the most common packer is.To achieve this puporse, I have used packerid.py and the Panda signatures which can be downloaded from the link bellow:
There are more signatures to detect packed software but I chose that, because comparing the results with the other ones, Panda signatures have more ratio detection. However, it is your choice to choose whatever you want. In the links bellow, you can find more signatures to perform a packer detection.
http://www.sysreveal.com/tag/userdb-txt/
http://handlers.sans.org/jclausing/userdb.txt
https://github.com/cuckoobox/cuckoo/blob/master/data/peutils/UserDB.TXT
http://handlers.sans.org/jclausing/userdb.txt
https://github.com/cuckoobox/cuckoo/blob/master/data/peutils/UserDB.TXT
I've uploaded a file to Pastebin where you can find the results of the malware analyzed that was obtained by packerid:
Conclusion
After analyzing more than 1000 malware samples, we could think that it is not so usual for malware developers the fact of packing their malicious software. Maybe +1000 samples analyzed aren't enough to obtain a conclusion, maybe the Panda signatures aren't good enough or maybe, the malware developers are changing their techniques to go unnoticed.... I invited you to draw your own conclusions... What is your opinion?In the list below, you can find the accurate data about this research.
- 953 No packer detected
- 38 Microsoft Visual C++
- 35 UPX
- 29 .NET executable
- 17 Microsoft Visual Basic
- 8 BobSoft Mini Delphi
- 4 ASPack
- 2 Wise Installer Stub
- 2 WinRAR
- 2 InstallAnywhere
- 2 PeCompact
- 2 ASProtect
- 1 Themida
- 1 WinZip
Update 03/24/2014
After publishing this post, I've received some e-mails. One of them was from developer of Detect It Easy, a tool to detect packed software. He told me that he is working on another tool named Diesort (alpha version until next month) which will detect much more packed software that I published in my report. So I decided to test it and that is true, Diesort detected 933 unpacked malware instead of 953 results I got with PackerID using Panda signatures.
But the conclusion of my report hasn't changed, most of the malware I've analysed is not packed.
source : http://www.behindthefirewalls.com/2014/03/detecting-packed-malware-in-1000-random.html
No comments:
Post a Comment