One Packer to Rule Them All: Empirical Identification, Comparison, and Circumvention of Current Antivirus Detection Techniques

Presented at Black Hat USA 2014, Aug. 7, 2014, 9:35 a.m. (25 minutes)

Lately, many popular anti-virus solutions claim to be the most effective against unknown and obfuscated malware. Most of these solutions are rather vague about how they supposedly achieve this goal, making it hard for end-users to evaluate and compare the effectiveness of the different products on the market. This presentation presents empirically discovered results on the various implementations of these methods per solution, which reveal that some anti-virus solutions have more mature methods to detect x86 malware than others, but all of them are lagging behind when it comes to x64 malware. In general, at most three stages were identified in the detection process: Static detection, Code Emulation detection (before execution), and Runtime detection (during execution). New generic evasion techniques are presented for each of these stages. These techniques were implemented by an advanced, dedicated packer, which is an approach commonly taken by malware developers to evade detection of their malicious toolset. Two brand new packing methods were developed for this cause. By combining several evasion techniques, real-world malicious executables with a high detection rate were rendered completely undetected to the prying eyes of anti-virus products.

Presenters:

• Arne Swinnen - NVISO
  Arne Swinnen works as a Security Consultant at NVISO, where he mostly performs penetration testing, source code reviews, and lecturing security related training. Next to Capture-the-Flag challenges he enjoys following the latest security trends and occasionally losing at soccer. Arne holds the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications.
• Alaeddine Mesbahi - Verizon
  Alaeddine Mesbahi works as a Security Consultant at Verizon Business specialized in penetration testing and security source code review. He is in his own words a Python addict, self-proclaimed green mint tea expert. He enjoys learning new stuff about InfoSec every day, losing at chess and practicing martial arts. Alaeddine holds the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications.

Links:

• https://www.blackhat.com/us-14/archives.html#one-packer-to-rule-them-all-empirical-identification-comparison-and-circumvention-of-current-antivirus-detection-techniques
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2014/video/One Packer to Rule Them All.mp4
• https://www.youtube.com/watch?v=gtLMXxZErWE
• https://www.blackhat.com/docs/us-14/materials/us-14-Mesbahi-One-Packer-To-Rule-Them-All.pdf
• https://www.blackhat.com/docs/us-14/materials/us-14-Mesbahi-One-Packer-To-Rule-Them-All-WP.pdf

Similar Presentations:

• DEF CON 18 (2010) / Open Source Framework for Advanced Intrusion Detection Solutions
• ShmooCon XIII (2017) / Defeating Sandbox Evasion: How to Increase Successful Emulation Rate in Your Virtualized Environment
• DEF CON 14 (2006) / Hacking Malware: Offense Is the New Defense