WaveAtlas: surfing through the landscape of current malware packers

Presented at VB2015, Sept. 30, 2015, 4:30 p.m. (30 minutes).

Obfuscation techniques have become increasingly prevalent in malware programs, employed as tools to thwart reverse engineering efforts or to evade signature-based detection by security products. Among the most popular methods, the use of packers - programs that transform an executable file's appearance without affecting its semantic execution - is now widely adopted by malware authors. However, despite the rise in the number of malicious programs distributed with packers, we still lack a global picture of their current use. What kind of packers protect malware nowadays? Is there a common model? Previous attempts, based on static signature-database tools, failed to build an accurate picture of the use of packers by malware: their main limitation is that static analysis says nothing about the actual behaviour of the packers and therefore misses run-time features.

In this paper, we present WaveAtlas, a novel framework designed to map the code used by packers. Using a dynamic analysis approach, it reconstructs the structure of the code modification tree, whose root is the packed code and packer and whose nodes represent snippets of code extracted in successive 'waves'. We report on a large-scale experiment conducted on a representative sample of thousands of pieces of self-modifying malicious code. Our results allowed us to identify common features of malware packers, ranging from their use of self-modifying code to exotic choices of machine instructions. In particular, we were able to confirm some commonly held beliefs regarding the use of packers by malware writers. For example, a malicious payload (e.g. code including network callbacks) is typically present in the last or penultimate wave. Furthermore, the number of waves is relatively small and the structure of the trees relatively simple, indicating that malware authors are probably using simpler tools and parameters as a compromise between stealth and efficiency.
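To make the 'wave' model concrete, here is an added toy example in Python (not WaveAtlas code, nor the authors' own): it replays a constructed instruction trace and assigns each executed instruction to a wave under the rule that code runs in wave w+1 when its bytes were last written by wave w. The trace, the addresses and the API names are all assumed for illustration, and the wave rule is a simplification of the abstract's description.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Event:                      # one executed instruction of a hypothetical trace
    addr: int                     # address the instruction was fetched from
    writes: Tuple[int, ...] = ()  # addresses it wrote to
    api: Optional[str] = None     # imported API it called, if any

@dataclass
class WaveReport:
    n_waves: int
    insns_per_wave: Dict[int, int]
    apis_per_wave: Dict[int, Set[str]]
    edges: Set[Tuple[int, int]]   # (writer wave, wave it produced)

NETWORK_APIS = {"connect", "send", "recv", "InternetOpenUrlA"}

def compute_waves(trace: List[Event]) -> WaveReport:
    """Wave rule: an instruction belongs to wave w+1 when the bytes it was fetched
    from were last written by wave w; bytes never written at run time are wave 0."""
    last_writer: Dict[int, int] = {}   # address -> wave that last wrote it
    insns, apis = {}, {}
    edges = set()
    for ev in trace:
        w = last_writer.get(ev.addr, -1) + 1
        insns[w] = insns.get(w, 0) + 1
        if w > 0:
            edges.add((w - 1, w))
        if ev.api:
            apis.setdefault(w, set()).add(ev.api)
        for a in ev.writes:  # remember which wave produced the new bytes
            last_writer[a] = w
    return WaveReport(max(insns) + 1 if insns else 0, insns, apis, edges)

def payload_wave(report: WaveReport) -> Optional[int]:
    """First wave that calls a network API, i.e. where the real payload sits."""
    for w in sorted(report.apis_per_wave):
        if report.apis_per_wave[w] & NETWORK_APIS:
            return w
    return None

# Constructed two-layer packer trace: the stub at 0x1000 (wave 0) decrypts wave 1
# into 0x2000 and jumps there (0x1008); wave 1 unpacks the payload into 0x3000
# and jumps there (0x2002); wave 2 is the payload and calls connect()/send().
SAMPLE_TRACE = [
    Event(0x1000), Event(0x1003, writes=(0x2000, 0x2001, 0x2002)), Event(0x1008),
    Event(0x2000), Event(0x2001, writes=(0x3000, 0x3001)), Event(0x2002),
    Event(0x3000, api="connect"), Event(0x3001, api="send"),
]
```

Running `compute_waves(SAMPLE_TRACE)` yields three waves with edges (0,1) and (1,2), and `payload_wave` reports the network-calling code in the last wave, which is the pattern the abstract describes.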


Presenters:

  • Erwann Traourouder - École Polytechnique de Montréal
    Erwann Traourouder is a software engineer at Capgemini France. He did two years of malware research at the École Polytechnique de Montréal, after receiving his M.Sc. in computer security (2012) at the University of Rennes 1 and his B.Eng. in software engineering (2011) at the Institut National des Sciences Appliquées of Rouen (France).
  • Fanny Lalonde Lévesque - École Polytechnique de Montréal
    Fanny Lalonde Lévesque is a Ph.D. student in the Department of Computer & Software Engineering at the École Polytechnique de Montréal. She received her B.Eng. in software engineering (2010) and her Masters of Applied Sciences (2013) from the École Polytechnique de Montréal. Her main research interests lie in security product testing methodologies and in identifying and understanding human and technological risk factors leading to malware infections.
  • François Menet - École Polytechnique de Montréal
  • Jean-Yves Marion - Université de Lorraine
    Jean-Yves Marion is professor of computer science at Lorraine University in Nancy, in the north-east of France. His research covers computer viruses. An objective of his research is to develop new tools to analyse malware, to identify functionality inside binary code, and to classify malware. Recently, he has worked extensively on the disassembling process of self-modifying x86 code. He also has a strong interest in computer forensics. He is the head of the high security lab (HSL) and also the head of the computer science department of his university. He is a member of the prestigious Institut Universitaire de France (IUF).
  • Jose M. Fernandez - École Polytechnique de Montréal
    José M. Fernandez is an Associate Professor at the École Polytechnique de Montréal. There, he leads the Laboratoire de Sécurité des Systèmes d'Information (SecSI), where he conducts research on computer security.
  • Joan Calvet - ESET
    Joan Calvet is a malware researcher working at ESET, where he is mainly involved in in-depth malware investigations. He defended his Ph.D. thesis in 2013, and has spoken at security conferences such as REcon, Virus Bulletin and DeepSec. @joancalvet
