
Exepackers: The good, the bad and the ugly ones

Robert Neumann Virusbuster Ltd.

What are exepackers?

Applications meant to compress and/or encrypt other applications and still keep them in a runnable state on the given operating system

Where are they coming from?

C64 "crunchers" (SledgeHammer, FastCruel, ABCruncher)
Amiga / Atari ST (Crunch Mania, StoneCracker, Pack Ice)
DOS era (Hackstop, Exepack, DIET, WWPack, Scram)
Every age had its own more or less automatic unpacking solutions (just think of unp.exe and cup386.com)

Our interaction with them today


Windows based packers (PE-Crypt, PElockNT, FSG, UPX, ASPack, Armadillo, Themida, VMProtect)
Famous 3rd party applications (IrfanView, BSplayer, utorrent)
Heaps of malware
Commercial copy protections
Other non-welcome applications such as cracks and keygens

The exepacker collection


Cryptors 41%
Compressors 29%
Protectors 23%
Installers 7%

Different packer types

119 different cryptors, 264 versions in total
87 different compressors, 453 versions in total
70 different protectors, 431 versions in total
22 different installers, 226 versions in total

From white to black

Pure whites (ASProtect, Armadillo, Themida, Execryptor, Enigma, VMProtect)
Questionable greys (Upack, ASPack, PECompact, FSG, PeX)
Black as the night view from Moon (almost *crypter)

Structure, capabilities, internals


Compression and/or encryption
Import/export table protection
Anti-debugger / anti-virtual machine tricks
Code replacement
Own custom VMs (the ring 0 -> ring 3 change)
Sometimes using obscure programming languages (VB p-code)
Destroying the myth - sophisticated protections won't slow down or damage your computer (the story of StarForce, Sony's rootkit)

Identification and processing


Common packer characteristics (section names, entry point, entropy, overall visual appearance)
Sequence-based detection tools (PEiD, RDG Packer Detector, Protection ID)
Anti-virus scanner logs
Processing methods (native support, emulation based, hybrid systems, manual approach)
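The section-name, entry-point and entropy characteristics listed above can be scripted as a first-pass triage heuristic before a sequence-based tool is consulted. The following Python is an added example, not code from the presentation or from Virusbuster; it assumes an illustrative subset of packer section names and builds its own constructed minimal PE32 images as test input.

```python
import math, struct
# Section names commonly documented for well-known packers (illustrative subset, an assumption).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".adata", ".nsp0", ".nsp1",
                        ".MEW", ".Upack", ".themida", ".vmp0", ".vmp1"}

def shannon_entropy(data: bytes) -> float:  # bits per byte: 0.0 for empty, 8.0 for uniform
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def parse_pe(pe: bytes):  # -> (AddressOfEntryPoint, [(name, va, size, entropy)]), struct only
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)  # COFF header
    entry_rva, = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)  # optional header offset 16
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, e_lfanew + 24 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, max(vsize, rawsize),
                         shannon_entropy(pe[rawptr:rawptr + rawsize])))
    return entry_rva, sections

def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> list:
    # Heuristic hints only; a sequence-based identifier (PEiD etc.) would confirm which packer.
    entry_rva, sections = parse_pe(pe)
    hints = []
    for idx, (name, va, size, ent) in enumerate(sections):
        if name in PACKER_SECTION_NAMES:
            hints.append(f"section {name!r} is a known packer section name")
        if ent > entropy_threshold:
            hints.append(f"section {name!r} entropy {ent:.2f} looks compressed/encrypted")
        if va <= entry_rva < va + size and idx != 0:  # compilers put the entry in the first section
            hints.append(f"entry point 0x{entry_rva:x} lies outside the first section ({name!r})")
    return hints

def build_pe(sections, entry_rva: int) -> bytes:  # constructed minimal PE32 image for testing
    opt_size, raw_ptr = 0xE0, 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    hdrs, body = b"", b""
    for name, va, data in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data) or 0x1000,
                            va, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr, body = raw_ptr + len(data), body + data
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs + body

# Constructed samples: a compiler-like layout and a UPX-like layout (not real files).
CLEAN_PE = build_pe([(".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10" * 64), (".data", 0x2000, b"\0" * 256)], 0x1000)
PACKED_PE = build_pe([("UPX0", 0x1000, b""), ("UPX1", 0x5000, bytes((i * 131 + 7) & 0xFF for i in range(2048)))], 0x5000)
```

Running packer_indicators(PACKED_PE) yields four hints (two known section names, one high-entropy section, entry point outside the first section), while the compiler-like image yields none.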

The AV standpoint
6-8GB of new samples with a unique MD5 worldwide every day
What can we do against them (blacklisting, emulating)
License based blacklisting (not beating the technology, IEEE project)
Anti-VM tricks
The issue of false positives (free app -> free packer -> possibility of FP)
Custom malware packers -> we have no access to them, harder to analyze
Not necessary to restore a fully working executable, but a studiable one

Packer detection toplist: custom vs specific


Custom:
Trojan.DL.Swizzor.Gen!Pac.4    223871
Trojan.DL.Swizzor.Gen!Pac.5    197828
Trojan.Tibs.Gen!Pac.132         96335
Trojan.Lineage.Gen!Pac.3        84864
Adware.Vundo.Gen!Pac.18         83492
Adware.Vundo.Gen!Pac.21         77281
Trojan.Vundo.Gen!Pac.25         68383
Trojan.Vundo.Gen!Pac.31         65159
Trojan.DL.Swizzor.Gen!Pac.3     55766
Trojan.FakeAlert.Gen!Pac.2      53270

Specific:
Packed/Upack                   460739
Packed/NSPack                  165125
Packed/FSG                     126669
Packed/UPC                      84572
Packed/MEW                      32099
Packed/eXPressor                23301
Packed/NSPM                     20538
Packed/PolyCrypt                20236
Packed/Themida                  20031
Packed/NakedPack                17604

Questioning their sole purpose


They aren't always needed nor welcome
The urgency for more and better protections - we cannot get rid of these
The 3rd party issue - we can get rid of them if we decide to
They are going to stay on malware for a long time
Portable applications on flash drives (VMware ThinApp a.k.a. Thinstall)

Looking into the future

Whites are going to stay just white, improving on the compression
Even more custom malware ones, yet more tricks to avoid detection / analysis
Protections might combine best of both worlds -> VMs + hardware keys

Questions?

Email: rneumann@virusbuster.hu

Demos

PECompact quick unpack
Vundo's anti-VM tricks