Unpacking strategies

Alex Shipp MessageLabs

  Technical stream: Thursday 30 Sept 2004, 15.40-16.20.

One recurring technique that malware writers have used for many years is to disguise their creations with various PE compression engines ("packers"). These engines take a Windows PE file and produce a smaller file that decompresses itself in memory at runtime. UPX and ASPack are well-known examples, but the full list runs to many hundreds. Packing presents two problems for anti-malware engines. Firstly, to detect known malware, creating signatures for every different packer is unworkable, so the file must be unpacked before signature matching can take place. Secondly, to detect unknown malware, the file must usually be unpacked as well, so that strong code-analysis heuristics can be applied.

There are various strategies that can be employed to unpack files to the point at which they can be analysed further. This paper looks at these strategies, examining the strengths and weaknesses of each.
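Before any unpacking strategy can be chosen, a scanner first has to decide that a file is packed at all. The following is an added example, not code from the paper or from Virus Bulletin: it applies the two cheapest triage checks, packer-specific section names (the UPX names are assumed from the packer named above; the others are widely documented) and per-section Shannon entropy, to constructed section data rather than to a real PE file.

```python
import math
import random
from typing import Iterable, List, Tuple

# Section names commonly left behind by packers (assumed set; UPX is the
# packer named in the abstract, the ASPack names are widely documented).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packing_indicators(sections: Iterable[Tuple[str, bytes]],
                       threshold: float = 7.0) -> List[str]:
    """Return human-readable reasons the section list looks packed.

    `sections` is an iterable of (section_name, raw_bytes). Compressed or
    encrypted code approaches 8 bits/byte, so any section of at least 1 KiB
    above `threshold` is reported; plain x86 code normally sits well below it.
    """
    reasons = []
    for name, data in sections:
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r} matches a known packer name")
        ent = shannon_entropy(data)
        if len(data) >= 1024 and ent >= threshold:
            reasons.append(f"section {name!r} has high entropy ({ent:.2f} bits/byte)")
    return reasons


def looks_packed(sections: Iterable[Tuple[str, bytes]]) -> bool:
    return bool(packing_indicators(list(sections)))


# Constructed sample data (not taken from real files): a plain section of
# repetitive code-like bytes and a UPX-style section of pseudo-random bytes.
_rng = random.Random(2004)
PLAIN_SECTIONS = [(".text", bytes([0x55, 0x8B, 0xEC, 0x90] * 1024))]
PACKED_SECTIONS = [("UPX0", b""),
                   ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)))]

if __name__ == "__main__":
    for label, secs in (("plain", PLAIN_SECTIONS), ("packed", PACKED_SECTIONS)):
        print(label, packing_indicators(secs) or ["no packing indicators"])
```

Both checks are heuristics: a packer can rename its sections, and legitimate installers or files with embedded compressed resources also show high-entropy sections, so a positive result justifies unpacking rather than a verdict.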
