Generic unpacking – how to handle modified or unknown PE compression engines?

Tobias Graf, Ewido Networks

Current Agobot collections show that open source crypters like YodaCrypter will become a bigger threat to the anti-virus industry. Static unpacking engines are fooled by added instructions or modified entry points – a change that takes five minutes. One solution is to implement generic unpacking by emulating the underlying compression engine, in the same way that polymorphic viruses are handled.

In our paper/presentation we will show the most important problems of emulating a compression engine and how to solve them. First, we describe the emulation process, its many advantages and the problems that arise. Then we will give some impressions of the major problems: speed, error tracing and operating system emulation. Finally, we will give a snapshot of our current generic unpacking engine and show what has been achieved and what can be achieved in the future.
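The contrast the abstract draws, a pattern-based static unpacker that breaks as soon as one instruction is inserted before the stub versus an emulator that simply executes the stub until it transfers control to the original entry point, can be shown on a toy scale. The following is an added example, not code from the paper or from Ewido's engine: it defines a constructed eight-opcode instruction set (not x86), a constructed XOR decryption stub with a loop, a static unpacker that matches the stub byte layout, and a tiny emulator with a step budget (the speed and error-tracing concern the abstract raises). All opcode values, the 32-byte stub area and the sample payload are assumptions made for the example.

```python
"""Toy generic unpacking: static pattern matching vs. stub emulation.

Constructed instruction set (not a real architecture):
  0x00         NOP
  0x10 imm8    MOV r0, imm   (decryption key)
  0x11 imm8    MOV r1, imm   (pointer into the packed payload)
  0x12 imm8    MOV r2, imm   (remaining byte count)
  0x20         XOR [r1], r0
  0x21         INC r1
  0x22         DEC r2
  0x30 addr8   JNZ r2, addr  (loop back while bytes remain)
  0x40 addr8   JMP addr      (transfer to the original entry point)
"""
from typing import Optional, Tuple

NOP, MOV_R0, MOV_R1, MOV_R2, XOR_MEM, INC_R1, DEC_R2, JNZ, JMP = (
    0x00, 0x10, 0x11, 0x12, 0x20, 0x21, 0x22, 0x30, 0x40)
STUB_AREA = 32  # constructed layout: stub lives in the first 32 bytes, payload follows


def build_stub(key: int, payload_off: int, payload_len: int, leading_nops: int = 0) -> bytes:
    """Emit a decryption stub; leading_nops models the 'added instructions' trick."""
    stub = bytearray([NOP] * leading_nops)
    stub += bytes([MOV_R0, key, MOV_R1, payload_off, MOV_R2, payload_len])
    loop_start = len(stub)
    stub += bytes([XOR_MEM, INC_R1, DEC_R2, JNZ, loop_start, JMP, payload_off])
    return bytes(stub)


def build_image(payload: bytes, key: int, leading_nops: int = 0) -> bytes:
    """Constructed packed image: stub at offset 0, XOR-encrypted payload at STUB_AREA."""
    stub = build_stub(key, STUB_AREA, len(payload), leading_nops)
    if len(stub) > STUB_AREA or len(payload) > 0xFF - STUB_AREA:
        raise ValueError("stub or payload too large for the toy layout")
    image = bytearray(STUB_AREA)  # zero filled; unused bytes are NOPs
    image[:len(stub)] = stub
    image += bytes(b ^ key for b in payload)
    return bytes(image)


def static_unpack(image: bytes) -> Optional[bytes]:
    """Pattern-based unpacker: expects the reference stub at fixed offsets."""
    expected = {0: MOV_R0, 2: MOV_R1, 4: MOV_R2, 6: XOR_MEM,
                7: INC_R1, 8: DEC_R2, 9: JNZ, 11: JMP}
    if any(image[pos] != op for pos, op in expected.items()):
        return None  # one inserted NOP shifts every offset and breaks the match
    key, off, length = image[1], image[3], image[5]
    return bytes(b ^ key for b in image[off:off + length])


def emulate_unpack(image: bytes, max_steps: int = 10_000) -> Tuple[int, bytes]:
    """Run the stub until it jumps to the original entry point (OEP).

    Returns (oep, memory_after_unpacking). The step budget bounds the cost of
    a stub that loops forever, which a real engine must also guard against.
    """
    mem = bytearray(image)
    r0 = r1 = r2 = 0
    pc = 0
    for _ in range(max_steps):
        op = mem[pc]
        if op == NOP:
            pc += 1
        elif op == MOV_R0:
            r0, pc = mem[pc + 1], pc + 2
        elif op == MOV_R1:
            r1, pc = mem[pc + 1], pc + 2
        elif op == MOV_R2:
            r2, pc = mem[pc + 1], pc + 2
        elif op == XOR_MEM:
            mem[r1] ^= r0
            pc += 1
        elif op == INC_R1:
            r1, pc = (r1 + 1) & 0xFF, pc + 1
        elif op == DEC_R2:
            r2, pc = (r2 - 1) & 0xFF, pc + 1
        elif op == JNZ:
            pc = mem[pc + 1] if r2 != 0 else pc + 2
        elif op == JMP:
            return mem[pc + 1], bytes(mem)  # control leaves the stub: dump here
        else:
            raise ValueError(f"unknown opcode {op:#04x} at pc={pc}")
    raise RuntimeError("step budget exhausted: possible anti-emulation loop")


def generic_unpack(image: bytes) -> bytes:
    """Emulate the stub and return the bytes at the recovered entry point."""
    oep, mem = emulate_unpack(image)
    return bytes(mem[oep:])


if __name__ == "__main__":
    payload = b"MZ original code"  # constructed sample payload
    for nops in (0, 1):
        image = build_image(payload, key=0x5A, leading_nops=nops)
        print(f"leading NOPs={nops}: static={static_unpack(image)!r} "
              f"generic={generic_unpack(image)!r}")
```

With no leading NOP both unpackers recover the payload; with a single NOP prepended the static unpacker returns None while the emulator still reaches the jump to offset 32 and dumps the decrypted bytes, because it never relied on where the stub's instructions sit.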
