Standards and policies on packer use

Samir Mody Sophos
Igor Muttik McAfee
Peter Ferrie Microsoft

  download slides (PDF)

Packers, whether third-party or bespoke, are still widely used by malware authors in an attempt to evade detection. Conficker, FakeAV, Bredolab and TDSS are but a few examples of malware which make extensive use of packing technology.

The wide variety of packers used for both legitimate and malicious purposes pose a challenge for the anti-virus industry. The anti-virus community has decided, within the framework of the Malware Working Group within the Industry Connections Working Group, to address the issue of packers with a common voice.

One of the fruits of the collaborative sessions involving representatives from across the anti-virus industry is a document describing various packer properties and standards for their use. This document is meant to provide a yardstick for the formulation of policy on how to treat different packers and a potential set of best practice guidelines for packer vendors.

It is hoped that the guidelines can be used to improve end-user security through the concerted efforts of the anti-virus industry when dealing with packers, and via cooperation and information exchange with packer vendors. Thus, it is expected to facilitate a more robust approach to the generic static flagging of suspicious packed files for the benefit of all (apart from the malware authors, of course).

VB Conferences

VB2016 (Denver)

VB2015 (Prague)

VB2014 (Seattle)

VB2013 (Berlin)

VB2012 (Dallas)

VB2011 (Barcelona)

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘My first visit to the VB conference. Totally impressed by content, organisation, delegates and venue.’

Jobs Career Sidebar