Fight against the anonymous: a deep look at the custom packer presented at Virus Bulletin 2008

by Xiaodong Tan (Websense)

Tags: Security


Summary: "More and more custom packers are in the wild nowadays. Custom packers are always the favourite of the most prevalent malware: the server-side polymorphic worms, online game password stealers and other troublesome stuff. We have seen a lot of notorious custom packers during recent years: Tibs, Klone, CPEX, etc. But in fact, there are more custom packers whose names we don't even know.

Compared to ordinary, publicly released packers, custom packers are usually more mysterious and sophisticated, incorporating several anti-debug and anti-emulation tricks as well as the ability to change their shape rapidly. Consequently, custom packers bring much trouble to the anti-virus engine. For example, malicious programs disguised by such packers are more difficult to unpack or detect. Another significant problem is that custom packers may bring redundant signatures to the engine if the engine cannot handle such threats smartly enough.

In this paper, I will mainly demonstrate the following two aspects of this topic:

1. Technical features of custom packers.
2. How to deal with custom packers: the detection methods and the solution for such threats."