Runtime Packers: The Hidden Problem? presented at BlackhatUSA 2006

by Maik Morgenstern, Tom Brosch,

Summary : Runtime packers are a widely-used technique in malware today. Virtually every Win32 malware added to the WildList as well as ad- and spyware is packed with one or another runtime packer. Not only can they turn older malware into new threats again, but they might also prevent AV vendors from using more generic approaches and therefore requiring more work, which possibly generates more errors or broken updates, unless the product is able to handle all the different runtime packers out there.
Yet, there aren't any comprehensive tests of runtime packer capabilities in AV products so far. We use a testset of more than 3000 runtime-packed files (with different packers, versions, compression options) to determine how well-equipped today's AV software is in dealing with these types of threats. In this presentation, we'll not only discuss the aspects of handling and detecting runtime packed malware, but also have a look into other problems that come along. These include false positives, crashes and the very slow scanning speeds seen in way too many products. Lastly, we will give an overview of the current situation, try to specify reasons for the results we got and show what should and could be done in the future.