IEEE Software Taggant System presented at Black Hat USA 2011

by Igor Muttik, Mark Kennedy,


Summary: Packed files are a huge problem in the software security world. Many attackers use packers to create polymorphic code to defeat anti-malware signature systems. The Software Taggant System is designed to address this. In the physical world, a taggant is a physical marker added to explosives at manufacturing so that, either before or after an explosion, the manufacturer can be determined. In the software world, the taggant allows security vendors to determine which packer license key was used to create a given packed file. The taggant is cryptographically secure, so it cannot be spoofed. When a malware author creates a malicious file and packs it, the taggant is added. This way security vendors can blacklist particular license keys while allowing other, good files carrying non-blacklisted keys to run. Any attempt to spoof the system is easily identified, and those files are blocked. This system is the result of an unprecedented cooperation between the software security vendors and the software packer providers.
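The verification flow the summary describes, as an added, stand-alone model written for this page and not code from the talk or from the IEEE taggant implementation: a root authority signs a certificate that binds a packer license ID to a license public key, the packer signs the hash of each packed file with that license key and embeds the result, and a scanner checks the chain against the root key before consulting a license blacklist. The record layout, the license ID, the payload and the verdict names are all constructed for illustration; the real taggant format and its PKI details are not shown on this page and differ from this sketch.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Verdict is the outcome a scanner assigns to a packed file after checking its taggant.
type Verdict string

const (
	Trusted     Verdict = "trusted"     // valid taggant, license not blacklisted
	Blacklisted Verdict = "blacklisted" // valid taggant, but the license key is blocked
	Spoofed     Verdict = "spoofed"     // signature chain does not verify against the root
	Tampered    Verdict = "tampered"    // signatures verify, but the file no longer matches the hash
)

// LicenseCert binds a packer license ID to a license public key (hypothetical layout,
// not the IEEE format). RootSig is the root's ECDSA signature over certDigest(...).
type LicenseCert struct {
	LicenseID string
	PubKey    []byte // PKIX-encoded ECDSA public key
	RootSig   []byte
}

// Taggant is the marker a packer embeds in each file it produces.
type Taggant struct {
	Cert     LicenseCert
	FileHash []byte // SHA-256 of the packed payload
	Sig      []byte // license key's signature over FileHash
}

// certDigest hashes the fields the root vouches for; the length prefix keeps
// "ab"+"c" and "a"+"bc" from producing the same digest.
func certDigest(id string, pub []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s", len(id), id)
	h.Write(pub)
	return h.Sum(nil)
}

// IssueLicense plays the root authority: it mints a license key pair for a packer
// customer and signs the certificate binding the ID to the public key.
func IssueLicense(root *ecdsa.PrivateKey, id string) (*ecdsa.PrivateKey, LicenseCert, error) {
	lic, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, LicenseCert{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&lic.PublicKey)
	if err != nil {
		return nil, LicenseCert{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, root, certDigest(id, pub))
	if err != nil {
		return nil, LicenseCert{}, err
	}
	return lic, LicenseCert{LicenseID: id, PubKey: pub, RootSig: sig}, nil
}

// AttachTaggant plays the packer: it hashes the packed payload, signs the hash with
// the license key, and bundles the certificate so a scanner can verify offline.
func AttachTaggant(lic *ecdsa.PrivateKey, cert LicenseCert, payload []byte) (Taggant, error) {
	sum := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, lic, sum[:])
	if err != nil {
		return Taggant{}, err
	}
	return Taggant{Cert: cert, FileHash: sum[:], Sig: sig}, nil
}

// VerifyTaggant plays the security vendor's scanner. Only rootPub and the blacklist
// are trusted inputs; every field of the taggant is treated as attacker-controlled.
func VerifyTaggant(rootPub *ecdsa.PublicKey, tag Taggant, payload []byte, blacklist map[string]bool) Verdict {
	// 1. The certificate must chain to the root, or the license is fabricated.
	if !ecdsa.VerifyASN1(rootPub, certDigest(tag.Cert.LicenseID, tag.Cert.PubKey), tag.Cert.RootSig) {
		return Spoofed
	}
	parsed, err := x509.ParsePKIXPublicKey(tag.Cert.PubKey)
	licPub, ok := parsed.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return Spoofed
	}
	// 2. The taggant signature must come from the key the root vouched for.
	if !ecdsa.VerifyASN1(licPub, tag.FileHash, tag.Sig) {
		return Spoofed
	}
	// 3. The signed hash must match the file actually being scanned.
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], tag.FileHash) {
		return Tampered
	}
	// 4. Only now the policy decision: is this license key blocked?
	if blacklist[tag.Cert.LicenseID] {
		return Blacklisted
	}
	return Trusted
}

func main() {
	root, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo ignores key-gen errors
	lic, cert, _ := IssueLicense(root, "PACKER-A-0001")      // constructed license ID
	payload := []byte("constructed packed payload")
	tag, _ := AttachTaggant(lic, cert, payload)
	fmt.Println(VerifyTaggant(&root.PublicKey, tag, payload, nil))
	fmt.Println(VerifyTaggant(&root.PublicKey, tag, payload, map[string]bool{"PACKER-A-0001": true}))
	fmt.Println(VerifyTaggant(&root.PublicKey, tag, []byte("altered"), nil))
}
```

The order of checks matters: the blacklist is consulted only after both signatures and the hash verify, so a file carrying a forged or borrowed taggant is rejected as spoofed rather than being judged by whichever license ID it claims, which is the property that lets vendors block by key without trusting anything the packed file says about itself.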