Research offers software salvation from AV friendly-fire

Powered by SC Magazine

Yet it is too underdeveloped to replace existing malware analysis.

In the war on malware, legitimate software can be caught in the crossfire. But a Melbourne researcher is developing a method that could reduce the incidence of anti-virus false positives.

Silvio Cesare has developed a method, Automated Static Unpacking Using Speculative Decompression, which serves as an alternative means to unwrap the obfuscation tricks coders use to hide malware.

Before malware can be identified, anti-virus vendors must detect and unravel the so-called packing techniques used to conceal malicious code.

But malware writers lace their packers with countermeasures that stop anti-virus engines from running the packed sample in an emulated sandbox, the unpacking approach most products rely on.

Cesare said anti-virus systems unable to bypass the counter-measures would mark all unknown packed code as malicious, meaning legitimate software could be purged.

“Sometimes legitimate commercial software is packed which means without analysis of the hidden code anti-virus would incorrectly label it as malicious,” Cesare wrote.

“Unpacking code can be a challenging problem and non-traditional packing techniques such as instruction virtualisation are quickly becoming more and more used by malware authors.”

Cesare's method was an alternative that jettisoned the need to unpack malware in emulated environments.

Static unpacking aimed to identify malware in its packed state by utilising packing algorithms, which eliminated the need to unpack malware in a virtual or sandbox environment.

Because the sample is never executed, it was immune to anti-emulation countermeasures.

“Our system can easily unpack these types of malware.”

The system could determine the type of packing used on a given malware sample with entropy analysis and packer classification.
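The two stages named above, entropy analysis to spot packed sections and static "speculative" decompression to recover their contents without executing anything, sketched as an added Python example. This is not Cesare's code or tool; the 7.0 bits-per-byte threshold, the set of decompressors tried and the sample sections are all assumptions constructed for the demonstration.

```python
import bz2
import lzma
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def speculative_unpack(data: bytes):
    """Statically try known decompression formats on the raw bytes and return the
    recovered payload, or None if none of them recognises the data. Nothing is run,
    so anti-emulation tricks inside the sample never get a chance to fire.
    Assumed set of formats: zlib, gzip, bzip2, xz/lzma (a real tool would try many packers)."""
    attempts = (
        lambda d: zlib.decompress(d, zlib.MAX_WBITS),       # zlib-wrapped deflate
        lambda d: zlib.decompress(d, 16 + zlib.MAX_WBITS),  # gzip-wrapped deflate
        bz2.decompress,
        lzma.decompress,
    )
    for attempt in attempts:
        try:
            return attempt(data)
        except (zlib.error, OSError, lzma.LZMAError):
            continue
    return None

def triage_sections(sections: dict, threshold: float = 7.0) -> dict:
    """Per section: entropy first, then speculative decompression only for high-entropy data.
    Returns {name: (entropy, verdict, recovered_payload_or_None)}.
    The 7.0 bits/byte threshold is an assumed triage value, not one from the article."""
    report = {}
    for name, data in sections.items():
        h = shannon_entropy(data)
        if h < threshold:
            report[name] = (h, "plain", None)
            continue
        payload = speculative_unpack(data)
        verdict = "packed (recovered)" if payload is not None else "packed (unknown packer)"
        report[name] = (h, verdict, payload)
    return report

# Constructed sample sections (not a real binary): readable text, the same text
# deflate-packed, and pseudo-random bytes standing in for an unrecognised packer.
_rng = random.Random(1)
_WORDS = [bytes(_rng.choice(b"abcdefghijklmnopqrstuvwxyz") for _ in range(5)) for _ in range(64)]
PLAIN = b" ".join(_rng.choice(_WORDS) for _ in range(4000))
PACKED = zlib.compress(PLAIN, 9)
UNKNOWN = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_SECTIONS = {".text": PLAIN, ".packed": PACKED, ".rsrc": UNKNOWN}
```

Run as a script it reports each section's entropy and verdict; the `.rsrc` case is the one the article's closing quote is about, high entropy that no known packer explains, which a cautious engine can only flag.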

While the Melbourne security researcher had dropped further development of the system, he may build it into a new online analysis tool.

Cesare said the free tool would compare malware samples to reveal the heritage of code, and determine if it was plagiarised or borrowed.

“This can allow you to detect malware variants, or to detect if a sample belongs to a known malware author's work,” he said.

The malware binaries would be unpacked using the Reboot emulator Cesare created during his Master's degree at Central Queensland University in 2008.

Cesare said the static unpacking system was promising but too underdeveloped to best existing methods.

“It seems that the only safe solution for anti-virus is to perform packer detection and flag all such occurrences as potential malware. For legitimate software, white listing and co-ordination with anti-virus vendors may be the only secure way forward.”

Copyright © SC Magazine, Australia
