We know for sure that cyber-criminals use private tools to check AV detection before releasing new malware into the wild, making sure it goes undetected by AV signatures at the time of release. As AV companies identify new packers and become able to inspect inside them (or simply identify the malicious packer itself), the bad guys move on to packers that are not yet detected by most AV engines.
This has transformed the packer world significantly. The "big name packers" are used by malware less and less. By contrast, new packer types are surging which have two main characteristics: (a) they are not widely used, in order to stay below the radar, and (b) they use obfuscation or anti-debugging techniques.
What we're seeing is that:
- Increasingly, malware families use their own 'customized' or 'private' packers, which are not recognized by most AV engines.
- There's a large variety of packers, each with its own little variations, each used by a reduced number of malware variants.
The strategy these criminals are following is to quickly develop customized variants of packers and use each one in very few samples. By the time the AV companies identify the samples and add the unpacking routine to their engines, the criminals already have a new batch of packing variations in store, which is being applied to the next batch of samples.
As an exercise we've analyzed all the samples Panda has seen in the wild (actively infecting two or more different sites) from August 2007 to March 2008 and looked at the 'big name packers' used by these:
It's interesting to see how the 'big name packers' such as UPX, PECompact, Themida, PEtite and NSPack are dropping in use, while smaller packers such as nPack, PolyEnE and EXECryptor have increased significantly.
But what's most interesting is what is not seen in the above summary chart, and that is the 'customized' or 'private' packers. We know for a fact that approximately 90% of malware uses some sort of packing or obfuscation technique, and the proportion of private, non-'big name' packers within that is increasing rapidly.
Could this be the start of the long tail of packers?
But when we try to analyze the true reasons behind this evolution in packer use, that's when it starts getting really interesting. Other than the obvious reason, which is that the bad guys are trying to make our jobs harder at the lab, how come they started creating customized and private packer versions on such a regular basis?
As this is a cat and mouse game, the mouse's next move is directly determined by the cat's strategy for catching it. Applying this to the packer/malware world, there are two main events in the AV industry which I believe have driven malware authors into the 'packer craze':
- The addition of many unpacking routines to AV engines as new packers emerged.
- Starting to detect malware based on its packing properties without unpacking it (multi-packed files, packers used exclusively for malicious purposes, etc.).
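As an added illustration of the second point (example code written for this edit, not Panda's or any other vendor's engine), the script below reads the PE section table and flags packing properties without unpacking anything: section names left behind by known packers, sections that are empty on disk but large in memory, writable code sections, and section data whose entropy looks compressed or encrypted. The section-name table, the 7.0 bits/byte entropy threshold and the three in-memory PE images are constructed assumptions for illustration, not a real signature set or real samples. The third image carries no tell-tale packer name at all, which is the 'private packer' case this post describes; only the structural and entropy heuristics catch it.

```python
"""Packing-property heuristics for PE files, applied without unpacking.

Added example, not Panda's code. The section-name table, the entropy
threshold and the in-memory PE images are assumptions built for illustration.
"""
import hashlib
import math
import struct
from typing import List, Tuple

# Assumed/illustrative: section names left behind by some well-known packers.
KNOWN_PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX",
    b".petite": "PEtite",
    b".Themida": "Themida",
    b".nsp0": "NSPack", b".nsp1": "NSPack", b".nsp2": "NSPack",
    b"PEC2": "PECompact", b"pec1": "PECompact",
}
ENTROPY_THRESHOLD = 7.0   # assumed: bits/byte above which data looks compressed or encrypted
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Tuple[bytes, int, int, int, bytes]]:
    """DOS header -> PE signature -> COFF header -> section table.

    Returns (name, VirtualSize, SizeOfRawData, Characteristics, raw bytes) per section.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size      # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name.rstrip(b"\0"), vsize, rsize, chars, image[rptr:rptr + rsize]))
    return sections


def packing_indicators(image: bytes) -> List[str]:
    """Static packing indicators; an empty list means nothing suspicious was found."""
    found = []
    for name, vsize, rsize, chars, raw in parse_sections(image):
        label = name.decode("ascii", errors="replace")
        if name in KNOWN_PACKER_SECTIONS:
            found.append("packer-section:" + KNOWN_PACKER_SECTIONS[name])
        if rsize == 0 and vsize > 0:      # space reserved for the unpacked image at runtime
            found.append("empty-on-disk:" + label)
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            found.append("writable-code:" + label)   # code that rewrites itself
        if rsize >= 256 and shannon_entropy(raw) > ENTROPY_THRESHOLD:
            found.append("high-entropy:" + label)    # compressed/encrypted payload
    return found


def build_pe(sections) -> bytes:
    """Minimal PE32 image from (name, VirtualSize, raw bytes, Characteristics).

    Only the headers the heuristics read are filled in: a test fixture, not a loadable binary.
    """
    opt_size = 224
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    img = bytearray(0x40)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    img += b"\0" * opt_size
    body, raw_ptr, vaddr = bytearray(), hdr_end, 0x1000
    for name, vsize, raw, chars in sections:
        img += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                           len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
        vaddr += max(vsize, len(raw), 0x1000)
    return bytes(img + body)


# Constructed fixtures (not real malware): a plain program, a UPX-style layout,
# and a "private packer" layout that avoids tell-tale section names entirely.
LOW_ENTROPY = b"A harmless program that prints a greeting and exits.\n" * 20
HIGH_ENTROPY = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = RW | IMAGE_SCN_MEM_EXECUTE
UNPACKED = build_pe([(b".text", 0x1000, LOW_ENTROPY, RX), (b".data", 0x1000, b"\0" * 512, RW)])
UPX_LIKE = build_pe([(b"UPX0", 0x8000, b"", RWX), (b"UPX1", 0x2000, HIGH_ENTROPY, RWX),
                     (b".rsrc", 0x1000, b"\0" * 512, RW)])
PRIVATE_PACKED = build_pe([(b".text", 0x8000, b"", RWX), (b".data", 0x2000, HIGH_ENTROPY, RW)])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("upx-like", UPX_LIKE), ("private", PRIVATE_PACKED)):
        print(label, packing_indicators(img))
```

Run it and the unpacked image produces no indicators, the UPX-style image is named by its section names alone, and the private-packer image is flagged only by the empty-on-disk, writable-code and high-entropy checks. That last case is why name-based packer identification stops working once authors rename sections, and why the structural and entropy properties matter; they are also what a packer author will try to normalise next, which is the cat-and-mouse dynamic the post is about.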
Now, I'm not saying the above actions are wrong. They were necessary at the time in order to properly protect customers, and they continue to be necessary today if we want to keep pace.
I remember a conversation with my colleague Mark from Symantec last year where we talked about precisely this issue. If we start detecting all packers proactively, what will the bad guys do next? I guess we're about to see, as the packer problem has completely blown out of proportion.