Casey Sheehan, who runs our core antimalware team (the group that is developing our next-generation antimalware engine here at Sunbelt), had an interesting presentation at VirusBulletin in Vienna, entitled “Pimp my PE: taming malicious and malformed executables” (PE is the file format used for programs, DLLs, etc. in Windows). PE files have a specific, documented structure. Malware authors often perform deliberate malformations to confuse antivirus engines. This paper deals with that challenge:
A foundational requirement in the security world is the capability to robustly parse and analyze Windows Portable Executable files. Coping with the full spectrum of PEs found in the wild is, in fact, quite challenging. While white files are typically well structured, malicious files can be quite difficult to analyze, often due to deliberate malformations intended to stymie static analysis. In this paper we will survey and attempt to classify some common and interesting malformations we have studied in our work at Sunbelt Software. We will analyze PE structural information, discuss the PE specification, and highlight specific hurdles we have overcome in the course of developing a parsing facility capable of dealing reliably with the full range of images found in the wild, especially malware. We will also cover specific problems we faced along the way, examine structural heuristics we’ve developed in the course of classifying common malformations, and include a discussion of some interesting tools and techniques we’ve developed.
The subject matter is highly technical, but for those interested, I’ve posted the following files:
Referenced program, PeSweep.exe, here (270,336 bytes; MD5 283668a022766c1505debd540d7dae91)
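As an added illustration of the robust-parsing problem the abstract describes (example code written for this post, not code from Casey's paper or from PeSweep): a small Python parser that locates the DOS header, NT signature and section table, and, instead of rejecting header fields that disagree with the file's actual size, records each inconsistency as an anomaly and keeps going, so a malformed sample still yields structural information. The in-memory sample images, the anomaly names and the section-count cap of 96 are constructed for this example; the paper's own classification of malformations is not reproduced here.

```python
import struct

# Layout constants from the Microsoft PE/COFF specification.
DOS_MAGIC = b"MZ"
NT_SIGNATURE = b"PE\0\0"
FILE_HEADER_FMT = "<HHIIIHH"                          # Machine .. Characteristics
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)   # 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"                          # IMAGE_SECTION_HEADER
SECTION_HEADER_SIZE = struct.calcsize(SECTION_FMT)    # 40 bytes
MAX_PLAUSIBLE_SECTIONS = 96   # heuristic cap chosen for this example, not a spec value


class PeParseError(ValueError):
    """The image is unusable: no DOS header, or no NT signature where e_lfanew points."""


def parse_pe(data: bytes) -> dict:
    """Parse DOS header, COFF file header, optional-header magic and section table.

    Fields that are inconsistent with the file's real size are tolerated and
    reported in the returned 'anomalies' list rather than aborting the parse.
    """
    anomalies = []
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise PeParseError("missing or truncated DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The NT signature and the COFF file header behind it must fit in the file.
    if e_lfanew + len(NT_SIGNATURE) + FILE_HEADER_SIZE > len(data):
        raise PeParseError(f"e_lfanew 0x{e_lfanew:x} points past end of file")
    if data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise PeParseError("NT signature not found at e_lfanew")
    if e_lfanew < 0x40:
        anomalies.append("nt_headers_overlap_dos_header")   # legal but unusual layout
    fh_off = e_lfanew + 4
    machine, nsect, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    opt_off = fh_off + FILE_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 and opt_off + 2 <= len(data) else None
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        anomalies.append("optional_header_magic_unknown")
    if nsect > MAX_PLAUSIBLE_SECTIONS:
        anomalies.append("section_count_implausible")
    sections = []
    sec_off = opt_off + opt_size
    for i in range(min(nsect, MAX_PLAUSIBLE_SECTIONS)):
        off = sec_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            anomalies.append("section_table_truncated")    # header claims more entries than the file holds
            break
        name, _vsize, va, rawsize, rawptr, *_rest = struct.unpack_from(SECTION_FMT, data, off)
        sname = name.rstrip(b"\0").decode("ascii", "replace")
        if rawsize and rawptr + rawsize > len(data):
            anomalies.append(f"raw_data_beyond_eof:{sname}")   # raw data range runs off the end of the file
        sections.append({"name": sname, "virtual_address": va, "raw_ptr": rawptr, "raw_size": rawsize})
    return {"machine": machine, "num_sections": nsect, "magic": magic,
            "sections": sections, "anomalies": anomalies}


def triage(data: bytes) -> list:
    """Anomaly list for an image, or a single 'unparseable:' entry if headers cannot be located."""
    try:
        return parse_pe(data)["anomalies"]
    except PeParseError as exc:
        return [f"unparseable:{exc}"]


def build_sample(sections, claimed_sections=None, total_size=0x400) -> bytes:
    """Assemble a minimal PE32 image in memory: constructed test data for this example,
    not a real program, never written to disk or executed."""
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")       # PE32 magic, remaining fields zeroed
    nsect = len(sections) if claimed_sections is None else claimed_sections
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, nsect, 0, 0, 0, len(opt), 0x0102)
    img = bytearray(DOS_MAGIC.ljust(0x40, b"\0"))
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew -> right after the DOS header
    img += NT_SIGNATURE + file_hdr + opt
    for name, rawptr, rawsize in sections:
        img += struct.pack(SECTION_FMT, name, rawsize, 0x1000, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    return bytes(img.ljust(total_size, b"\0"))


def _with_lfanew(img: bytes, value: int) -> bytes:
    patched = bytearray(img)
    struct.pack_into("<I", patched, 0x3C, value)
    return bytes(patched)


# Constructed samples: one well-formed image and three deliberately inconsistent ones.
WELL_FORMED = build_sample([(b".text", 0x200, 0x200)])
OVERSIZED_SECTION = build_sample([(b".text", 0x200, 0x10000)])           # 64 KiB of raw data claimed in a 1 KiB file
TRUNCATED_TABLE = build_sample([(b".text", 0x200, 0x200)], claimed_sections=200)   # 200 entries claimed, one present
BAD_LFANEW = _with_lfanew(WELL_FORMED, 0x10000)                           # e_lfanew far past end of file

if __name__ == "__main__":
    for label, img in [("well-formed", WELL_FORMED), ("oversized section", OVERSIZED_SECTION),
                       ("truncated table", TRUNCATED_TABLE), ("bad e_lfanew", BAD_LFANEW)]:
        print(f"{label:18s} -> {triage(img)}")
```

The distinction the parser draws is the one that matters for an analysis engine: only a missing DOS header or an NT signature that cannot be located is fatal, while every other inconsistency is recorded and parsing continues, so the anomaly list itself becomes a structural heuristic rather than a reason to drop the sample.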