Virus Bulletin Conference: This week, the blog will be silent as I’m going with a bunch of other Sunbelters to the Virus Bulletin Conference in Vienna. If you happen to be there, drop by our booth and say hello.
One of our senior researchers, Casey Sheehan, will have a very interesting presentation, entitled “Pimp my PE: taming malicious and malformed executables” (PE is the file format used for programs, DLLs, etc. in Windows).
From the abstract:
A foundational requirement in the security world is the ability to robustly parse and analyse Windows Portable Executable files. Many malicious PEs currently found in the wild are actually quite difficult to analyse, due to packing and purposely malformed header structures…
This fast-paced, highly technical presentation will survey and attempt to classify some common and interesting malformations we have examined in our work at Sunbelt Software. We will analyse PE structural information and demonstrate how tolerant the Windows loader is to fuzzing this data. We will discuss the PE specification and highlight specific hurdles we have overcome in the course of developing a parsing framework capable of dealing reliably with modern malware…
Casey is one of our most senior developers and is responsible for the development of our VIPRE engine, and his insights are quite interesting for those involved in reverse engineering malware.
Incidentally, Alex Shipp, who was part of the team that helped me on the Julie Amero case, will also be presenting some of his thoughts on the case.
AVAR (Association of anti Virus Asia Researchers): We will also have a presence at AVAR 2007, where Chandra Prakash (who is in the process of finishing up our next-generation anti-rootkit technology for release this fall), will be presenting a paper on “Design of X86 Emulator for Generic Unpacking” (faithful readers will recall that Chandra presented a paper at AVAR last year as well).
While the title of the paper sounds rather dry, the subject of generic unpacking is a fairly interesting one to antivirus researchers. To oversimplify, here’s why: Since the vast majority of malware is “packed” (compressed) using tools such as FSG or UPX, antivirus engines need to unpack them to see if what’s inside is bad. Many antivirus engines perform “static” unpacking, where an antivirus researcher writes a separate signature for each piece of malware that’s packed. This is obviously time consuming and has disadvantages in detecting new variants (it’s easy to fool a static unpacker). The solution that’s come about is to implement generic unpacking, which runs the malware inside of an emulator, thus allowing easier detection by the engine.
At any rate, if you’re at either conference, feel free to say hello. It’s easy to spot us: we’re the ones causing all kinds of trouble.
Alex Eckelberry