Simulating the environment to prevent packers from being unpacked

Dissertation for Master Degree (M.Sc)

Field: Computer Engineering Major: Software

Abstract

The usual way to deal with packers includes the following steps:

1.  Identify a packer. To identify a packer, it must be assigned to a packer group. Doing this is not as easy as it seems. There are many packers whose code is static, and which can be identified using simple strings. But many packers use polymorphic code to change their appearance, and some packers deliberately use fake strings from other packers or standard compiler code, to fool the detection program.

2. Identify a packer. This stage is beyond identification. To identify a packer, you must classify it into an existing version or assign it to a new version. The ability to identify a packer is essential for successful unpacking, because there may be enough different members in a group that an unpacker specific to one group member cannot be used for another member of the same group.

3. Create an identifier program. The previous two steps were usually performed by a human, or by programs such as neural network programs trained in conjunction with packers assigned to known groups. This step, in contrast, is to write a program whose function is only to identify that group, and possibly that particular member.

4. Create an unlock app. Unlike the detection program, whose purpose is only to identify the packer, the unpacker program actually performs the actions of the corresponding photo packer, and recovers the packed binary as much as possible in its original form, including its metadata such as the PE header for Win32 binaries.

In this research, based on a new idea, we want to be able to prevent packers from being packed without the presence of debuggers without using the usual methods mentioned. to invent In this case, with the help of identifying the types of footprints that a debugger leaves in the environment where it is present, we can prevent packages from opening by changing the environment to show the signs of the presence of malware.

Introduction

An increasing percentage of malware programs that are released uncontrollably are packed by packers. Packers are programs that change the form of an input binary without changing its executable meaning to create new types of malware that can evade signature-based malware detection tools.

Today, malware authors rely more on packers than directly obfuscating malware code. Packers are programs that change the form of an executable binary into another form so that it can escape signature-based antivirus scanners by shrinking or looking different from its original form. In many cases, malware authors frequently use different combinations of multiple packers for the same malware to quickly create a large number of binaries of various forms for uncontrolled release. The fact that more and more binaries are packed seriously reduces the effectiveness of signature-based antivirus scanners; It also leads to an exponential increase in the size of the anti-virus signature, because when the anti-virus program cannot effectively unpack a packaged threat, it has no choice but to create a separate signature for that threat. Gunacon companies report different numbers, but it is generally accepted that more than 80% of malware is packaged. These malware samples are often "packaged" rather than packed, as many packers modify the original form of the input binaries in a way that does not necessarily involve compression.

The first computer viruses appeared in the early 80s and were mostly simple self-replicating files created for fun and laughs. In 1986, the report of the first virus that targeted Microsoft's MS-DOS operating system on personal computers was published.In fact, the Brain virus is known as the first virus of this type. Also, in early 1986, we saw the first file virus named Virdem and the first Trojan (a program that looks useful or harmless but is actually designed to steal information or damage the host computer) named PC-Write. The mentioned Trojan had positioned itself as a popular Word Processor application. As more people became aware of virus technology, the number of viruses, the number of target platforms [1] for attacks, the complexity of viruses and their diversity increased. In a period of time, viruses focused on boot sectors[2] and after that they started infecting executable files. In 1988, the first Internet worm (a type of malware that uses malicious code to automatically spread from one computer to another over a network) appeared. The Morris worm has led to significant slowdowns in Internet communications, and in response to this attack and a number of similar attacks, the Computer Incident Response Group was established to maintain Internet stability through coordinated incident response. The mentioned group is supported by Carnegie Mellon University, USA. It was launched in 1990 as a place for virus writers to exchange and share their knowledge. The first book on writing viruses was also published, and the first polymorphic virus (commonly referred to as chameleon or Cas, r portable executable file) was developed. A polymorphic virus is a type of malware that uses an unlimited number of cryptographic algorithms to counter detection. Polymorphic viruses have the ability to change themselves every time they replicate. This ability hides them from signature-based antivirus programs designed to detect viruses. In this way, in the early 90s, the news of the first multiform virus attack called Tequila was published, and then in 1992, the first multiform virus engine and virus writing tool emerged. After that, the viruses became more perfect day by day. Some viruses started accessing the email address book and sending themselves to those addresses; Macro viruses attach themselves to the files of applications such as Office and attack them; and viruses written specifically to exploit vulnerabilities in operating systems and applications. Emails, file sharing (P2P) networks, websites, shared drives, and product vulnerabilities are all exploited to spread and attack viruses. (infiltration paths or serial network entry points created by malware) were created on infected systems to open the way for virus writers and hackers to return to run arbitrary software. In this article, we mean a hacker is a computer programmer or its user who intends to access a computer or network illegally. Some viruses have a built-in email engine that forces the infected computer to spread the virus directly by sending an email. Virus writers have also begun to carefully design their attack architectures using social engineering. Along with this evolution of malware, antiviruses have also evolved well. Currently, most of the anti-viruses in the market operate on the basis of virus signature, that is, identifying the characteristics of a malware to detect harmful codes. For this reason, in the time interval between the release of a new virus and the identification of its signature and its distribution among different antiviruses, a sudden growth in the rate of virus infection is observed. But as soon as its signature is detected, the process of infection will decrease.

1-2- Packaged malware [3]

Today, malware authors rely more on packaged instead of directly complexing the malware code. Packaged are programs that change the form of an executable binary into another form to evade signature-based anti-virus scanners by shrinking or looking different from its original form. In many cases, malware authors repeatedly use different combinations of multiple packages for the same malware to quickly create a large number of binaries of various forms for uncontrolled release.