Analyzing Packed Malware

Introduction

Malware is created with deception in mind. Malware authors want to go undetected in order to steal, alter or delete as much information as possible. 

Obfuscating malware is a way to keep the files associated with the malware from detection and easy analysis. Packing is a type of obfuscation technique.

Obfuscation

Obfuscation takes code and makes it unreadable without destroying its intended functionality. This technique is used to delay detection and/or to make reverse engineering difficult. Obfuscation does have legitimate purposes. It can be used to protect intellectual property or other sensitive code.

Packing 

Packing is a subset of obfuscation. A packer is a tool that modifies the formatting of code by compressing or encrypting the data. 

Though often used to delay the detection of malicious code, there is still legitimate use for packing. Legitimate uses include protecting intellectual property or other sensitive data from being copied.

A stub is a small portion of code that contains the decryption or decompression routine used to decrypt or decompress the packed file.

The packing process consists of:

  1. The original code is loaded into the packer tool and goes through the packing process to compress or encrypt the data.
  2. The original portable executable header (PE header, the header format used by Windows executable images and object files) and original code are compressed or encrypted and stored in the packed section of the new executable.
  3. The packed file consists of:
    1. New PE header
    2. Packed section(s)
    3. Decompression stub — used to unpack the code
  4. During the packing process, the original entry point is relocated/obfuscated in the packed section. This matters for anyone trying to analyze the code, because it makes identifying the import address table (IAT) and the original entry point difficult.
  5. The decompression stub is used to unpack the code upon delivery.
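To make the layout above concrete, here is an added Python example (not from the original post) that walks the PE headers of a constructed sample image and flags the traces the packing process leaves behind: an entry point outside .text (the stub, not the original entry point), a high-entropy section, a section far larger in memory than on disk (the unpack target), and a section that is both writable and executable. The header offsets follow the published PE format; the section names, thresholds and sample bytes are assumptions made for the example.

```python
import math
import struct
EXEC, WRITE = 0x20000000, 0x80000000                 # IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-6 for native code, close to 8 for compressed or encrypted data."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in (data.count(b) for b in set(data))) if data else 0.0
def parse_pe(pe: bytes):
    """Minimal PE32 header walk; returns (AddressOfEntryPoint, [section dicts]). Not a loader."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]                  # offset of the 'PE\0\0' signature
    assert pe[:2] == b"MZ" and pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    coff = e_lfanew + 4                                               # IMAGE_FILE_HEADER
    nsect, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    entry = struct.unpack_from("<I", pe, coff + 20 + 16)[0]           # OptionalHeader.AddressOfEntryPoint
    sections, first = [], coff + 20 + opt_size                        # first IMAGE_SECTION_HEADER
    for off in range(first, first + 40 * nsect, 40):                  # one 40-byte header per section
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]             # Characteristics
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, vaddr=vaddr,
                             rawsize=rawsize, chars=chars, data=pe[rawptr:rawptr + rawsize]))
    return entry, sections
def packing_indicators(pe: bytes) -> list:
    """Heuristics, not proof: legitimate protectors and unusual linkers trigger them too."""
    entry, sections = parse_pe(pe)
    hits = []
    for s in sections:
        ent = shannon_entropy(s["data"])
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]) and s["name"] != ".text":
            hits.append(f"entry point {entry:#x} is in {s['name']}, not .text (the stub, not the original EP)")
        if ent > 7.0:
            hits.append(f"{s['name']} entropy {ent:.2f} > 7.0 (compressed or encrypted data)")
        if s["vsize"] > 4 * s["rawsize"]:
            hits.append(f"{s['name']} virtual size {s['vsize']:#x} >> raw size {s['rawsize']:#x} (unpack target)")
        if s["chars"] & EXEC and s["chars"] & WRITE:
            hits.append(f"{s['name']} is writable and executable (stub writes code here)")
    return hits
def build_pe(entry: int, specs) -> bytes:  # constructed sample image: valid headers, but not loadable by Windows
    ptr, rva, hdrs, body = 312 + 40 * len(specs), 0x1000, b"", b""    # 312 = DOS hdr + PE sig + COFF + optional hdr
    for name, vsize, chars, data in specs:                            # specs: (name, VirtualSize, Characteristics, raw)
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, rva, len(data), ptr, 0, 0, 0, 0, chars)
        body, ptr, rva = body + data, ptr + len(data), rva + max(vsize, 0x1000)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry, 0x1000).ljust(0xE0, b"\0")
    return dos + b"PE\0\0" + coff + opt + hdrs + body
STUB = b"\x55\x89\xe5\x90\xc3\x31\xc0" * 100                          # constructed low-entropy stand-in for code
BLOB = bytes(range(256)) * 16                                          # constructed stand-in for packed data (entropy 8.0)
CLEAN = build_pe(0x1010, [(b".text", 0x400, 0x60000020, STUB), (b".data", 0x200, 0xC0000040, b"hello\0" * 50)])
PACKED = build_pe(0x21100, [(b".text", 0x20000, 0x60000020, b""),      # empty on disk, filled by the stub at run time
                            (b".packed", 0x1000, 0xE0000020, BLOB)])    # packed data plus stub; entry point lands here
```

Running `packing_indicators(CLEAN)` returns no indicators, while `packing_indicators(PACKED)` reports all four traits; on a real sample, swap the constructed images for the file's bytes.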

Some malware (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Tyra Appleby. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/_qrSGikj5tY/