Can you see me now? Unpacking malware for advanced threat analysis.

A recent McAfee blog ‘Malware Packers Use Tricks to Avoid Analysis, Detection’, highlighted the use of packers as an effective way to slow down analysis and decrease detection by antimalware products.

As an engineer with a keen interest in malware, I’m very familiar with packers and the conclusion from that blog that ‘manual analysis usually defeats .’ Manual analysis can take time. Something that seems to be in short supply as of late.  I’ve found a McAfee product – McAfee Advanced Threat Defense (ATD)- that takes care of the packing problem for me, saving lots time and a few headaches too.

Let me explain: First, what’s a packer?

A packer, is a tool that can be utilized to compress, encrypt, or modify the format of a file. By packing a file, malware authors can obfuscate the content and disrupt analysis by threat detection tools. This technique may also be referred as “executable compression.” Compression of the file reduces the footprint or size of the file and can be an effective method to avoid or reduce the chance of the malicious file being detected, allowing for successful delivery of a payload. While an effective method, forcing the re-execution of code through a memory dump provides a solution to detect even the most advanced threats. So how is this accomplished? McAfee ATD provides an answer to detecting the most advanced and obfuscated code in packed or unpacked files.

When a packed sample arrives at McAfee ATD for analysis, the sample is loaded into memory and the packer associated with the sample unpacks the code, de-obfuscating the code during execution. At this point, several advanced detection engines are engaged, including dynamic analysis (observation of execution) and static code analysis (where the code – not just the behavior it exhibited in the sandbox – is scrutinized for any malicious behavior). After the sample has finished execution, McAfee ATD assesses the memory dump and maps the code. As sections of code are analyzed, family classification is performed on the buffered code based on known malicious behavior. Once the assessment of behavioral characteristics of the code is completed, a determination on whether the file is clean or malicious yields a reputation verdict. Quick. Easy. Done.

As mentioned in the previous blog, a rather effective method for defeating a packer is to manually analyze the file. McAfee ATD can help with that as well.  McAfee ATD offers manual analysis capabilities with its interactive mode, or X-Mode. Manually uploading a file to a McAfee  ATD appliance and enabling the X-Mode feature will allow users to choose their specified analysis environment or virtual machine (VM) to initiate the execution of a file. As the file is uploaded through this route, a user may open a window to the active VM denotating the file to observe and interact with the malware. This provides a deep investigative and forensic capability for a malware analyst to understand the behavior of the executed code.

A packer can prove to be an effective way to reduce the speed of analysis and even avoid it all together. With packed files that could typically fly under the radar undetected by traditional sandbox solutions, McAfee ATD provides ways to overcome this advanced method of detection avoidance from malware authors.

Leave a Comment

five + 2 =