
Anti-emulation trends in modern packers: a survey on the evolution of anti-emulation techniques in UPA packers

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Writing modern-day executable packers has turned into a rather profitable business. In many cases, the reason for packing is not protecting genuine applications against piracy or plagiarism, but rather avoiding reverse-engineering and detection of malicious samples. Unlike developers, who show moderate interest in using a packer and lack the time and resources to create one, malware creators show a huge interest and are willing to spend large amounts of money to use this technology (especially if it offers protection against security solutions). This happens mainly because protecting against piracy and plagiarism isn’t as profitable as spreading new and undetected malware on as many computers as possible. Consequently, creating a custom packer designed to avoid malware detection has grown into a very profitable business.

However, developing a good packer is not an easy task. Novel techniques for achieving anti-static analysis, anti-virtual machine, anti-sandbox, anti-emulation, anti-debugging, anti-patching, and so on, have to be discovered and added regularly. From the malware creator’s perspective, this must happen frequently enough that updates are issued shortly after malware researchers analyze and bypass the existing mechanisms because, once these techniques are bypassed, the detection rate increases for the malware samples packed with the old version of the packer.

In this paper, we present our findings, which resulted from closely monitoring the fight between malware researchers and packer developers during a period of almost two years. We focus on three different packers used for prevalent malware families like Upatre, Gamarue, Hedsen. We named those packers UPA 1, UPA 2, and UPA 3, and we discuss the mechanisms used in them to achieve anti-emulation. Each technique is presented by listing the code and explaining the inner workings in detail. In the end, we manage to get a grasp of the current trends in achieving anti-emulation when developing modern packers.




Author information

Corresponding author

Correspondence to Doina Cosovan.


Cite this article

Liţă, C.V., Cosovan, D. & Gavriluţ, D. Anti-emulation trends in modern packers: a survey on the evolution of anti-emulation techniques in UPA packers. J Comput Virol Hack Tech 14, 107–126 (2018). https://doi.org/10.1007/s11416-017-0291-9

  • DOI: https://doi.org/10.1007/s11416-017-0291-9
