February 17, 2009
In This Issue
Tech Talk
News & Articles
- 10 tips to protect your company in a down economy
- Assessing Your Endpoint Security Needs
- eEye Retina OnDemand: Security Vulnerability Management
- View All Media Coverage
Reader Q&A
Announcements
- eEye Announces Industry First Appliance to Manage 200 Blink Security Agents
- eEye Adds Patent-Pending Protection For ActiveX Attacks
- eEye Digital Security Now Offering SQL Injection Protection For Microsoft IIS Servers
- View All Announcements
Etcetera
What is a self-extracting executable and why should I care?
Self-extracting executables (SFX) have a simple purpose: they pack an executable file inside another executable in order to avoid reverse engineering. In other words, a binary file becomes encrypted (by itself) so that its capabilities cannot be identified. A “packed” binary leaves nearly no signs of its intentions, and you would not be able to differentiate a benign binary from a malicious one if both are packed.
There is an incredible number of “packers” available (if you know where to look) for packing binaries. Some packers use simple obfuscation techniques (a simple XOR “encryption”), while others use complex methods (virtual command wrapping, etc.). Many packers also employ anti-debugging tactics in order to make dynamic reverse engineering more difficult. This makes it incredibly hard (but not impossible) to understand the true intention of an executable.
Packing is a useful technology for protecting your binaries from reverse engineering (eEye Research developed our own packer for eEye products). However, SFX techniques are most commonly seen with malicious binaries. Simply put, they are used by attackers to pack their payloads (malware) to evade anti-virus detection or reverse engineering. This is not ground-breaking news, and is far from a new tactic, but it is incredibly effective even against the latest anti-virus products (with all heuristic detection methods enabled).
As part of the eEye Preview Security Intelligence Service, our Preview customers drive many of our research projects. An inquiry came in asking about the effectiveness of SFX against anti-virus products. Of course, we were not expecting the greatest results, but we ran some very thorough tests using very common trojans (for which there is 100% signature coverage) and packed them using a sample of the most common packers. This is not a vendor-bashing session by any means, so the names of the vendors have been scrubbed in the following visual:

As you can see, even the most common trojans are not being detected very well once the most common packers have been applied to them. Is this a problem on the part of the AV industry? Perhaps. Packers need to be identified better than they currently are. However, this is a cat-and-mouse game that will continue to require a lot of attention from vendors.
Back to the “why should I care” part of the question. We are not here to spread FUD by any means, but end users and network protectors should understand that their anti-virus solution is most likely not being as proactive as it could be when it comes to identifying malicious binaries. This is changing (AV conferences are riddled with packer detection sessions), but as you might expect, you cannot rely solely on your anti-virus solution for malware protection. Keep thinking outside of the box on how to protect your network from malware outbreaks. Is it really necessary to allow incoming attachments via email? Should users really be allowed to download executables from internet sites? Are the internal hosts protected with a solid IPS?
The most important thing to remember is that the greatest amount of malware protection typically comes from simple techniques relating to basic security principles, not from the advanced techniques employed by your anti-virus solution.
We would be happy to give you feedback on a binary, with information on its intended purpose. You are welcome and encouraged to submit any suspicious files to malware@eEye.com. Be sure to rename the .exe to .ex_, and password-protect it in a .zip to avoid any mail filters.
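As an added illustration (not code from the eEye article), the kind of cheap pre-filter a defender can run before a suspicious file reaches a sandbox or an analyst: it flags a blob as "probably packed" either because its byte entropy is high (compressed or encrypted section bodies) or because it carries a section name that common packers leave behind. The packer section names, the 7.0 bits/byte threshold and the sample buffers are assumptions of this example, and the samples are constructed, not real malware; the example also shows the caveat that a simple single-byte XOR "packer" leaves entropy unchanged, so it slips past the entropy check.

```python
import hashlib
import math
from collections import Counter

# Section names that well-known packers write into the PE section table (assumed list).
# A hit is a strong hint; a miss proves nothing, since names are trivially renamed.
PACKER_SECTION_NAMES = (b"UPX0", b"UPX1", b".aspack", b".adata", b".petite",
                        b".MPRESS1", b".vmp0", b".vmp1", b".themida", b".nsp1")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes, entropy_threshold: float = 7.0, min_len: int = 512) -> dict:
    """Route 'probably packed' samples to a sandbox or an analyst.
    Entropy is only meaningful on a reasonably long buffer (min_len): a short buffer
    cannot reach high entropy even if every byte in it is different."""
    ent = shannon_entropy(data)
    markers = [m.decode() for m in PACKER_SECTION_NAMES if m in data]
    high_entropy = len(data) >= min_len and ent >= entropy_threshold
    return {"entropy": round(ent, 2), "markers": markers,
            "suspect": high_entropy or bool(markers)}

def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Single-byte XOR is a bijection on byte values, so it leaves entropy unchanged."""
    return bytes(b ^ key for b in data)

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for a compressed/encrypted section."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed samples: repetitive x86-like prologue bytes plus import-name strings,
# the sort of content an unpacked binary exposes.
PLAIN = b"\x55\x8b\xec\x83\xec\x10" * 200 + b"CreateFileA\0WriteFile\0" * 20
XORED = xor_obfuscate(PLAIN, 0x5A)                       # strings gone, entropy identical
PACKED_BODY = pseudo_random(2048)                        # high entropy, no marker strings
RENAMED = PLAIN[:300] + b"UPX1\0\0\0\0" + PLAIN[300:]   # marker present, low entropy

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN), ("xored", XORED),
                       ("packed_body", PACKED_BODY), ("renamed", RENAMED)]:
        print(f"{name:12s} {triage(blob)}")
```

Only the PACKED_BODY and RENAMED samples come back suspect; the XOR-obfuscated sample scores exactly like the plain one, which is why string-based and behavioural checks (the sandboxes mentioned in the Q&A below) still have to follow this filter.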
Source: Andre Derek Protas, Director of Research and Preview Services
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
10 tips to protect your company in a down economy: Tighten your security and tighten your belt at the same time. Quick-payoff strategies can help you stay on top of evolving security threats without neglecting your network infrastructure.
Full Article
Assessing Your Endpoint Security Needs: The key is to understand what needs protection and to find out what’s missing from your existing security strategies and solutions.
Full Article
eEye Retina OnDemand is a SaaS security vulnerability management package offering rapid deployment of Retina Security Management appliances.
Full Article
eEye and its security solutions have been covered by numerous press and media associations.
Full Article
Q: How does eEye Research analyze malware?
A: We use a variety of tools. For mass analysis purposes (gigabytes of malware samples), we employ CWSandbox (http://www.sunbeltsoftware.com/Developer/Sunbelt-CWSandbox/), a great tool from Sunbelt Software. We also have our own internal malware scanning system that uses signatures and heuristic mechanisms to identify malicious binaries.
For manual analysis, we use Norman Sandbox (http://www.norman.com/News/Documents/casestudy_eEye.pdf/en) as a start, but typically perform live and static analysis with reverse engineering.
Fire us a binary at malware@eEye.com and we'll take a look for you if you're stumped on something.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.
New product makes integrated security and threat management simple to help maximize organizations' limited resources
Full Article
New technology provides solid protection and allows web-based script code to decrypt itself, allowing for more powerful attack identification
Full Article
SecureIIS™ 3.0 Also Protects Against Buffer Overflow, Parser Evasion, Directory Traversal and General Exploitation Attacks
Full Article
eEye and its security solutions have been covered by numerous press and media associations.
Full Article
eEye Research has seen some staggering results from the recent influx of Blink Personal/Neighborhood Watch users. This data is offering eEye Research a distinct insight into host-based vulnerability and attack trends, which is used to build enhanced protection into Blink. Keep an eye on the eEye Research Portal (http://research.eeye.com/) for future projects that have arisen from the mass use of Blink Personal, including Neighborhood Watch reports and attack trends.
More
The monthly Vulnerability Expert Forum focuses on recently announced critical vulnerabilities - from Microsoft and other software vendors. eEye's Internet security experts will describe the actions necessary to protect your systems from the threats that target these vulnerabilities.
More