Methodology for Test of Packers Support in Antiviruses (September 2006)

How antivirus monitors (on-access scanners) work

The principal function of an antivirus monitor (also known as a real-time scanner or on-access scanner) is to monitor all file-access operations on the protected computer.

Whenever an object on the hard drive is accessed (read, executed, written, etc.), the antivirus monitor will first scan the object. If no viruses are detected, the control is returned to the system and the file operation is allowed. If a virus is detected, the antivirus product performs the actions specified in its settings, e.g., deletes the object, blocks the file operation, etc.

Therefore, when a real-time scanner is running, there is no danger of the system becoming infected, provided that the antivirus product meets all contemporary security requirements.

Differences between packers (protectors, encryption tools) and archiving utilities

There are a large number of utilities on the Internet that compress, encrypt and protect various files. Naturally, these programs were developed for good reason, but unfortunately, they are also successfully used by virus writers to hide malicious code from analysis and detection.

Below we discuss the following program types:

  1. Archiving utilities (archivers).
  2. Compression utilities (packers).
  3. Protectors and encrypters.

Archivers

This is the most commonly used type of utility, which includes ZIP, RAR, CAB, etc. A special program (an archiver) must be installed on the computer to create archives and extract files from them. Before a file in an archive can be accessed (read, executed, etc.), the archiver must first unpack it and save it to a temporary folder on the hard drive.

In this case, a real-time antivirus scanner will protect the computer from infection even if it is unable to scan (and disinfect) archives, since it will scan the file when the archiving utility saves it to the temporary folder.

Even self-extracting archives, which do not require an installed archiving utility to extract the files, always unpack files to a temporary folder on the hard drive.

Packers

Packing tools are less commonly used by average users. Representatives of this group include UPX, ASPack, etc. These programs work only with certain file types, mostly executable files and DLLs. As with archivers, a program installed on the computer is needed to pack a file. However, no special program is needed to run a packed executable file.

Figure 1: The packing process

Moreover, unpacking and execution of the file are performed without accessing the hard drive, unlike extraction of files from an archive.

The upshot is that, if an antivirus program does not recognize a packer’s format, the protection (real-time scanner) will be useless: the malicious code is loaded into RAM in its compressed form, then unpacked and executed in RAM without ever touching the hard drive, so there will be no alert from the antivirus program.

Protectors / encryption tools

These programs are often used by software developers to protect software. They are similar to packers, but they encrypt programs in addition to compressing them. The loader of an encryption tool (see Figure 1) also uses a large number of other methods to protect the program from being hacked and its code from being analyzed.
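The two sections above make the same point from the defender's side: once a packed or protected executable is launched, unpacking happens in RAM, so the on-access scan of the file as it sits on disk is the only chance to recognise the packer's format. The following is an added example, not code from the original article or from Anti-Malware.ru, of the static heuristics a scanner can apply to the on-disk file before letting it run: it parses the PE section table, flags section names that UPX and ASPack leave behind, flags sections that are both writable and executable (the region a loader unpacks into), and measures the Shannon entropy of each section's raw contents. The minimal PE builder, the two sample images, the 7.2 entropy threshold and the short section-name list are all constructed for the demonstration and are assumptions, not a vendor's detection logic.

```python
import math
import random
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Section characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names left behind by UPX and ASPack; a small illustrative set,
# not an exhaustive list of packer markers (assumption for this example).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}

# Compressed or encrypted payloads look close to uniformly random (8.0 bits
# per byte); plain x86 code and data usually sit well below this threshold,
# which is chosen for the example rather than taken from any product.
ENTROPY_THRESHOLD = 7.2


@dataclass
class Section:
    name: bytes
    characteristics: int
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", pe, table + i * 40)
        name, _vsize, _vaddr, raw_size, raw_ptr = fields[:5]
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append(Section(name.rstrip(b"\0"), fields[9], data))
    return sections


def assess(pe: bytes) -> List[str]:
    """Return the packing indicators found; an empty list means none."""
    findings = []
    for s in parse_sections(pe):
        label = s.name.decode("ascii", "replace")
        if s.name in PACKER_SECTION_NAMES:
            findings.append(f"{label}: section name left by a known packer")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{label}: writable and executable (in-place unpacking target)")
        if s.data and shannon_entropy(s.data) > ENTROPY_THRESHOLD:
            findings.append(f"{label}: entropy {shannon_entropy(s.data):.2f} suggests compressed or encrypted content")
    return findings


def looks_packed(pe: bytes) -> bool:
    return bool(assess(pe))


def build_toy_pe(sections: List[Tuple[str, bytes, int]]) -> bytes:
    """Constructed minimal PE: DOS header, signature, COFF header with an
    empty optional header (a simplification), section table, raw data."""
    header_len = 0x40 + 4 + 20 + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body, raw_ptr = bytearray(), bytearray(), header_len
    for idx, (name, data, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data) or 0x1000, 0x1000 * (idx + 1),
                             len(data), raw_ptr if data else 0, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


# Constructed samples. The "packed" one mimics UPX's layout: an empty RWX
# UPX0 that the stub unpacks into, a UPX1 holding the compressed image
# (stand-in: deterministic pseudo-random bytes), and a resource section.
_rng = random.Random(2006)
PLAIN_SAMPLE = build_toy_pe([
    (".text", b"\x55\x8b\xec\x90" * 256, 0x60000020),  # CODE | EXECUTE | READ
    (".data", b"Hello, world\0" * 50, 0xC0000040),      # INIT_DATA | READ | WRITE
])
PACKED_SAMPLE = build_toy_pe([
    ("UPX0", b"", 0xE0000080),                          # UNINIT_DATA | RWX
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0xE0000040),
    (".rsrc", b"\0" * 64, 0xC0000040),
])

if __name__ == "__main__":
    for tag, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(tag, "->", "packed" if looks_packed(sample) else "clean")
        for finding in assess(sample):
            print("   ", finding)
```

None of these indicators is proof on its own: legitimate software is shipped packed, and a packer can rename its sections or pad its payload to lower the entropy. This is why the article stresses that a scanner must actually support the packer's format, i.e. unpack the image itself and scan the result, rather than stop at heuristics like these.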

Selection of packers for the testing of antivirus programs

How many universal packers exist in the world today? According to our conservative estimate, there are over 100 types, but some specialists believe this number to be close to 200. Using this arsenal of specialized software, virus writers create new modifications of the same viruses with hardly any effort.

As soon as a new virus appears, it can be processed using a packer or encryption tool (this takes mere seconds), verified to ensure that it is operational and sent out into the world. As a result, there will be two modifications of the same virus on the Internet.

Some antivirus vendors try to solve the problem the easy way. They add signatures for viruses and their modifications (including packed versions) to their antivirus databases, but do not include support for packing utilities. As a result, when a newly packed virus appears, these vendors need to add a new signature to their antivirus databases. However, if an antivirus product supports the packer, the new virus modification is detected automatically, without having to add a new signature to the database.

Naturally, not all antivirus vendors use this approach. But packers and encryption tools are regularly updated, and antivirus vendors need to keep track of these new versions in the same way that they track the appearance of new viruses.

After many consultations with antivirus vendors and independent experts, we selected 21 types of packer out of the variety that exists today.

The choice of packers was based on the following criteria:

  1. The popularity of a particular packer among virus writers.
  2. Our own analysis of packers and their use as a tool to conceal malicious code.

We used the latest versions of packers publicly available on the Internet at the time of testing.

Testing methodology

The testing of antivirus solutions for their support of packer utilities is performed by Anti-Malware.ru experts on a regular basis. We closely track new versions of various packers appearing on the Internet and analyze the popularity of their different versions and modifications.

Moreover, the Anti-Malware.ru project has close ties with several antivirus companies, which provide information on the use of different packers by virus writers.

The list of packers is prepared based on the information received. One week prior to testing, the versions of packers to be used in the testing are selected. This information is available to antivirus vendors.

During the same period, 5 to 10 virus samples are selected. The selection should represent different types of malicious code (viruses, worms, Trojans, spyware, keyloggers, etc.). The main requirements for sample selection are that the samples are not packed and that, in this form, they are successfully detected by all antivirus products to be tested. Information about the selected samples of malicious code to be used during testing is not provided to antivirus developers until after testing is completed.

Testing steps:

  1. The virus samples selected are packed using the packers selected. The result is X modifications of each virus, where X is the number of packers used in the test.
  2. Then, each copy is verified, i.e., checked to ensure that it correctly performs all of its functions after packing.
  3. The test per se is conducted, i.e., the latest versions of antivirus products with up-to-date databases are tested for detection of the packed viruses.

Steps 1 and 2 are performed during the week preceding testing, but only after the packer versions have been officially selected. If a virus fails to perform its functions after being compressed with a packer, this virus modification is excluded from testing.

As stated above, testing is conducted on the latest versions of antivirus software with the latest updates installed.

The frequency of testing is determined by the Anti-Malware.ru project team depending on the appearance of new packer versions, changes in the popularity of individual packers and analysis of data provided by different vendors. Testing is conducted at least four times a year.

Packers detected by all antivirus products tested are not included in the subsequent round of analysis, unless their versions (algorithms, methods used, etc.) change.