Play by the rules? Should AV be enforcing the rules to prevent uncontrolled obfuscation by malware?

Rachit Mathur (McAfee)
Aditya Kapoor (McAfee)

This paper will present the most up-to-date techniques malware uses to hide in the crowd: innocent-looking code, or masquerading as a legitimate packer, an MSVC-built file, a corrupt file, and so on. We will discuss simple, universal rules that any AV product can apply to block malware from using these techniques. Such a rule can be as simple as blocking any use of the .reloc section name for anything other than relocation data. More complex rules include blocking all files that use call obfuscation except for a few known packers, or flagging checks on the process default heap header (a common anti-debugging trick) in anything but Themida. To counter the upsurge in masquerading malware we have been enforcing such policies after validating them against millions of clean applications and malware samples. We will show how these detection rules have helped McAfee change the landscape of obfuscation techniques, even forcing some of them to become obsolete in the wild, thus shrinking the playground available to malware.
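As an added illustration of the simplest rule mentioned above, the following Python checks whether a section named .reloc really is used for relocations. This is not code from the paper or from McAfee; the three sub-checks (section characteristics, where the base-relocation data directory points, and whether the entry point sits inside the section) are one way to operationalize the rule, and the sample PE headers are constructed inline so the script runs offline.

```python
"""Check the '.reloc is for relocations only' rule against PE headers (added example, not the paper's code)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def parse_pe(data: bytes) -> dict:
    """Parse only what the rule needs: entry point, base-reloc directory and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional-header offset 96
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint (same offset in both)
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
    reloc_dir = (0, 0)
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_dir = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections = []
    table = opt + opt_size
    for i in range(nsec):
        name, vsize, va, rawsize, _ptr, _pr, _pl, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return {"entry": entry, "reloc_dir": reloc_dir, "sections": sections}


def check_reloc_rule(pe: dict) -> list:
    """Return the rule violations for every section named '.reloc'; an empty list means it passes."""
    findings = []
    reloc_rva, reloc_size = pe["reloc_dir"]
    for s in pe["sections"]:
        if s["name"] != ".reloc":
            continue
        lo = s["va"]
        hi = lo + max(s["vsize"], s["rawsize"])
        # Relocation data is never code and never needs to be executable.
        if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            findings.append("reloc-section-executable")
        # The base-relocation directory must actually point into this section.
        if reloc_size == 0 or not (lo <= reloc_rva < hi):
            findings.append("reloc-directory-not-in-section")
        # Execution should never start inside a relocation section.
        if lo <= pe["entry"] < hi:
            findings.append("entry-point-in-reloc")
    return findings


def build_pe(sections, entry, reloc_dir) -> bytes:
    """Constructed minimal PE32 image (headers only, no section bodies) used as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                              # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                             # Magic
    struct.pack_into("<I", opt, 16, entry)                            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, *reloc_dir)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a well-formed layout and a file that uses ".reloc" as a name only.
CLEAN = build_pe(
    [(".text", 0x1000, 0x1000, 0x60000020),    # CODE | EXECUTE | READ
     (".reloc", 0x3000, 0x200, 0x42000040)],   # INITIALIZED_DATA | DISCARDABLE | READ
    entry=0x1000, reloc_dir=(0x3000, 0x40))

SUSPECT = build_pe(
    [(".text", 0x1000, 0x1000, 0x60000020),
     (".reloc", 0x3000, 0x2000, 0x60000020)],  # executable, holds the entry point, no reloc directory
    entry=0x3100, reloc_dir=(0, 0))

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, check_reloc_rule(parse_pe(image)) or "ok")
```

A production version of such a rule is tuned against a clean corpus as the abstract describes, and carries an allow-list for the known packers and linkers that legitimately deviate from it; the checks above are the structural core, not the whitelist.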

This presentation will also discuss our experience of building file reputations on top of these rules, using them to separate malicious files from clean applications. Finally, we discuss how far we can and should go in enforcing such rules: are they justified, or do they encroach on the right to freedom of programming?
