Rachit Mathur, McAfee
Aditya Kapoor, McAfee
This paper will present the most up-to-date techniques used by malware to hide in the crowd, e.g. using innocent-looking code or masquerading as a legitimate packer, an MSVC-built file or a corrupt file. We will discuss smart universal rules that any AV can apply to block malware from using these techniques. Such rules can be as simple as blocking the use of the .reloc section name for anything other than relocations. More complex rules may include blocking all files that use call obfuscations except for a few known packers, or preventing checks on the process default heap header except by Themida. To counter the upsurge in such masquerading malware, we have been enforcing these policies after examining millions of clean applications and malware samples. We will show how these detection rules have helped McAfee change the landscape of obfuscation techniques, even forcing some of them to become obsolete in the wild, thus limiting the playground for malware.
This presentation will also discuss our experiences with building file reputations using these rules to enforce the separation of malicious files from clean applications. Finally, we discuss the question of how far we can and should go in enforcing such rules. Are they justified, or do they encroach on the right to freedom of programming?
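The .reloc rule mentioned above can be expressed as a static check on the PE headers: a section named .reloc is expected to contain the base relocation directory, so a .reloc section that does not is suspicious. The following is an added example written for this page, not McAfee's implementation; it assumes the documented PE32/PE32+ layout and builds its own header-only images as constructed test input.

```python
import struct

# Index of the base relocation table in the optional header's data directories.
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

def parse_pe(data):
    """Return (reloc_dir_rva, reloc_dir_size, [(name, va, vsize), ...]) for a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory offset
    rva, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        name, vsize, va = struct.unpack_from("<8sII", data, sec + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return rva, size, sections

def reloc_section_misused(data):
    """Heuristic: True if a section named .reloc does not hold the base relocation directory."""
    rva, size, sections = parse_pe(data)
    for name, va, vsize in sections:
        if name == ".reloc" and not (size and va <= rva < va + vsize):
            return True
    return False

def build_pe(sections, reloc_rva, reloc_size):
    """Build a minimal PE32 header-only image (constructed sample, not a real binary).
    sections: list of (name, virtual_address, virtual_size)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, reloc_rva, reloc_size)
    table = b"".join(struct.pack("<8sII", n.encode(), vs, va) + b"\0" * 24
                     for n, va, vs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

A real deployment would add the known-packer exceptions the abstract describes and validate the directory contents themselves rather than only the RVA range.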