LAST-MINUTE PAPER: IEEE Software Taggant System

Mark Kennedy Symantec
Igor Muttik McAfee

  download slides (PDF)

Packed files are a huge problem in the software security world. Many attackers use packers to create polymorphic code to defeat anti-malware signature systems. The Software Taggant System is designed to address this. In the physical world, a taggant is a physical marker added to explosives at manufacturing so that either pre or post explosion the manufacturer can be determined. In the software world the taggant will allow security vendors to determine what packer licence key was used to create a given packed file. The taggant is cryptographically secure so it cannot be spoofed. When a malware author creates a malicious file and packs it the taggant is added. This way security vendors can blacklist various licence keys while allowing other good files with non-blacklisted keys to run. Any attempt to spoof the system is easily identified and those files blocked. This system is the result of an unprecedented cooperation between the software security vendors and the software packer providers.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.