Monday, May 27, 2013

Anti-Reverse Technique Used in Malware

It is an endless arms race between security experts and hackers. Hackers discover new exploits or new attack vectors, while at the same time security experts try to identify and block those attacks. To prevent detection or analysis, attackers employ techniques that hinder reverse engineering and detection. The following picture shows that nearly 90% of malware employs some anti-RE technique.

At Black Hat US 2012, Rodrigo Rubira Branco et al. classified anti-reverse techniques into four types: Anti-Disassembly, Anti-Debugger, Obfuscation and Anti-VM. In this article I summarize the anti-reverse techniques based on this paper, and I will discuss each technique in other articles. The distribution of anti-RE techniques is shown below.
This paper also summarizes the packers seen in their observations. As this table shows, the packer most often employed by malware is UPX.


Listed below are well-known packers used by malware, together with the anti-reverse-engineering functions each one employs.

UPX
  1. UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    Instruction Counting
    PEB NtGlobalFlag
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
  2. UPXv20MarkusLaszloReiser
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    Instruction Counting
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
  3. UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
    Anti-VM (IN)
    Push Pop Math
    Instruction Counting
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
  4. UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
    Anti-VM (IN)
    Push Pop Math
    Instruction Counting
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
  5. UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser
    Anti-VM (IN)
    Instruction Counting
    PEB NtGlobalFlag
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
  6. UPXProtectorv10x2
    Nothing

Armadillo
  1. Armadillov171
    Instruction Counting
    Instruction Substitution (push – ret)
  2. Armadillov1xxv2xx
    Nothing
PECompact
    Anti-VM (STR)
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    PEB NtGlobalFlag
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SoftICE – Interrupt 1
    Software Breakpoint Detection
    SS register
BobSoftMiniDelphiBoBBobSoft
    Anti-VM (STR)
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SoftICE – Interrupt 1
    SS register
ASPack
  1. ASPackv212AlexeySolodovnikov
  2. ASProtectV2XDLLAlexeySolodo
    Anti-VM (IN)
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
  3. ASPackv10803AlexeySolodovnikov
    Anti-VM (IN)
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
  4. ASPackv21AlexeySolodovnikov
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
ProtectSharewareV11eCompservCMS
    Anti-VM (SLDT)
    Anti-VM (IN)
    Instruction Counting
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    Instruction Substitution (push – ret)
ASProtect13321RegisteredAlexeySolodovnikov, ASProtectv12
    Anti-VM (STR)
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SoftICE – Interrupt 1
    Software Breakpoint Detection
    SS register
WiseInstallerStub
    Nothing
MaskPEV20yzkzero
    Anti-VM (SLDT)
    Anti-VM (IN)
    Push Pop Math
    PEB's BeingDebugged (Stealth IsDebuggerPresent)
    SS register
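As an added example (not code from this post or from the cited paper), the Python scanner below encodes a few of the checks named in the table as byte signatures, the way an analyst might triage a packed sample for them before debugging it. The byte encodings are hand-assembled 32-bit x86 and the sample buffer is constructed for the demonstration; the technique and class names are the ones used above.

```python
import re

# Added example (not from the post or the paper): YARA-style byte signatures for
# some anti-RE checks named above; 32-bit x86 encodings assembled by hand.
SIGNATURES = [
    # (technique name from the table, class per Branco et al., byte regex)
    ("PEB's BeingDebugged", "Anti-Debugger",
     # mov eax, fs:[30h] ; movzx eax, byte ptr [eax+2]   -> PEB.BeingDebugged
     re.compile(rb"\x64\xA1\x30\x00\x00\x00\x0F\xB6\x40\x02")),
    ("PEB NtGlobalFlag", "Anti-Debugger",
     # mov eax, fs:[30h] ; mov eax, [eax+68h]            -> PEB.NtGlobalFlag
     re.compile(rb"\x64\xA1\x30\x00\x00\x00\x8B\x40\x68")),
    ("SoftICE - Interrupt 1", "Anti-Debugger",
     re.compile(rb"\xCD\x01")),                          # int 1
    ("Anti-VM (SLDT)", "Anti-VM",
     # 0F 00 /0: any ModRM byte whose reg field (bits 5..3) is 000
     re.compile(rb"\x0F\x00[\x00-\x07\x40-\x47\x80-\x87\xC0-\xC7]")),
    ("Anti-VM (STR)", "Anti-VM",
     # 0F 00 /1: ModRM reg field 001
     re.compile(rb"\x0F\x00[\x08-\x0F\x48-\x4F\x88-\x8F\xC8-\xCF]")),
    ("Anti-VM (IN)", "Anti-VM",
     # mov eax, 564D5868h ('VMXh'), then in eax, dx (ED) within 16 bytes;
     # a lone ED byte is far too common in data to flag by itself.
     re.compile(rb"\xB8\x68\x58\x4D\x56.{0,16}?\xED", re.DOTALL)),
]

def scan(buf: bytes) -> dict:
    """Return {technique: [offsets]} for every signature present in buf."""
    hits = {}
    for name, _cls, rx in SIGNATURES:
        offsets = [m.start() for m in rx.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits

def classify(hits: dict) -> list:
    """Fold technique hits into the paper's classes; Obfuscation and
    Anti-Disassembly have no byte signature here, so they never appear."""
    return sorted({cls for name, cls, _ in SIGNATURES if name in hits})

# Constructed stub (not a real packer): reads PEB.BeingDebugged, executes SLDT,
# then probes the VMware I/O port backdoor, with NOP padding around it.
SAMPLE = (
    b"\x90" * 4
    + b"\x64\xA1\x30\x00\x00\x00\x0F\xB6\x40\x02"      # BeingDebugged read
    + b"\x85\xC0\x75\x10"                              # test eax, eax ; jnz
    + b"\x0F\x00\xC0"                                  # sldt eax
    + b"\xB8\x68\x58\x4D\x56\xBA\x58\x56\x00\x00\xED"  # mov eax,'VMXh'; mov edx,5658h; in eax,dx
    + b"\x90" * 4
)
```

Byte signatures like these only hint at a check; the opcode patterns also occur in ordinary data and code, so hits are a reason to look at the disassembly, not a verdict.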

Reference

[1] Rodrigo Rubira Branco, Gabriel Negreira Barbosa, Pedro Drimel Neto, "Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies", Black Hat US 2012.