Standards body the IEEE has called for proposals to build a catalogue of people using binary “packers”, the software tools often used by malware writers to hide executable files from antivirus products.
The IEEE’s newly launched Software Taggant System borrows the idea of traceability from the explosives industry. It will aim to create a “marker” on the output of all certified packers in order to verify which license was used to create an executable file.
"The taggant concept and term are adopted from explosives, in which a chemical marker is added to allow tracing after an explosion,” explained Mark Kennedy, a Symantec Security Technology and Response group engineer.
However, to get the system up and running, the IEEE needs contributors to build software libraries for it, which would identify users of software packers and then be used to blacklist misused license keys. The outcome would be to allow antivirus vendors to focus attention on non-compliant packers.
“We think the IEEE Software Taggant System will drive malware developers away from compliant packers, which would both improve our chances of catching rogue operators and allow antivirus software to more efficiently process legitimate executable files created by packer software," said Kennedy.
The Industry Connections Security Group (ISCG), which developed the Taggant system for the IEEE, released its request for proposals at the Black Hat Technical Security conference in Las Vegas on Wednesday.
Igor Muttik, a senior architect with McAfee said it could solve a “big problem” that packer vendors and individual security companies had failed to. “Such a comprehensive solution would not have happened without ICSG," he said.
The problem that packers present for antivirus companies is that legitimate applications use the same “code-obfuscation” techniques that malware writers do, making it difficult to tell which ones to flag. This often led to false-positives, according to Michael Zunke, director of technology at SafeNet.