12 replies to this topic

[Teddy Rogers]

IEEE Software Taggant System For Exposing Malware Creators

Well... I have been hearing and reading about this everywhere for a while now. Numerous packer and protector developers have already been trumping this up as the bee-all for software developers who use their packer/protector products as a means to stop false positives and at the same time be used to identify/flag stolen or bogus protector licences used on files. For those who do not know (yet) if it becomes standard we may see this being common place.

Quote

The IEEE Standards Association (IEEE-SA) Industry Connections Security Group (ICSG) today announced a call for proposals to develop software libraries for the new IEEE Software Taggant System. By enabling the identification of specific users of binary "packer" software and the blacklisting of misused license keys, the IEEE Software Taggant System is designed to expose creators of malware (malicious software such as viruses, worms and spyware) and improve computer security.

http://standards.iee...g_software.html

How practical and to what purpose it will end up serving exactly I still have doubts to. Have a read and share your thoughts...

Ted.

Attached Files

•  packerstandards.pdf   140.07K   42 downloads

[mudlord]

http://standards.iee...g_software.html

As a person who is currently coding a packer for my own software, I find this utterly absurd.
Why on earth do us packer authors (open source and otherwise), have to sign up to such a scheme?

To have my own packer accredited for my own use is insane.

[Peter Ferrie]

You don't _have_ to sign up.  However, you might consider it if:

- you use file format tricks that make debugging difficult;
- you masquerade as another packer, such that unpacking fails because of the mismatch;
- you use anti-debugging/anti-emulator/anti-VM/etc tricks

and so on, resulting in triggering heuristics in AV software.

or, perhaps:

- you offer the product for retail sale and are concerned about stolen licences;
- you are concerned about your packer being used by malware authors and risking being blacklisted as a result

[mudlord]

Ah, so as long as I use my packer for my own means, and don't attempt to obfuscate what it does, its fine?

[Killboy]

Basically the idea is to make your packer less suspicious/prone to detection as false positive by adding information that can help identify the packer and/or licensee. That way AVs can ban specific licenses instead of blacklisting a whole protector and all its customers.
Nobody makes you do it, and I don't think AVs will start flagging everything that doesnt comply with this system. But that risk is for you to take.

It boils down to this:
Do you pack your software with protectors that have hardcore antidebug/obfuscation/vm? Do you want to avoid being flagged by AVs? Then you should be looking for/modifying your protector so it complies with that system.
Anyone else probably shouldn't have to care about it.

[mudlord]

And if thats the case, is there any prices for conforming with this system if the packer is only for one's personal use and no one elses?

[Peter Ferrie]

If it's just for you then there's no problem for you.
The system is for the packers that are used everywhere, like Obsidium, Enigma, etc.

[mudlord]

Ah, thanks for the info. Much appreciated.

[quosego]

So de-watermarking is going to be popular soon.

Quote

Depending on the method of encoding the licence key
information it may be possible for malware authors to
spoof or sabotage them. This can be mitigated by ensuring
that any tampering with the licence information results in a
failure on the part of the packer to execute the target object.

Good luck with that since one can inline all known packers.

Edited by quosego, 06 October 2011 - 09:45 AM.

[Peter Ferrie]

However, if a packer's version is known to support the taggant, and if the taggant is not present, then we can report that the file has been modified.
Spoofing the key is currently not known to be possible, based on the strength of the cipher that will be used.

[mudlord]

How big is the taggant information? A couple hundred bytes?

[Killboy]

It's all in the RFP, if you need detailed information:
https://standards.ie...taggant_rfp.zip

[deepzero]

Seems like a good thing to me.