Tuts 4 You


Teddy Rogers
Posted

IEEE Software Taggant System For Exposing Malware Creators

Well... I have been hearing and reading about this everywhere for a while now. Numerous packer and protector developers have already been trumping this up as the be-all for software developers who use their packer/protector products as a means to stop false positives and at the same time be used to identify/flag stolen or bogus protector licences used on files. For those who do not know (yet), if it becomes standard we may see this being commonplace.

The IEEE Standards Association (IEEE-SA) Industry Connections Security Group (ICSG) today announced a call for proposals to develop software libraries for the new IEEE Software Taggant System. By enabling the identification of specific users of binary "packer" software and the blacklisting of misused license keys, the IEEE Software Taggant System is designed to expose creators of malware (malicious software such as viruses, worms and spyware) and improve computer security.


http://standards.ieee.org/news/2011/icsg_software.html

How practical it will be and to what purpose it will end up serving exactly I still have doubts about. Have a read and share your thoughts...

Ted.

packerstandards.pdf

1 month later...
Posted

http://standards.ieee.org/news/2011/icsg_software.html

As a person who is currently coding a packer for my own software, I find this utterly absurd.

Why on earth do we packer authors (open source and otherwise) have to sign up to such a scheme?

To have my own packer accredited for my own use is insane.

2 weeks later...
Posted

You don't _have_ to sign up. However, you might consider it if:

- you use file format tricks that make debugging difficult;

- you masquerade as another packer, such that unpacking fails because of the mismatch;

- you use anti-debugging/anti-emulator/anti-VM/etc tricks

and so on, resulting in triggering heuristics in AV software.

or, perhaps:

- you offer the product for retail sale and are concerned about stolen licences;

- you are concerned about your packer being used by malware authors and risking being blacklisted as a result

Posted

Ah, so as long as I use my packer for my own means, and don't attempt to obfuscate what it does, it's fine?

Posted

Basically the idea is to make your packer less suspicious/prone to detection as false positive by adding information that can help identify the packer and/or licensee. That way AVs can ban specific licenses instead of blacklisting a whole protector and all its customers.

Nobody makes you do it, and I don't think AVs will start flagging everything that doesn't comply with this system. But that risk is for you to take.

It boils down to this:

Do you pack your software with protectors that have hardcore antidebug/obfuscation/vm? Do you want to avoid being flagged by AVs? Then you should be looking for/modifying your protector so it complies with that system.

Anyone else probably shouldn't have to care about it.

Posted

And if that's the case, are there any prices for conforming with this system if the packer is only for one's personal use and no one else's?

Peter Ferrie
Posted

If it's just for you then there's no problem for you.

The system is for the packers that are used everywhere, like Obsidium, Enigma, etc.

Posted

Ah, thanks for the info. Much appreciated. :)

Posted (edited)

So de-watermarking is going to be popular soon.

Depending on the method of encoding the licence key information it may be possible for malware authors to spoof or sabotage them. This can be mitigated by ensuring that any tampering with the licence information results in a failure on the part of the packer to execute the target object.

Good luck with that since one can inline all known packers.

Edited by quosego
Peter Ferrie
Posted

However, if a packer's version is known to support the taggant, and if the taggant is not present, then we can report that the file has been modified.

Spoofing the key is currently not known to be possible, based on the strength of the cipher that will be used.
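The scanner-side logic these posts describe (a signed, licence-level taggant that lets a scanner revoke one licence instead of blacklisting a whole packer, and a taggant-capable packer with no taggant reported as modified), as an added example in Go that is not code from the thread or from the IEEE system. The taggant layout, the Ed25519 signature, the licence ids and the verdict strings are constructed simplifications; the real format is in the RFP linked in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Taggant is a constructed stand-in for the real format: licence id + file hash, signed by the packer vendor.
type Taggant struct {
	LicenseID uint32
	FileHash  [32]byte
	Sig       []byte
}

func taggantMsg(id uint32, h [32]byte) []byte {
	return append([]byte{byte(id >> 24), byte(id >> 16), byte(id >> 8), byte(id)}, h[:]...)
}

// IssueTaggant is the vendor/packer side at protect time.
func IssueTaggant(priv ed25519.PrivateKey, id uint32, packed []byte) Taggant {
	h := sha256.Sum256(packed)
	return Taggant{id, h, ed25519.Sign(priv, taggantMsg(id, h))}
}

// Classify is the scanner side: a taggant-capable packer with no taggant is reported
// as modified, a hash/signature mismatch as tampered, and a revoked licence is flagged
// without blacklisting the packer's other licensees.
func Classify(pub ed25519.PublicKey, tg *Taggant, file []byte, supportsTaggant bool, revoked map[uint32]bool) string {
	if tg == nil {
		if supportsTaggant {
			return "missing-taggant"
		}
		return "untagged"
	}
	if sha256.Sum256(file) != tg.FileHash || !ed25519.Verify(pub, taggantMsg(tg.LicenseID, tg.FileHash), tg.Sig) {
		return "tampered"
	}
	if revoked[tg.LicenseID] {
		return "revoked-licence"
	}
	return "clean"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tg := IssueTaggant(priv, 42, []byte("constructed packed sample"))
	fmt.Println(Classify(pub, &tg, []byte("constructed packed sample"), true, map[uint32]bool{42: true})) // revoked-licence
}
```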

Posted

How big is the taggant information? A couple hundred bytes?

Posted

It's all in the RFP, if you need detailed information:
https://standards.ieee.org/develop/indconn/icsg/taggant_rfp.zip

Posted

Seems like a good thing to me. :)
