Jump to content
Tuts 4 You

IEEE Software Taggant System For Exposing Malware Creators...

Teddy Rogers

Recommended Posts

Teddy Rogers

IEEE Software Taggant System For Exposing Malware Creators

Well... I have been hearing and reading about this everywhere for a while now. Numerous packer and protector developers have already been trumping this up as the bee-all for software developers who use their packer/protector products as a means to stop false positives and at the same time be used to identify/flag stolen or bogus protector licences used on files. For those who do not know (yet) if it becomes standard we may see this being common place.

The IEEE Standards Association (IEEE-SA) Industry Connections Security Group (ICSG) today announced a call for proposals to develop software libraries for the new IEEE Software Taggant System. By enabling the identification of specific users of binary "packer" software and the blacklisting of misused license keys, the IEEE Software Taggant System is designed to expose creators of malware (malicious software such as viruses, worms and spyware) and improve computer security.


How practical and to what purpose it will end up serving exactly I still have doubts to. Have a read and share your thoughts...



Link to comment
Share on other sites

  • 1 month later...
  • 2 weeks later...

You don't _have_ to sign up. However, you might consider it if:

- you use file format tricks that make debugging difficult;

- you masquerade as another packer, such that unpacking fails because of the mismatch;

- you use anti-debugging/anti-emulator/anti-VM/etc tricks

and so on, resulting in triggering heuristics in AV software.

or, perhaps:

- you offer the product for retail sale and are concerned about stolen licences;

- you are concerned about your packer being used by malware authors and risking being blacklisted as a result

Link to comment
Share on other sites

Basically the idea is to make your packer less suspicious/prone to detection as false positive by adding information that can help identify the packer and/or licensee. That way AVs can ban specific licenses instead of blacklisting a whole protector and all its customers.

Nobody makes you do it, and I don't think AVs will start flagging everything that doesnt comply with this system. But that risk is for you to take.

It boils down to this:

Do you pack your software with protectors that have hardcore antidebug/obfuscation/vm? Do you want to avoid being flagged by AVs? Then you should be looking for/modifying your protector so it complies with that system.

Anyone else probably shouldn't have to care about it.

Link to comment
Share on other sites

Peter Ferrie

If it's just for you then there's no problem for you.

The system is for the packers that are used everywhere, like Obsidium, Enigma, etc.

Link to comment
Share on other sites

So de-watermarking is going to be popular soon.

Depending on the method of encoding the licence key

information it may be possible for malware authors to

spoof or sabotage them. This can be mitigated by ensuring

that any tampering with the licence information results in a

failure on the part of the packer to execute the target object.

Good luck with that since one can inline all known packers.

Edited by quosego
Link to comment
Share on other sites

Peter Ferrie

However, if a packer's version is known to support the taggant, and if the taggant is not present, then we can report that the file has been modified.

Spoofing the key is currently not known to be possible, based on the strength of the cipher that will be used.

Link to comment
Share on other sites

It's all in the RFP, if you need detailed information:

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...