- Presentations from VirusBuster's two security experts on the 2nd CARO Workshop
- The next CARO Workshop will be organized by VirusBuster in Budapest
- About exepackers
The 2nd International CARO (Computer Anti-Virus Researchers Organization) Workshop was held at the beginning of May 2008 in Amsterdam, the Netherlands. The central theme of the workshop was "technical aspects and problems caused by Packers, Decryptors and Obfuscators in the broadest sense".
Since the Hungarian VirusBuster Ltd. has internationally recognized results in exepacker research, two of the firm's security professionals gave presentations on the topic. On the first day of the Workshop Róbert Neumann, malware analyst at VirusBuster Ltd., presented a set of specific unpacking strategies for quickly unpacking simple, not-so-simple and even complex packers and protectors. The title of his demonstration was "Gone in (5x) Sixty Seconds". On the second day Gábor Szappanos, chief security researcher of the Hungarian VirusBuster Ltd., gave a talk on "Exepacker blacklisting: theory and experiences".
The next CARO Workshop will be organized by VirusBuster in Budapest
CARO is an informal group of individuals who have been working together since around 1990, across corporate and academic borders, to study computer malware as a whole. Despite its informal nature, CARO is better recognized than a number of formalized groups of anti-virus professionals. CARO's historic joint project with EICAR (European Institute for Computer Antivirus Research) was the EICAR Standard Anti-Virus Test File, which was created by CARO members and published by EICAR.
Because of CARO's international importance and the quality of its work, the organization has been holding the CARO Workshop since 2007. The first workshop was held in Iceland and focused on the testing of anti-virus solutions.
In a notable international success for the firm, the 3rd CARO Workshop, CARO 2009, will be held in Budapest and organized by the Hungarian VirusBuster Ltd.
About exepackers
In order to save disk space and download bandwidth, shareware and freeware applications have been compressed with runtime packers for many years. These runtime compressors, or exepackers, decompress the original program in memory and then transfer execution to it.
Like other software developers, malware authors are also interested in minimizing size (e.g. when they have to transfer their executables from one PC to another during infection), and in making their programs harder to analyze, so that protection against them is harder to build.
Almost all contemporary malware uses one exepacker or cryptor or another, so it is natural to treat packedness as a sign of malicious intent. Unfortunately, legacy programs also use packers, so anti-malware developers need a more granular approach. They must be mindful that exepackers are used in legitimate applications as well, so before a packer is blacklisted, the software that uses it must be investigated thoroughly to minimize user impact.
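To make the blacklisting argument concrete, here is an added example (not VirusBuster's code, nor any product's detection logic) that parses the section table of a minimal PE image, flags the usual packer indicators (known stub section names, an empty section reserved as the unpack target, high-entropy section contents) and then refuses to treat packedness alone as a verdict: a packed file whose SHA-256 has been vetted as legitimate is allowlisted, and only unvetted packed files are escalated. The packer section-name list, the 7.2 bits/byte entropy cut-off and both sample images are assumptions constructed for this example.

```python
import hashlib
import math
import random
import struct

# Section names left behind by common exepacker stubs (assumption: illustrative
# list, not a complete packer signature database).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b".aspack", b".adata", b".petite",
                        b".nsp0", b".nsp1", b".MPRESS1", b".MPRESS2"}
ENTROPY_THRESHOLD = 7.2  # bits/byte; assumed cut-off for "compressed or encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (name, virtual_size, raw_size, raw_bytes) for every section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + size_opt  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, rawsize, pe[rawptr:rawptr + rawsize]))
    return sections


def packer_verdict(pe: bytes) -> dict:
    """Collect packer indicators: known stub section names, a section with no raw data
    but a large virtual size (where the stub unpacks to), and high-entropy contents."""
    indicators = []
    for name, vsize, rawsize, data in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            indicators.append(f"{name!r}: known packer section name")
        if rawsize == 0 and vsize > 0:
            indicators.append(f"{name!r}: no raw data, {vsize:#x} bytes virtual")
        if rawsize and (ent := shannon_entropy(data)) > ENTROPY_THRESHOLD:
            indicators.append(f"{name!r}: entropy {ent:.2f}")
    return {"packed": bool(indicators), "indicators": indicators}


def file_digest(pe: bytes) -> str:
    return hashlib.sha256(pe).hexdigest()


def classify(pe: bytes, known_good: set) -> str:
    """Packedness alone is not a verdict: packed files whose hash was investigated and
    found legitimate stay allowlisted; only unvetted packed files are escalated."""
    if not packer_verdict(pe)["packed"]:
        return "clean"
    return "packed-allowlisted" if file_digest(pe) in known_good else "packed-suspicious"


def build_pe(sections) -> bytes:
    """Build a minimal PE image for the samples below. The optional header is zero-filled
    because only its size is consulted. sections: list of (name, raw_data, virtual_size)."""
    size_opt = 0xE0  # PE32 optional header size
    raw_ptr = 64 + 4 + 20 + size_opt + 40 * len(sections)
    table, blobs = b"", b""
    for name, data, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0)
        raw_ptr += len(data)
        blobs += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    return dos + b"PE\0\0" + coff + b"\0" * size_opt + table + blobs


# Constructed samples: neither is real malware nor real packer output.
_rng = random.Random(2008)
PACKED_SAMPLE = build_pe([
    (b"UPX0", b"", 0x8000),                                              # empty unpack target
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x2000),  # "compressed" body
    (b".rsrc", b"\0" * 64 + b"MAINICON" + b"\0" * 184, 0x100),
])
PLAIN_SAMPLE = build_pe([
    (b".text", b"\x55\x8b\xec\x83\xec\x40\x33\xc0\x5d\xc3" * 200, 2000),
    (b".data", b"Hello, world!\0" * 50, 700),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, classify(sample, set()), packer_verdict(sample)["indicators"])
```

Run stand-alone, the packed sample trips all three indicators and the plain sample none; feeding the packed sample's digest to `classify` as vetted turns the verdict from suspicious to allowlisted, which is the "investigate before blacklisting" step in code form.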
Of course, false positive detections do happen from time to time, but compared with the advantage of detecting tens of thousands of new samples, their price is not high, especially since false detections are fixed within a day, so users are not badly affected.
The benefits of exepacker blacklisting outweigh its minimal and temporary damage, and this proactive method protects customers better against unknown malware.
Source: VirusBuster