Dealing with Virtualization packers

Boris Lau, Sophos Plc, United Kingdom

There is a trend for packers to use virtualization technology to protect their samples. These virtualization packers translate the original code of the sample into their own unique instruction set, which is then interpreted by an embedded virtual machine. Unpacking samples protected by a virtualization packer is very expensive in terms of both analysis effort and unpacking efficiency. Sometimes it is even impossible to restore the sample to its original machine code, since the virtualization is applied at source level. Generic detection of these packed samples is extremely difficult with traditional anti-virus unpacking technology.

In this paper, we will discuss a new technique to deobfuscate these virtualization packers. We will utilize "DSD-tracer" (a malware analysis framework which was previously presented at Virus Bulletin 2007) to achieve semi-automated analysis of samples in order to establish the architecture of the virtual machines. We will also illustrate our research by providing some insight into how to deal with existing commercial virtualization protectors such as Themida, ExeCryptor and VMProtect, which are often seen on in-the-wild malware samples.