Anti-emulation trends in modern packers: a survey on the evolution of anti-emulation techniques in UPA packers

  • Cătălin Valeriu Liţă
  • Doina Cosovan
  • Dragoş Gavriluţ
Original Paper


Writing modern day executable packers has turned into a rather profitable business. In many cases, the reason for packing is not protecting genuine applications against piracy or plagiarism, but rather avoiding reverse-engineering and detection of malicious samples. Unlike developers, which show moderate interest for using a packer and lack time and resources for creating one, malware creators show a huge interest and are willing to spend large amounts of money to use this technology (especially if it offers protection against security solutions). This happens mainly because protecting from piracy and plagiarism isn’t that profitable as spreading new and undetected malware on as many computers as possible. Consequently, creating a custom packer designed to avoid malware detection has grown into a very profitable business.

However, developing a good packer is not an easy task to accomplish. Novel techniques of achieving anti-static analysis, anti-virtual machine, anti-sandbox, anti-emulation, anti-debugging, anti-patching, and so on, have to be discovered and added regularly. From the malware creator’s perspective, this must happen frequently enough so that the updates are issued shortly after malware researchers analyze and bypass the existing mechanisms because, once these techniques are bypassed, the detection rate increases in the case of the malware samples packed with the old version of the packer.

In this paper, we present our findings which resulted from closely monitoring the fight between malware researchers and packer developers during a period of almost two years. We focus on three different packers used for prevalent malware families like Upatre, Gamarue, Hedsen. We named those packers UPA 1, UPA 2, and UPA 3 and we discuss the mechanisms used in them to achieve anti-emulation. Each technique is presented by listing the code and explaining the inner workings in details. In the end, we manage to get a grasp of the current trends in achieving anti-emulation when developing modern packers.


Malware Packer Reverse-engineering Anti-emulation 


  1. 1.
    Branco, R.R., Barbosa, G.N., Neto, P.N.: Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-vm technologies. Blackhat, Las Vegas (2012)Google Scholar
  2. 2.
    Quist, D., Smith, V.: Covert debugging circumventing software armoring techniques. Black Hat Briefings, Las Vegas (2007)Google Scholar
  3. 3.
    Issa, A.: Anti-virtual machines and emulations. J. Comput. Virol. 8(4), 141–149 (2012). doi: 10.1007/s11416-012-0165-0 CrossRefGoogle Scholar
  4. 4.
    Chubachi, Y., Aiko, K.: Tentacle: Environment-sensitive malware palpationGoogle Scholar
  5. 5.
    Ferrie, P.: Anti-unpacker tricks–part one. Virus Bull. 4 (2008).
  6. 6.
    Yason, M.V.: The art of unpacking (2007). Retrieved 12 Feb 2008Google Scholar
  7. 7.
    Tan, X.: Anti-unpacker tricks in malicious code. In: Proceedings of 10th Annual AVAR International Conference (2007)Google Scholar
  8. 8.
    Ferrie, P.: The ultimate anti-debugging reference, p 14. Tech. rep. (2011)Google Scholar
  9. 9.
    Falliere, N.: Windows anti-debug reference (2007). Retrieved 1 Oct 2007Google Scholar
  10. 10.
    Gao, S., Lin, Q., Xia, M., Yu, M., Qi, Z., Guan, H.: Debugging classification and anti-debugging strategies. In: Fourth International Conference on Machine Vision (ICMV 11), pp. 83503C–83503C. International Society for Optics and Photonics (2011)Google Scholar
  11. 11.
    Chen, X., Andersen, J., Mao, Z. M., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: The 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2008, June 24–27, 2008, Anchorage, Alaska, USA, pp. 177–186 (2008)Google Scholar
  12. 12.
    Shields, T.: Anti-debugging–a developers view. Veracode Inc., USA (2010)Google Scholar
  13. 13.
    Qi, Z., Li, B., Lin, Q., Yu, M., Xia, Mingyuan, Guan, Haibing: SPAD: software protection through anti-debugging using hardware-assisted virtualization. J. Inf. Sci. Eng. 28(5), 813–827 (2012)Google Scholar
  14. 14.
    Yi, T., Zong, A., Yu, M., Gao, S., Lin, Q., Yu, P., Ren, Z., Qi, Z.: Anti-debugging framework based on hardware virtualization technology. In: ICRCCS’09 International Conference on Research Challenges in Computer Science, IEEE, pp. 218–220 (2009)Google Scholar
  15. 15.
    Linn, C., Debray, S.K.: Obfuscation of executable code to improve resistance to static disassembly. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS 2003, ACM, Washington, DC, October 27–30, 2003, pp. 290–299Google Scholar
  16. 16.
    Aycock, J., deGraaf, R., Jacobson Jr., M.: Anti-disassembly using cryptographic hash functions. J. Comput. Virol. 2(1), 79–85 (2006)CrossRefGoogle Scholar
  17. 17.
    Krügel, C., Robertson, W.K., Valeur, F., Vigna, G.: Static disassembly of obfuscated binaries. In: Proceedings of the 13th USENIX Security Symposium, August 9–13 2004, San Diego, CA, USA, pp. 255–270 (2004)Google Scholar
  18. 18.
    Ferrie, P.: Attacks on virtual machine emulators. Symantec Adv. Threat Res. (2008)Google Scholar
  19. 19.
    Ferrie, P: Attacks on more virtual machine emulators. Symantec Technol. Exch. 55 (2007)Google Scholar
  20. 20.
    Ormandy, T.: An empirical study into the security exposure to hosts of hostile virtualized environments. 2007. Ce court article de recherche analyse la sécurité de quelques solutions de virtualisation, dont certaines traitées dans mon mémoire. Lauteur analyse la robustesse et la résilience des applications testées (2007)Google Scholar
  21. 21.
    Reuben, J.S.: A survey on virtual machine security, vol. 2, p 36. Helsinki University of Technology. (2007)
  22. 22.
    Danny, Q., Smith, V.: Detecting the presence of virtual machines using the local data table. Offens. Comput. (2006)Google Scholar
  23. 23.
    Lau, B., Svajcer, V.: Measuring virtual machine detection in malware using DSD tracer. J. Comput. Virol. 6(3), 181–195 (2010)CrossRefGoogle Scholar
  24. 24.
    Raffetseder, T., Krügel, C., Kirda, E.: Detecting system emulators. In: Information Security, 10th International Conference, ISC 2007, Valparaíso, Chile, October 9–12, pp. 1–18 (2007)Google Scholar
  25. 25.
    Kang, M.G., Yin, H., Hanna, S., McCamant, S., Song, D.: Emulating emulation-resistant malware. In: Proceedings of the 1st ACM workshop on Virtual machine security, pp. 11–22. ACM (2009)Google Scholar
  26. 26.
    ODea, H.: The Modern Roguemalware with a Face. In: Proceedings of the Virus Bulletin Conference (2009)Google Scholar

Copyright information

© Springer-Verlag France 2017

Authors and Affiliations

  1. 1.Alexandru Ioan Cuza UniversityIasiRomania

Personalised recommendations