Skip to Main Content

IEEE Proposes Taggant System to Trap Malware Creators

When a bomb explodes, taggants help the FBI track down the creator. Software taggants in packer tools will help security companies in much the same way.

August 3, 2011

When the FBI investigates a suspicious explosion, its lab experts can often determine the source of the explosive by checking for specific taggants—chemical additions to the explosive substance. Today at the Black Hat conference in Las Vegas researchers from major security companies announced an initiative by the IEEE that proposes using a similar technique to identify certain malware creators.

The big problem with identifying modern malware is that any given threat may come in thousands of slightly different forms. One way the malware creators produce this plethora of polymorphic problems involves using "packers," or tools designed to compress applications into smaller packages. They have other valid uses, including hindering reverse-engineering and protecting interpreted code. But malware creators misuse this tool for their own ends.

Mark Kennedy, chair of the IEEE's Industry Connections Security Group (ICSG), and Igor Muttik, vice chair of the ICSG, jointly presented a proposed solution. Outside of IEEE, Igor Muttik is senior architect with , and Mark Kennedy is a distinguished engineer in security technology and response with .

The group proposes that all packer vendors include a tiny free code library that will uniquely identify a packed file's origin and validate its integrity using a digital signature. Security vendors would be able to read and verify this tag. Any packed file lacking the tag would be considered highly suspect.

"We think the IEEE Software Taggant System will drive malware developers away from compliant packers, which would both improve our chances of catching rogue operators and allow antivirus software to more efficiently process legitimate executable files created by packer software," Kennedy explained.

At present all packed files are considered slightly suspicious; the taggant system would benefit packer vendors by eliminating this taint from verified packed files. Security vendors benefit by avoiding false positives and more clearly identifying malicious packed files. And users benefit by heightened security.

The taggant system doesn't yet exist, but the IEEE has issued a request for proposals and an initial implementation is planned for November 2011. You won't notice anything different; the activity is all well below the level a user can see. But this simple proposal should help the good guys in their fight against malware creators. The ICSG hopes to end the problem of packed malware within two to three years.