Improved Generic Unpacking

We shipped a new version of our component avsbx.dll last week. avsbx contains our generic unpacking routines. With the new version we improve our generic unpacking and can detect a significantly increased amount of malware. Our developers also managed to improve the speed of avsbx.

Generic unpacking is necessary because many (malware) executables are compressed using runtime packers. From the programmer's point of view runtime compression has two advantages: the executables are smaller in size, so there is less to download. Also, it is harder to analyse the software, as the program code is obfuscated – sometimes even encrypted – this way.

For many known runtime packers like the well-known UPX we have static unpackers. These either use the available specifications of the format to unpack the binary, or, more often, we have to reverse engineer the compression format ourselves.

But the malware authors try to get around this by modifying existing packers or developing new ones. These binaries have to be unpacked with generic routines.
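Before a static or generic unpacker is even tried, a scanner needs a cheap hint that a file is runtime-packed at all. As an added illustration (not avsbx code), the check below uses two common heuristics: compressed or encrypted code has byte entropy close to 8 bits, while plain x86 code stays well below that, and some packers leave recognisable section names (UPX0/UPX1 are UPX's defaults). The sample sections are constructed inline; the 7.0 threshold is an assumed, commonly used cut-off.

```python
import math
from collections import Counter

# Compressed or encrypted data approaches 8 bits/byte; ordinary native code
# is usually well below 7. The cut-off is an assumption, tune it per corpus.
PACKED_ENTROPY_THRESHOLD = 7.0
# Default section names written by the UPX packer.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_sections(sections: dict) -> list:
    """Return the reasons a binary looks runtime-packed (empty list = no hint)."""
    reasons = []
    for name, data in sections.items():
        ent = shannon_entropy(data)
        if ent >= PACKED_ENTROPY_THRESHOLD:
            reasons.append(f"{name}: high entropy {ent:.2f}")
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append(f"{name}: known packer section name")
    return reasons

def looks_packed(sections: dict) -> bool:
    return bool(assess_sections(sections))

# --- Constructed sample data, not taken from a real binary ---------------
def _keystream(seed: int, n: int) -> bytes:
    """Deterministic LCG byte stream standing in for compressed/encrypted code."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)

# Repetitive function-prologue-like bytes: what unpacked code tends to look like.
PLAIN_CODE = bytes.fromhex("558bec83ec105356578b7d0833c0") * 300
# The same code "packed": XORed with a pseudo-random stream, so it is near-uniform.
PACKED_CODE = bytes(a ^ k for a, k in zip(PLAIN_CODE, _keystream(1, len(PLAIN_CODE))))

UNPACKED_SAMPLE = {".text": PLAIN_CODE, ".data": b"\x00" * 1024}
PACKED_SAMPLE = {"UPX0": b"", "UPX1": PACKED_CODE, ".rsrc": b"\x00" * 512}

if __name__ == "__main__":
    for label, sample in (("plain", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, looks_packed(sample), assess_sections(sample))
```

A positive result only says "worth unpacking first"; high entropy is also normal for embedded resources such as images or archives, so the entropy rule should be applied to code sections rather than the whole file.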

An unpacked executable can be further analysed with heuristic, generic and static detection routines, so improving the generic unpacking also improves the detection capabilities of our software.

Dirk Knop
Technical Editor