IEEE Software Taggant System: Anti-False Antivirus Protection
In this post I want to talk about the IEEE Software Taggant system, which was developed by the IEEE working group on malware in collaboration with leading information security companies.
The Guardant development team’s plans have long included adding IEEE Software Taggant support to the Guardant Armor protector, and finally we did it. A brief overview of the system and practical conclusions in front of you.
Why is an antivirus panicking?
There is no user who does not encounter the problem of false antivirus triggering. The reaction of an ordinary person most often comes down to deleting a “suspicious” file, which is often not only not harmful, but rather useful and sometimes valuable. In turn, programmers, knowing about such jokes, can fall into irritation close to stress. Neither one nor the other contributes to effective work.
Often such triggers occur on files protected by various protectors. The thing is that modern protectors make heavy use of code obfuscation. By obfuscation, I mean mutation and code virtualization technologies, as well as their combination. Obfuscation is used to make it difficult to analyze source code for a certain number of methods and tools. It is the obfuscated sections of code that panic the heuristic antivirus analyzer.
A few years ago, a real battle broke out between antivirus companies and protectors. Losing, antiviruses decided to ban all packers that are not used in commercial and widespread software. Then even several well-known packers were banned. Over time, the situation returned to normal, but there is still no complete solution to the problem.
The constant development of code obfuscation technologies, the replacement of the original code with pseudo-code, executed during the operation of a protected application, seriously complicated the analysis and affected the performance when scanning protected files with antivirus. The wide variety of protectors used for both legitimate and malicious purposes creates problems for the antivirus industry. A serious security risk is the authors' use of malicious code (trojans, viruses, etc.) of protectors to hide their code from detection. This technique has also been applied on the server side (server polymorphism), as a result of which it has become much more difficult to detect and counter threats from malicious code. Antiviruses are not able to determine
Control the distribution of protected files
Heuristic analysis was invented by antivirus companies to detect new threats and is partly necessary for them to collect suspicious files. The probability of false positives in our case is much greater, therefore, antiviruses maintain a “white” list of signatures for commercial packers. This partly helps to improve the situation, but it still leaves the opportunity for antiviruses to feel "with impunity." Like "gods" playing dice, they are able to give out a harmless file for a virus. To justify their existence, antiviruses are forced to complicate the analysis and come up with additional control schemes. For protectors, they decided to implement a system of complete control over the distribution of protected files. The system allows you to block only files from unreliable publishers of protected software and show loyalty to files from trusted sources.
Antivirus intensively use digital signatures to authenticate a file. Validated by reputable organizations, digital signatures provide a reliable way to track the source of a file. Such organizations are unlikely to sign malicious code with their certificate. But not always a digital signature is enough. There are known cases of infection when the file contained a valid digital signature, because the virus was introduced at the compilation stage of the program. However, the responsibility for applying the digital signature lies with the tread user, and a high level of trust is required for the publisher of the certificate.
In 2010, the IEEE Malware Working Group began discussing how to develop a system - now called the IEEE Software Taggant - to help identify a specific tread user. The term "taggant" is borrowed from the system used for explosives, in which a chemical marker is added that can be traced to, or even after, an explosion. The IEEE Software Taggant System embeds a cryptographic token in the output executable file created by any protector installation. This allows identification of the unique tread license that was used to protect the file.
The IEEE Software Taggant was preceded by the practice of using watermarks. Watermarks contain encrypted license information. The most responsible tread developers include two sets of watermarks in an executable file. One to identify the tread, the second to uniquely identify the license. Nevertheless, there is no single standard for the use of “watermarks”, and each developer of the tread is free to act.
According to the developers of the system, the introduction of the new term “taggant” is ambiguous. On the one hand, this eliminates the use of the terms “watermark” and certificate, on the other hand, the IEEE Software Taggant system includes the characteristics of both of these tools, although it is very different in its scope and performance.
IEEE Software Taggant is effective only if it is used simultaneously with a tread and antivirus. The system uses the public key infrastructure (PKI), while the root and trusted centers control IEEE. If you are a tread vendor, you need to register with IEEE to generate Software Taggant licenses. The license must be transparent to tread users and integrated into the installer before selling.
Before releasing a new tread, vendors are advised to protect a representative sample of 10-20 files with various protection parameters and put it on public display. Antiviruses, in turn, must make sure that there are no false positives from the heuristic analyzer. The reputation of the file with the Software Taggant marker should be higher than that of the file without it.
When a protected malware with the Software Taggant marker is detected, the license with which the malware was protected becomes a candidate for blacklisting. The community recommends that antiviruses quickly share information to create a complete list of blocked licenses.
How is Software Taggant different from a regular Authenticode digital signature on Microsoft Windows?
The IEEE Software Taggant system allows hash calculations for small critical sections of the program to minimize software integrity verification time (Authenticode always spans the entire file, so the verification time depends on the file size). This is important for antiviruses, as it allows them to work in quick scan mode. Another interesting thing is that if you have an Internet connection, a trusted time marker for creating a marker (according to RFC 3161) is added, which allows antiviruses to selectively add to the blacklist (block software only after a certain moment of compromise).
For the PE format, there is an analogy with the digital signature of Windows. The Taggant structure is written to the end of the PE file as an overlay. If the original overlay is present in the file, then the structure is written after it. To calculate the hash sum, the SHA2-256 algorithm is used. The easiest way to add Taggant to a PE file is to use a utility with the familiar name SignTool.
> SignTool.exe SimpleTest-x86.exe license.pem
SignTool Application (adds Taggant v2 to files)
SPV Taggant Library version 2
License file is valid, expiration date is Sat Apr 03 23:59:59 2027
File hashes computed successfully
Timestamp successfully placed
Prepare the taggant
Taggant successfully created
Taggant is written to file
Microsoft digital signature does not conflict with Taggant, because is added after the taggant structure and covers the entire file, including taggant.
The IEEE Software Taggant system was developed as a specialized and universal solution for antiviruses and protectors, which is undoubtedly an indisputable advantage over other methods of file authentication. Antiviruses receive:
- The ability to identify the specific license used to generate malware. This allows you to blacklist individual licenses without blocking the entire tread.
- the ability to quickly identify the version and license of the packer, which are used in a clearly defined safe mode, without the need to unzip files. This should improve performance when scanning files.
- the ability to identify modified versions of files. Such files can be blacklisted.
- the ability to track license history to enhance the reputation of a particular tread user.
All of these features should reduce the risk of false positives and increase productivity when scanning protected files.
We hoped to reduce false positives for antiviruses, because the system appeared a long time ago. But alas, the miracle did not happen. First, look at the results of VirusTotal:
Protected file without Taggant:
Protected file with Taggant:
Protected file with Taggant and Microsoft signature:
Little-known antiviruses do not react to the presence of Taggant signatures, they react more precisely, but vice versa. For them, the Microsoft signature is still an important argument.
Kaspersky Endpoint Security also upset us. It quarantines the file regardless of whether it has a Taggant signature or a Microsoft signature. As before, only disabling the heuristic analyzer helps. In this case, a scan for VirusTotal by Kaspersky Anti-Virus says that the file is clean.
Apparently, not all antiviruses are in a hurry to integrate Taggant support into their engines. The IEEE bureaucracy is also a concern. Correspondence with this organization took us a huge amount of time. For a simple developer, getting into the white lists of legal software distributors may be more difficult than using the Microsoft digital signature mechanism. Nevertheless, Taggant is a worthy alternative to watermarks, and we hope that the system will be gradually implemented. In the meantime, Microsoft's signature is a more powerful argument for antiviruses.