Statistics from public malware repositories suggest that there are now almost 1M new samples ingested daily. But how many of these samples are truly unique? How much malware is really being produced, and how much is just the result of packing services repeatedly re-packing the same few samples?
Market pressures in the online criminal economy have forced the rapid evolution of dark-market malware packing businesses. These businesses now offer packing-as-a-service, producing freshly packed, undetectable malware with a single API call. The result has been a steady increase in the volume of malware samples over the past few years, most of which are packed.
To better understand the relationship between these packed samples, dark-market packing services, and individual strains of malware, we built an automated unpacking service capable of scaling to process this influx of new malware. For the past few months we have been running this service across hundreds of thousands of new malware samples, and the results are in!
In this talk we present our findings along with a detailed look at modern packing and evasion techniques and the artifacts generated by the automated packing services that employ them. We will also discuss our research into automated unpacking at scale.