1

I'm working in a large SOC and my manager has tasked me with finding some way to provide coverage for Themida packed malware samples.

As alluring as it is to suggest just blacklisting all Themida packed software and calling it a day, I would like to do my due diligence before I take that approach.

I noticed that Themida claims to digitally watermark their executables to protect against piracy, and copies of the software are available for torrent on many pirate sites. I was wondering whether the software left the watermark on the packed executables, and whether the pirated software leaves a watermark on the packed binaries that could be signed against.

I know that this is a thing based off of the answer to this post: How common are virtualized packers in the wild?, but the person who answered provided sources for all of his other claims besides this one.

solumnant
  • 173
  • 1
  • 13

1 Answers1

2

From Oreans KB:

The Taggant System is a cryptographic signature added to a software to fight against antivirus false positives in protected applications. The Taggant information in your Themida/WinLicense license contains an internal ID and your private key to insert and sign the protected binary with your Taggant information, so antivirus companies can detect that the application is protected by a trusted customer and not report it as false positive. Notice that if a license is leaked and used to protect malware/virus, antivirus companies will blacklist that Taggant signature and anything protected with that license will be marked as virus/malware.

More information about the IEEE Software Taggant System:

Please, notice that we are expecting that antivirus companies will enable the Taggant System into their products as soon as possible, but it might take some time till the Taggant System is fully ready in all antiviruses companies.

When you enable the “Taggant Information” option you will require internet connection in protection time to compute your Taggant information and be able to insert it inside the protected binary (it connects to “http://taggant-tsa.ieee.org/”). If no internet connection is available in protection time, your application will be protected normally, but it won’t contain any Taggant information.

So supposedly the legit binaries should have a valid tag signed with a non-blacklisted certificate. See the links for more details. There is some code on Github too.

EDIT apparently the taggant servers were shut down in 2018 so probably this can't be used for real-time checks anymore but maybe you can still detect bad files if tags are added by the leaked versions...

Igor Skochinsky
  • 36,553
  • 7
  • 65
  • 115
  • Taggants are dead to to lack of industry uptake, the IEEE page describing taggants has had the details section scrubbed: http://vmpsoft.com/20180505/ieee-amss-taggant-system-will-shut-down-on-31-july-2018/ https://standards.ieee.org/industry-connections/icsg/amss.html – solumnant May 02 '19 at 19:03
  • I think the best way to go would be to just block Themida packed PE files, taggents are only present if they are enabled by the packer at packing time and the packer is connected to the internet. I don't believe that the environment around taggents was ever mature enough to be supported by any library. – solumnant May 16 '19 at 16:46