PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

IEEE Proposes Taggant System to Trap Malware Creators

Neil J. Rubenking
 & Neil J. Rubenking Principal Writer, Security

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

When the FBI investigates a suspicious explosion, its lab experts can often determine the source of the explosive by checking for specific taggants—chemical additions to the explosive substance. Today at the Black Hat conference in Las Vegas researchers from major security companies announced an initiative by the IEEE that proposes using a similar technique to identify certain malware creators.

The big problem with identifying modern malware is that any given threat may come in thousands of slightly different forms. One way the malware creators produce this plethora of polymorphic problems involves using "packers," or tools designed to compress applications into smaller packages. They have other valid uses, including hindering reverse-engineering and protecting interpreted code. But malware creators misuse this tool for their own ends.

Mark Kennedy, chair of the IEEE's Industry Connections Security Group (ICSG), and Igor Muttik, vice chair of the ICSG, jointly presented a proposed solution. Outside of IEEE, Igor Muttik is senior architect with McAfee, and Mark Kennedy is a distinguished engineer in security technology and response with Symantec.

The group proposes that all packer vendors include a tiny free code library that will uniquely identify a packed file's origin and validate its integrity using a digital signature. Security vendors would be able to read and verify this tag. Any packed file lacking the tag would be considered highly suspect.

Recommended by Our Editors

Wikipedia Editors Could Strike Following Layoffs
Wikipedia Editors Could Strike Following Layoffs
Blue Origin’s New Glenn Rocket Explodes Spectacularly During Ground Test
Blue Origin’s New Glenn Rocket Explodes Spectacularly During Ground Test
Google Engineer Charged for Using Insider Info to Win $1.2M on Polymarket Bets
Google Engineer Charged for Using Insider Info to Win $1.2M on Polymarket Bets

"We think the IEEE Software Taggant System will drive malware developers away from compliant packers, which would both improve our chances of catching rogue operators and allow antivirus software to more efficiently process legitimate executable files created by packer software," Kennedy explained.

At present all packed files are considered slightly suspicious; the taggant system would benefit packer vendors by eliminating this taint from verified packed files. Security vendors benefit by avoiding false positives and more clearly identifying malicious packed files. And users benefit by heightened security.

The taggant system doesn't yet exist, but the IEEE has issued a request for proposals and an initial implementation is planned for November 2011. You won't notice anything different; the activity is all well below the level a user can see. But this simple proposal should help the good guys in their fight against malware creators. The ICSG hopes to end the problem of packed malware within two to three years.

About Our Expert

Neil J. Rubenking

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio