Code Packers and Malware Detection

Why are there code packers?

  • Smaller executables.
  • Code obfuscation. Resist reverse engineering or hide from virus detection scanners.

Code obfuscation is a balancing act: the obfuscated code must still be executable by the machine, while being as hard as possible for a human analyst to interpret.

Examples

  • UPX. A widely accepted compression product, generally trusted. Easily unpacked, designed to be unpacked, not designed to resist reverse engineering, but designed to be extensible. Malware will generally pack code multiple times using multiple packers. As a result, what at first appears to be UPX can also use a custom packer to hide malware; see Malware packer integrates with UPX or Relations between spammed malware.
  • ASPack / AsProtect. Commercial compression and obfuscation (anti-reverse engineering) product.
  • SoftwarePassport™ (formerly Armadillo). Commercial compression, license tracking, piracy resistance and obfuscation (anti-reverse engineering) product.
  • NeoLite from NeoWorx. Commercial compression product.
  • PECompact. Commercial compression product.
  • PKLite
  • Petite
  • PolyCrypt PE
  • Shrinker
  • VBox
  • WWPack
  • Celsius Crypt PE 4 Black Graphics (indicates malware)
  • K! Cryptor 0.11 (indicates malware)
  • Daemon Crypt V2 Public (indicates malware)
  • Crum Polymorphic Packer (indicates malware)
  • many more

UPX is the predominant packer for both non-malware and malware. Because malware is frequently packed in layers, a malware-specific packer nested inside a UPX layer can be detected only after the UPX layer has been unpacked.

Malware detection based upon the packer found would be possible if reverse engineering proceeded far enough to identify a packer that is used exclusively by malware. Recognizing such a packer is sufficient to classify the code as untrustworthy; in general you don’t need to know exactly what the code does.
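The following is an added example, not code from the original post, showing the kind of triage the paragraph above describes: parse the PE section table, match section names against a small table of packer defaults, and fall back to byte entropy when the names have been changed. The marker table is illustrative (UPX0/UPX1/UPX2, .aspack/.adata and .petite are the stock names those packers emit; a modified packer can use any name), the 7.0-bit entropy threshold is a common heuristic choice rather than a standard, and the three sample images are constructed in memory with the `build_pe` helper so the script runs offline. It inspects only the outermost layer, so a second packer hidden under UPX, as the post describes, would only show up after that layer is removed.

```python
"""Packer triage for PE files: section-name markers plus byte entropy.

Added example (not from the original post). The marker table is illustrative;
packers can rename sections, so entropy is used as a name-independent signal.
"""
import math
import struct
from collections import Counter

# Assumption: stock section names each packer writes. A modified packer can
# rename them, which is why a name match is only one of two signals here.
PACKER_SECTION_NAMES = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "ASPack": {".aspack", ".adata"},
    "Petite": {".petite"},
}

# Compressed or encrypted data approaches 8 bits of entropy per byte;
# 7.0 is a heuristic cut-off chosen for this example.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Return [(name, raw_bytes)] for each entry in the PE section table.

    Only the fields needed for triage are decoded; malformed headers raise ValueError.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]      # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        entry = table + 40 * i
        name = image[entry:entry + 8].split(b"\0", 1)[0].decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def classify(image: bytes) -> dict:
    """Name the packer if a stock section name is present; otherwise judge by entropy."""
    sections = parse_sections(image)
    names = {n for n, _ in sections}
    matched = [p for p, markers in PACKER_SECTION_NAMES.items() if names & markers]
    entropy = round(shannon_entropy(b"".join(raw for _, raw in sections)), 2)
    if matched:
        verdict = matched[0]
    elif entropy >= HIGH_ENTROPY:
        verdict = "unknown-packer"   # renamed sections, but the bytes look packed
    else:
        verdict = "none"
    return {"packer": verdict, "entropy": entropy, "sections": sorted(names)}


def build_pe(sections) -> bytes:
    """Assemble a minimal, non-runnable PE image from [(name, raw_bytes)] for testing."""
    opt_size, pe_off = 0xE0, 0x40                     # PE32 optional header size; e_lfanew
    table = pe_off + 24 + opt_size
    ptr = table + 40 * len(sections)                  # raw data follows the section table
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, blobs = [], []
    for name, raw in sections:
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000,
                                   len(raw), ptr, 0, 0, 0, 0, 0x60000020))
        blobs.append(raw)
        ptr += len(raw)
    return dos + coff + b"\0" * opt_size + b"".join(headers) + b"".join(blobs)


# Constructed test images (not real binaries); payloads chosen for known entropy.
SAMPLE_UPX = build_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 4)])        # 8.0 bits
SAMPLE_RENAMED = build_pe([(".text", bytes(range(256)) * 4), (".rsrc", b"\0" * 16)])
SAMPLE_CLEAN = build_pe([(".text", b"\x90" * 512), (".data", b"\0" * 512)])    # 1.0 bit

if __name__ == "__main__":
    for label, img in (("upx", SAMPLE_UPX), ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)):
        print(label, classify(img))
```

Treat the name match as a hint and the entropy as corroboration: a high-entropy image with no known marker is exactly the case where the post's "exclusive malware packer" reasoning applies only once someone has reverse engineered the new packer and added its fingerprint to the table.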
