An Introduction to Packers

Packing technology is really just compression. You know, ZIP, CAB, RAR, and so on. There are many types of packers and some people even write their own. The way a packer compresses the file is called an algorithm. There are many different algorithms and unless you know what one was used, or have a tool to unpack the file you will not be able to use the file.

A simplistic explanation of packers, or compression (same thing) is that symbols are used to represent repeated patterns.

Take the following sentence:

The monkey does not know he is a monkey, he thinks that you are the monkey.

What if we replace the word “monkey” with “%”?

The % does not know he is a %, he thinks that you are the %.

The sentence has fewer characters, but unless you know our “algorithm” you won’t know what the sentence means.

How about “The * does not know he is a *, he thinks that you are the *.”

Since I have not told you what the “*” replaces you don’t know if now I am talking about cats, pigs, aliens, or what.

If I live in a place where I am not allowed to say the word “Freedom”, this technique allows me to effectively say the word “Freedom” to anyone who understands the algorithm, but the authorities will not see the word if they scan my emails.

A packed file can contain malware and unless your anti-virus product knows how to unpack the file the malware will not be detected. On the bright side, if the malware is packed it cannot infect your computer. That would seem to be the end of the story, except that we have something called run-time packers. Here is how they work. The packed file is an executable (program) that is only partially packed. A tiny bit of the program is not packed. The beginning of the program is not packed so, when you run the packed executable it starts unpacking the rest of the file. The un-packer tool is built right in.

Runtime packers are used by malware authors because it makes it much harder to detect the malware. One of the strengths of the type of heuristics that ESET, and some other vendors, use is that we create a virtual computer in the scanning engine and run the program. This can force a run-time packed program to unpack itself, saving us the trouble of needing to know the algorithm.

There’s always a catch though… a crafty programmer can make the program detect it is running in a virtual environment and then the program may not unpack itself or may only unpack harmless parts of itself to fool the virus scanning program.

There is another approach to dealing with the problem. Some companies pretend like they detect malware when they actually simply detect anything that is packed with specific types of packers. This makes them score better on tests that are not well constructed. We have encountered very few packing technologies that are ONLY used for bad software. This means that good software that is packed is detected as infected by those companies who only detect the packer. These are false positives.

Another approach is to combine recognition of packers with more sensitive behavioral detection as simply being packed with some programs makes the file very, very suspicious. Many of the threats we see are packed with a program called “Themida”. The program itself is often used for copy protecting software, but it was a difficult packer to reverse engineer. The malware writers knew this so they started using the technology extensively. Themida is an example of a runtime packer.

The key thing about packers is that in addition to making files smaller, they also break traditional signatures, so a heuristic approach is required in order to detect the packed files without creating false positive on legitimate software.

If you have any questions on this topic, or other security topics, feel free to email askeset@eset.com. The address is not for technical support however.

Randy Abrams
Director of Technical Education

Author ESET Research, ESET

  • otoman

    i love this blog and topic. if you go little bit deeper and technical it wll be mind blowing. Plz keep posting.
    Thank you very much
    Otoman

  • Don

    why doesnt nod32 use runtime packer protection as default. should i activate it and how will it adversely affect my system?

    • Randy Abrams

      Personally I enable runtime packer protection. The impact is that it slows the system down a bit when scanning a runtime packed file. It takes cpu cycles to do the unpacking on the fly. Try enabling it. If you don’t notice a difference or the difference is acceptable then you’ve increased your security. There’s always a trade of between security and usability and yo’ll have to decide for yourself if the cost is reaonable.

  • Don

    i am using version 4

  • gettox

    Nice! but look that at  the end, this still meaning that we'll be suspecting in any message that our anti-virus tell us when a run-time packer is running or is unpacking, so gonna be a bother for the users in some way, but thanks so much for the explanation Mr Abrams.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.