Packers - O-LavenderAshburn/Knowledgebase_MalwareAnalysis GitHub Wiki
What Are Malware Packers
Packers are software that hides malicious code by means of obfuscation, encryption/encoding and/or compression. Packers themselves are not delivered to the victim machine; they are applied to the malicious executable beforehand. For packed malicious code to be executed, the malware must first 'unpack' itself (deobfuscation, decryption and/or decompression).
Why They Are Used
Malware packers are used for detection evasion and to evade security controls. Packed malware has a different hash fingerprint from the unpacked malicious code, which makes it hard to identify by hash. Packed malware is also harder to analyse statically because of the encryption and/or compression.
- Obfuscation – Malware code is modified to make it difficult to understand or analyse while still maintaining its functionality. This could involve renaming functions, variables or sections of code, or inserting unused junk code, to make static analysis more challenging.
- Encryption – The malicious payload is encrypted, and only after the malware has been unpacked and decrypted can the payload be executed.
- Encoding – Malicious code is transformed into a different format (such as Base64 or a custom encoding) so that automated detection tools or human analysts cannot easily recognise it.
- Compression – Malware is compressed to reduce its size, often making it more difficult to detect due to changes in its structure. Commonly used compression methods can also hide the malware's true content from detection software.
Common Malware Packers
Packers such as UPX, Zip and FSG are some common packers, but packers are not limited to these. Adversaries can also create custom packers that are harder to detect with tools such as PEiD, which makes analysis harder.
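The two observations above, that packing changes the file hash and that compressed or encrypted content resists static analysis, are what an analyst's packer heuristics key on. The following Python example is added here and is not code from the wiki: it measures Shannon entropy per section, flags the `UPX0`/`UPX1` section names that UPX leaves in a packed PE, and shows that compressing a buffer changes its SHA-256. The section buffers are constructed in the script (a fake `.text` of C-like source, a zlib-compressed copy of it, and a pseudo-random blob standing in for an encrypted payload), and the 7.0 bits-per-byte threshold is a common rule of thumb, not a fixed standard.

```python
"""Packer heuristics over PE-style sections: entropy, UPX section names,
and hash change after compression. Added example, not from the wiki."""
import hashlib
import math
import zlib
from collections import Counter

# Section names that UPX writes into a packed PE (UPX is named on the page).
UPX_SECTION_NAMES = {"UPX0", "UPX1"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0. Compressed or encrypted data
    sits close to 8.0; ordinary code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    """Hash fingerprint of a buffer, as an analyst would record it."""
    return hashlib.sha256(data).hexdigest()


def assess_sections(sections, threshold: float = 7.0) -> dict:
    """sections: iterable of (name_bytes, body_bytes) as read from a PE
    section table. Returns {name: {"entropy": float, "indicators": [...]}}.
    A section gets 'high-entropy' above the threshold (rule of thumb, 7.0)
    and 'upx-section-name' if its name is one UPX uses."""
    report = {}
    for raw_name, body in sections:
        name = raw_name.rstrip(b"\x00").decode("ascii", "replace")
        entropy = shannon_entropy(body)
        indicators = []
        if entropy > threshold:
            indicators.append("high-entropy")
        if name in UPX_SECTION_NAMES:
            indicators.append("upx-section-name")
        report[name] = {"entropy": round(entropy, 2), "indicators": indicators}
    return report


def is_likely_packed(report: dict) -> bool:
    """Any indicator on any section is enough to route the sample for
    dynamic analysis or manual unpacking."""
    return any(entry["indicators"] for entry in report.values())


# --- Constructed sample sections (not real malware) ---------------------
# Fake .text: repetitive C-like source, low entropy like real code/text.
PLAIN_CODE = b"".join(
    b"    int var_%d = compute(%d, %d);\n" % (i, i * 7, i * 13) for i in range(400)
)
# The same bytes after compression: smaller, higher entropy, different hash.
COMPRESSED = zlib.compress(PLAIN_CODE, 9)
# Pseudo-random blob (SHA-256 outputs) standing in for an encrypted payload.
OPAQUE = b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(256))


def demo() -> dict:
    """Run the heuristics over the three constructed sections."""
    return assess_sections(
        [(b".text\x00\x00\x00", PLAIN_CODE), (b"UPX1\x00\x00\x00\x00", COMPRESSED), (b".data\x00\x00\x00", OPAQUE)]
    )


if __name__ == "__main__":
    for name, entry in demo().items():
        print(f"{name:<8} entropy={entry['entropy']:.2f} indicators={entry['indicators']}")
    print("likely packed:", is_likely_packed(demo()))
    print("hash before :", sha256_hex(PLAIN_CODE))
    print("hash after  :", sha256_hex(COMPRESSED))
```

Entropy alone gives false positives on legitimate resources (embedded images, certificates, already-compressed data), so in practice the section-level score is combined with other signals such as known packer section names, a tiny import table, or code in a section marked writable before deciding to unpack.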