Select Page

As is well known, malware authors routinely use packers (aka “protectors) to disguise their files (as well as decrease their file size).

A number of AV products simply blacklist anything that’s packed, thus not having to bother with emulating the executable and finding out what’s really inside. (Like many AV companies, we do this for some obvious malware packers ourselves, but it has to be done with an extensive in-house whitelist to verify that you’re not going to get false positives.)

Just as a curious experiment, I recently packed notepad.exe into a variety of packer formats and submitted them to VirusTotal. (I’m not the first to do this exercise, either — a similar exercise was by shown by VirusBuster at CARO in May.)

This is a miniscule sample, but it allows you to see the various levels of aggressiveness on detecting packers by AV engines. It also shows why some engines have incredibly high detection rates on VirusTotal.

Notepad.exe packed with MEW (packing with FSG will likely show similar results as well).

Notepad.exe packed with UPX (UPX is the most common packer, used for many legitimate applications — it’s a very dangerous packer to blacklist, since false positives will be through the roof.)

Notepad.exe packed with PEspin

Notepad.exe packed with PECompact

In the end, blacklisting packers is going to be old news, because malware authors have changed and are now doing all kinds of exotic custom packing –– and in many cases, not packing at all.

Alex Eckelberry