What's a packer and why are they used?

Today we demonstrate what a packer is, why it might be used, and a simple way to unpack the example given. Watch the analysis video for details. There are numerous packers on the market. Some work better than others, some provide more compression while others offer higher levels of protection. Either way, packers can be used for good and evil and they are certainly an interesting security topic.

Video

Understanding Binary Packers and How to Analyze Them During Malware Analysis

Binary packers are software tools used to compress and encrypt executable files. They are often used by malware authors to obfuscate their code and make it difficult for antivirus software to detect the malware. As a result, analyzing binary packers is an important aspect of malware analysis. In this blog post, we'll provide an overview of binary packers and discuss some techniques for analyzing them.

What Are Binary Packers?

Binary packers are software tools that are used to compress and encrypt executable files. They are typically used to reduce the size of the executable file and to protect the code from reverse engineering. By compressing the executable file, binary packers make it more difficult to detect malware with traditional signature-based antivirus software. Additionally, by encrypting the executable file, binary packers make it more difficult for researchers to analyze the code.

How Are Binary Packers Used in Malware?

Malware authors use binary packers to obfuscate their code and evade detection by antivirus software. By using binary packers, malware authors can create polymorphic malware that looks different each time it is executed. This makes it more difficult for signature-based antivirus software to detect the malware.

How to Analyze Binary Packers

There are several techniques that can be used to analyze binary packers during malware analysis. Some of these techniques include:

1. Static Analysis

Static analysis involves examining the executable file without executing it. By using static analysis tools, you can examine the compressed and encrypted sections of the executable file to determine if it contains malware. Additionally, you can use static analysis to identify the type of packer that was used and to determine if there are any known vulnerabilities that can be used to bypass the packer.

2. Dynamic Analysis

Dynamic analysis involves executing the malware in a controlled environment and observing its behavior. By using a debugger, you can step through the code and examine the decrypted sections of the executable file. Additionally, you can use dynamic analysis to identify any network connections made by the malware and to determine if the malware is communicating with a command-and-control server.

3. Unpacking the Binary

Unpacking the binary involves extracting the compressed and encrypted sections of the executable file. This can be done by using a tool that is designed to unpack the specific type of binary packer that was used. Once the binary has been unpacked, it can be analyzed using static and dynamic analysis techniques.

Conclusion

Binary packers are an important aspect of malware analysis, as they are often used by malware authors to obfuscate their code and evade detection by antivirus software. By using a combination of static and dynamic analysis techniques, as well as unpacking the binary, researchers can gain a better understanding of the malware and its behavior. As always, it's important to conduct all malware analysis in a controlled and secure environment to prevent the malware from spreading to other systems.