Top 13 popular packers used in malware
Malware can wreak havoc on just about any system, and packers help malware stay one step ahead of security software. But what exactly do packers do? How can they be detected? And finally, what are some of the most popular packers used in malware today?
We will answer these questions and more in this article. But first, let’s take a closer look at packers and how they function.
Become a certified reverse engineer!
What is a malware packer?
For many years, packers were used for completely innocent reasons. Often known as a “runtime packer,” this software compresses files and then unpacks itself when a program or file is ready to be executed.
As technology advanced, this kind of file size compression became less of a necessity. Nonetheless, packers are still used today, primarily for malware files.
In essence, a malware packer is a tool used to mask a malicious file. Packers can encrypt, compress or simply change the format of a malware file to make it look like something else entirely. The process of packer compression or encryption takes the file from its original code to a new state using tried-and-true obfuscation techniques.
As a result, malware can remain in a system undetected by antivirus software, anti-malware products and other security software, harming the integrity of your system and the security of your data. This is why it is so important to understand how packers can be used in malware.
However, each packer functions a little differently. You will need to know a little about some of the most popular packers used in malware in order to detect them in your own system.
Top 13 popular packers used in malware
It is important to reiterate that packers are not inherently malicious; they are simply a tool used to make certain malware more effective by being harder to detect.
In order to protect your system from malware and start reverse-engineering the malicious code, you will need to know what kind of packers are most commonly used in malware. Here are the top 13 most popular packers used in malware today.
UPX
UPX is short for the “Ultimate Packer for Executables.” It uses an open-source algorithm that does not require any additional system memory for decompression.
The Enigma Protector
Like most packers, The Enigma Protector is marketed for individuals and businesses who want to protect their files from hacking. Nonetheless, The Enigma Protector is commonly used to obfuscate malware.
MPRESS
MPRESS was originally designed to compress files and decrease application start times. While this free software is extremely useful for regular file compression, it is also easily accessible to hackers and other malware writers.
Exe Packer 2.300
Exe Packer 2.300 is a standard, free software for file compression and decompression. Since it has been around for years, Exe Packer 2.300 is one of the most popular packers for malicious file obfuscation.
ExeStealth
ExeStealth is a tool that encrypts files to avoid detection and hacking. Designed by WebToolMaster, this free software is simple to implement and one of the best anti-hacking tools on the market, which also makes it effective at hiding malware code in your system.
Morphine
Unlike most other packers, Morphine includes its own PE loader, allowing users to encrypt the output of compressed data. The polymorphic engine is also used to create completely unique decryptors for malware.
Themida
Themida was developed by Oreans to protect Windows applications from hackers. Unfortunately, it can also be used to encrypt malicious files and complicate attempts to reverse-engineer malware.
MEW
MEW is primarily used for smaller malware file compression using the LZMA algorithm. Even though it was designed for small files, it has been updated over time so that it can also obfuscate larger malware files.
FSG
The free, simple FSG software compresses both small and large files. While it is popular and commonly used to hide malware code, it is also relatively simple to unpack through a decompression loop that writes the data to the final destination.
PESpin
PESpin compresses Windows code using MASM. It protects files against patching and disassembling, making it a popular resource for malware authors.
Andromeda
While Andromeda refers to a botnet that has been around since 2011, it is also a custom packer. Custom packers are especially dangerous because they are not as simple to reverse-engineer.
VMProtect
VMProtect is very popular, as it can encrypt a wide range of files, including executable files, drivers and dynamic-link libraries. When an application encrypted by VMProtect is opened, the packer does not decrypt anything; instead, it runs on a virtualized code.
Obsidium
Obsidium works for both 32-bit and 64-bit Windows applications. This software is capable of encrypting, compressing, and obfuscating malware.
How to detect malware packers
Since most malware packers make it difficult to find and analyze malicious code, it may be necessary to use a script specifically designed for packer detection. Thankfully, there are a number of packer-detecting tools available. Here are some of the best tools for identifying malware packers:
In addition to identifying packers used in malware, you will also want to find ways to set up a virtual environment and analyze malware behavior. Here is a useful guide for reverse-engineering malware packers.
Conclusion
Packers are not inherently bad. In fact, they are one of many security solutions that can help protect files, data and applications. However, they are also a great resource for malware developers. They obfuscate file code, making it very difficult to locate and analyze malware on your system. Some packers use common algorithms, while others use custom code to compress and/or encrypt files.
In any case, the more you know about popular packers used in malware, the more equipped you will be to identify and unpack malware in your own system.
Become a certified reverse engineer!
Sources
- Windows Executable Packer Detection, Opentext
- PackerID, GitHub
- PEiD, Softpedia
- RDG Packer Detector, RDGsoft
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Top 13 popular packers used in malware
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis