Packers have traditionally been employed to reduce executable footprints by compressing the executable. They have since evolved to prevent patching and reverse engineering of the underlying application by integrating encryption, obfuscation and anti-debugging technology, but they have never carried their own payloads.
A new batch of samples has recently been observed here in SophosLabs that exhibit traditional packer-related features, such as encryption, compression and obfuscation, and more. This hybrid packer has built-in functionality to modify personal firewall rules so that the host program (once unpacked) gains unauthorised network access.
This method of attack has traditionally been the realm of custom-built Trojans and network worms, which leads us to believe that this new development indicates the packer itself will be used, and can only be used, for malicious purposes.
The distinction between wrapper and content has now become as muddied as a winter football field and may justify many security professionals’ paranoia with packed files.
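The behaviour described above gives defenders two things to look for: an executable that has been added to the personal firewall's allow-list, and an executable whose contents look packed or encrypted. The script below is an added example written for this post; it is not SophosLabs code and does not relate to the specific samples discussed. It assumes the Windows XP SP2 firewall allow-list layout (registry key `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List`, where each value is `<path>:<scope>:<Enabled|Disabled>:<display name>`), and the allow-list entries, file contents, suspicious-directory list and entropy threshold are all constructed for the example.

```python
import math
from collections import Counter

# Constructed allow-list entries in the XP SP2 AuthorizedApplications\List format.
# In a real audit these would be read from the registry; here they are embedded.
FIREWALL_ALLOW_LIST = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe":
        r"C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe:*:Enabled:svchost",
}

# Constructed file contents standing in for the two executables above.
# A plain, mostly zero-filled image has low entropy; a byte-uniform image has
# entropy 8.0, which is what a compressed or encrypted packed section looks like.
PLAIN_SAMPLE = b"MZ" + b"\x00" * 4094
PACKED_SAMPLE = bytes(range(256)) * 16
SAMPLE_FILES = {
    r"C:\Program Files\Messenger\msmsgs.exe": PLAIN_SAMPLE,
    r"C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe": PACKED_SAMPLE,
}

# Assumed heuristics: directories a legitimate firewall exception rarely points
# into, and the Shannon-entropy level (bits per byte) above which data is
# usually compressed or encrypted rather than ordinary code.
SUSPICIOUS_DIRS = ("\\temp\\", "\\locals~1\\", "\\appdata\\")
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_allow_entry(value: str) -> dict:
    """Split an allow-list value; rsplit keeps the drive-letter colon in the path."""
    path, scope, state, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope, "enabled": state == "Enabled", "name": name}


def audit_allow_list(allow_list: dict, read_file) -> list:
    """Return (path, reasons) for each enabled exception that looks suspicious.

    read_file(path) returns the executable's bytes, or None if unreadable.
    """
    findings = []
    for value in allow_list.values():
        entry = parse_allow_entry(value)
        if not entry["enabled"]:
            continue  # a disabled exception grants no network access
        reasons = []
        if any(d in entry["path"].lower() for d in SUSPICIOUS_DIRS):
            reasons.append("exception points into a temporary/user-writable directory")
        data = read_file(entry["path"])
        if data is not None:
            ent = shannon_entropy(data)
            if ent >= ENTROPY_THRESHOLD:
                reasons.append(f"high entropy {ent:.2f} bits/byte (likely packed or encrypted)")
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


def run_example() -> list:
    """Audit the constructed allow-list against the constructed file contents."""
    return audit_allow_list(FIREWALL_ALLOW_LIST, SAMPLE_FILES.get)


if __name__ == "__main__":
    for path, reasons in run_example():
        print(path)
        for r in reasons:
            print("  -", r)
```

Either signal on its own is weak (plenty of legitimate software is packed, and installers do add exceptions), but an enabled exception for a packed binary in a temporary directory is exactly the footprint a self-authorising packer leaves, and the two checks together narrow the list to something an analyst can review by hand.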