Anti-Virus vs. Commercial Packers

In the beginning, there was malware.

Naturally, this was followed fairly rapidly by the development of anti-virus software. The war has raged back and forth ever since.

During the course of this struggle, a new player entered the picture: the commercial software protector (aka packer). This development was a response to piracy of commercial applications, but it had unforeseen consequences for the anti-virus community.

Suddenly, malware authors were able to use these protectors to shield their malware from detection. This worked because it is exactly what the protectors were designed for: to make software difficult to analyze, and therefore difficult to pirate. In response to the upsurge of packers, anti-virus products started to automate the analysis of these files, also referred to as unpacking. This allows anti-virus software once again to see the original file inside and analyze it on its own merits.

With the release of Sophos Anti-Virus 7.0 the landscape has changed once again. With the inclusion of identities such as Sus/Compack we are able to classify commercially packed software appropriately, providing the customer with reports of files that have had significant effort put into obfuscating their contents. Armed with this knowledge the customer can then decide whether these files on their system have indeed come from a trusted source, such as a commercial software vendor, or whether they are suspicious files that should be sent to SophosLabs for analysis.
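To make the "significant effort put into obfuscating their contents" idea concrete, here is an added example of the kind of generic heuristic a scanner can use to flag a packed executable without identifying the specific packer. It is not Sophos's Sus/Compack logic and not code from the original post: it measures the Shannon entropy of each section (compressed or encrypted payloads sit close to 8 bits per byte) and the size of the import table (packer stubs usually import only what they need to unpack themselves). The thresholds, section names and the two samples are constructed for the illustration.

```python
"""
Entropy / import-table heuristic for spotting packed executables.
Added illustration only; thresholds and samples are assumptions, not Sophos values.
"""
import math
import random
from collections import Counter

# Thresholds are assumptions chosen for this illustration.
HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data is close to 8.0
FEW_IMPORTS = 5      # a packer stub typically imports only a handful of functions


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_indicators(sections: dict, imports: list) -> dict:
    """Collect the indicators a packed-file heuristic would report.

    sections: mapping of section name -> raw section bytes
    imports : list of imported function names
    """
    entropies = {name: round(shannon_entropy(body), 2) for name, body in sections.items()}
    high = [name for name, e in entropies.items() if e >= HIGH_ENTROPY]
    return {
        "section_entropy": entropies,
        "high_entropy_sections": high,
        "import_count": len(imports),
        "few_imports": len(imports) <= FEW_IMPORTS,
    }


def classify(sections: dict, imports: list) -> str:
    """'packed' when both indicators fire, 'suspicious' on one, 'clean' on none."""
    ind = packing_indicators(sections, imports)
    hits = int(bool(ind["high_entropy_sections"])) + int(ind["few_imports"])
    return {2: "packed", 1: "suspicious", 0: "clean"}[hits]


# --- Constructed samples (not real binaries) ---------------------------------
# "Unpacked": repetitive x86-style prologue bytes, readable strings, a normal import table.
CLEAN_SECTIONS = {
    ".text": b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" * 400,
    ".rdata": b"Error opening file %s\r\n\x00Usage: tool <input>\x00" * 50,
}
CLEAN_IMPORTS = ["CreateFileA", "ReadFile", "WriteFile", "CloseHandle",
                 "MessageBoxA", "ExitProcess", "GetCommandLineA", "HeapAlloc"]

# "Packed": seeded pseudo-random bytes stand in for a compressed/encrypted payload,
# next to a small loader stub and a minimal import table.
_rng = random.Random(20070101)
PACKED_SECTIONS = {
    ".packed": bytes(_rng.getrandbits(8) for _ in range(8192)),
    ".stub": b"\x60\xbe\x00\x10\x40\x00\x8d\xbe\x00\x00\xc0\xff" * 20,
}
PACKED_IMPORTS = ["LoadLibraryA", "GetProcAddress"]

if __name__ == "__main__":
    for label, secs, imps in (("clean sample", CLEAN_SECTIONS, CLEAN_IMPORTS),
                              ("packed sample", PACKED_SECTIONS, PACKED_IMPORTS)):
        print(label, "->", classify(secs, imps), packing_indicators(secs, imps))
```

A verdict of "packed" from a heuristic like this says nothing about intent, which is exactly the point of a Sus/ style report: the same indicators fire on a legitimately protected commercial application and on packed malware, so the customer (or the lab) still has to establish where the file came from before treating it as malicious.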

In the past week I have seen several different submissions that we have been the first to detect because of these new Sus/ identities. Once we receive these samples we are then able to write more specific detection to enhance clarity for the customer. Seeing these sorts of reports leads me to believe that we are definitely on the right track.