Inadvertently Shady

Packer Obfuscation

There have already been several blog posts about how commonly malware uses third-party runtime packers. A runtime packer wraps an executable so that it looks different on disk yet, once the packer's stub has restored it in memory, runs exactly as before. Malware authors use packers to obfuscate their code and so evade detection, rather than to compress their executables to save bandwidth or disk space. They also use script packers to obfuscate objects embedded within HTML.

So we know why malware authors use packers. What one must question is why some producers of legitimate software use exactly the same packing techniques. One would assume that there are two possible reasons for a clean application to be packed:

  1. Protect the code from being reverse-engineered.
  2. Compress the file to save space.

If the reason is the first, it is worth knowing that such protection can be circumvented with a variety of tools, including disassemblers and debuggers. If the reason is the second, why would anybody look beyond standard compressors such as UPX, ASPack or PECompact? For the obfuscation of script objects there is even less of an obvious rationale: surely one only hides one's code if there is something to hide. Perhaps something caddish.

It is for these reasons that the presence of any packing layer around a file or script object immediately raises the level of suspicion attached to it. Consider a human analogy. At the check-in counter at an airport, the ground staff may well scrutinise a person wearing large dark glasses, a hat and a heavy overcoat more closely than a person whose features are clearly visible. I recall seeing a sign at a check-in desk at Sydney airport that stated in no uncertain terms "We take jokes seriously!". In the same way, we at SophosLabs take software security very seriously.

Our advice is simple:

  • If there is no obvious reason to pack your code, please do not do it.
  • If you do need to use a packer, use one of the common, well-known ones such as UPX.

Furthermore, it is recommended that you fill in valid and adequate "passport information", e.g. CompanyName, in the version information shown under the application's properties, as additional evidence of legitimacy.
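The two signals above, "is this file packed?" and "does it carry passport information?", are what a scanner turns into evidence before deciding to look closer. As an added example (not SophosLabs' detection code), the script below parses the section table of a PE image using only the Python standard library, scores each section's Shannon entropy, matches section names that well-known packers write, and looks for the UTF-16LE "CompanyName" key that a VERSIONINFO resource contains. The entropy cut-off, the packer-name list and the two sample images that build_sample_pe constructs are assumptions made for illustration, not a real detection signature.

```python
"""Packing triage heuristic (added example; not SophosLabs' detection code).

Parses the PE section table from a byte string with the standard library
only, measures section entropy, flags section names well-known packers
write, and checks for the UTF-16LE "CompanyName" VERSIONINFO key.
Thresholds, the name list and the constructed samples are assumptions.
"""
import math
import random
import struct

# Section names written by well-known runtime packers (assumed, illustrative list)
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b"pec1", b"pec2", b".petite"}
HIGH_ENTROPY = 7.0   # bits/byte; compressed or encrypted data approaches 8.0 (assumed cut-off)
FILE_ALIGN = 0x200   # raw-data alignment used by the constructed sample


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section listed in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, opt_size = struct.unpack_from("<H12xH", image, coff + 2)
    table = coff + 20 + opt_size                          # section headers follow the optional header
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size]


def packing_indicators(image: bytes) -> dict:
    """Collect the evidence a scanner weighs before deciding to look closer."""
    sections = []
    for name, raw in pe_sections(image):
        sections.append({"name": name.decode("latin-1"), "size": len(raw),
                         "entropy": round(shannon_entropy(raw), 2),
                         "packer_name": name in PACKER_SECTION_NAMES})
    high_entropy = [s["name"] for s in sections if s["size"] and s["entropy"] >= HIGH_ENTROPY]
    packer_names = [s["name"] for s in sections if s["packer_name"]]
    # "Passport information": VERSIONINFO stores its keys as UTF-16LE strings,
    # so a crude presence check is a byte search for the encoded key name.
    has_company_name = "CompanyName".encode("utf-16-le") in image
    return {"sections": sections, "high_entropy": high_entropy, "packer_names": packer_names,
            "has_company_name": has_company_name, "suspicious": bool(high_entropy or packer_names)}


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE-shaped blob: enough header for pe_sections(), not a loadable binary."""
    opt_size = 224                                        # PE32 optional header, left zeroed
    n = len(sections)
    table_off = 0x40 + 4 + 20 + opt_size
    data_off = (table_off + 40 * n + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    hdr += b"\0" * opt_size
    body = bytearray()
    for name, data in sections:
        raw_ptr = data_off + len(body)
        hdr += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                           len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust((len(data) + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1), b"\0")
    return bytes(hdr.ljust(data_off, b"\0") + body)


def constructed_samples() -> dict:
    """Two constructed images: a plainly built one and a packed-looking one (both assumptions)."""
    rng = random.Random(2024)
    plain_code = b"\x55\x8b\xec\x83\xec\x10\x90" * 600              # repetitive x86-like bytes
    packed_blob = bytes(rng.getrandbits(8) for _ in range(4096))    # stands in for compressed code
    version_info = ("CompanyName".encode("utf-16-le") + b"\0\0"
                    + "Example Ltd".encode("utf-16-le") + b"\0\0")
    return {
        "clean": build_sample_pe([(b".text", plain_code), (b".rsrc", version_info)]),
        "packed": build_sample_pe([(b"UPX0", b""), (b"UPX1", packed_blob),
                                   (b".rsrc", "FileVersion".encode("utf-16-le"))]),
    }


if __name__ == "__main__":
    for label, image in constructed_samples().items():
        r = packing_indicators(image)
        print(label, "suspicious" if r["suspicious"] else "unremarkable",
              r["high_entropy"], r["packer_names"], "CompanyName" if r["has_company_name"] else "-")
```

High entropy on its own is evidence, not proof: a section holding compressed resources or an embedded certificate scores just as high, which is why a recognisable packer name and proper version information matter. A well-known packer can be unwrapped and the real code and properties examined; an unknown wrapper leaves the scanner with nothing but suspicion.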

By following the advice above you will be contributing to the fight against the bad guys by allowing us to pursue aggressive detection strategies for a safe and secure future.

Many thanks in advance from all of us at SophosLabs.
