Any researcher working in today’s malware battleground has no doubt come across the scores of packed malware distributed on the Internet. By packing or compressing their code, malware authors hope to escape detection from the signature-matching methods used by most anti-virus software. It has become so prevalent that over 92 percent of the malware on the 2006 WildList has been identified as packed. Packing is made easy thanks to the availability of dozens of different packers. In addition, open source packers exist, making it possible to modify and create new packer variations with little effort.
A presentation given by Brosch and Morgenstern at the Black Hat 2006 conference nicely illustrates the problems caused by packers. They have performed tests using some of the more popular anti-virus scanners and have found that scanning time can increase by a factor of 1.5 to 10 when given a packed file and detection rates decrease to as little as 39 percent.
How It Works
Packers work by compressing the original executable and then amending it with a short code segment responsible for decompressing the executable when it is run. Thus, launching the packed program causes the unpacker code to run. After unpacking the program, the unpacker code transfers control to the original code. All of this is bundled together within a single program, eliminating the need to include a separate unpacking program with the malware sample.
The Dynamic Unpacker decompresses packed code by monitoring the program while it runs in a virtual machine and observing all memory accesses. The Dynamic Unpacker detects when a transfer of control to an area of previously written memory occurs. When this happens, the original entry point of the program has been discovered and the program is now unpacked. At this point, an image of the unpacked executable resides in memory. In effect, the Dynamic Unpacker allows the packed program to unpack itself. The in-memory image is then dumped to a file, giving us access to the unpacked code.