Sophos


Gone are the days of the Passive Packer

Packers have traditionally been employed to reduce an executable's footprint by compressing it. They have since evolved to hinder patching and reverse engineering of the underlying application by integrating encryption, obfuscation and anti-debugging technology, but never have they carried their own payloads.

A new batch of samples recently observed here in SophosLabs exhibits the traditional packer features of encryption, compression and obfuscation, and then goes further: this hybrid packer has built-in functionality to modify personal firewall rules so that the host program, once unpacked, gains unauthorised network access.

This method of attack has traditionally been the realm of custom-built Trojans and network worms, which leads us to believe this new development indicates the packer itself will be used, and can only be used, for malicious purposes.
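The behaviour described above gives a defender two signals to correlate: a firewall exception being added, and the image it names being a compressed or encrypted (high-entropy) packed file. The triage below is an added example, not SophosLabs code; the event lines are constructed and their field layout is an assumption modelled on Windows Security event 4946 (rule added), and the file contents are in-memory stand-ins for what a scanner would read from disk.

```python
import math
import re
from collections import Counter

# Constructed records modelled on Windows Security event 4946 ("a rule was added"
# to the firewall exception list), trimmed to the fields this triage needs.
SAMPLE_EVENTS = [
    "4946 rule=Vendor Updater app=C:\\Program Files\\Vendor\\updater.exe dir=Out action=Allow",
    "4946 rule=svchost app=C:\\Users\\Public\\Temp\\svch0st.exe dir=Out action=Allow",
]

# Constructed stand-ins for the image bytes a real scanner would read from disk.
FILE_BYTES = {
    "C:\\Program Files\\Vendor\\updater.exe": b"MZ" + b"\x00" * 512 + b"This program cannot be run in DOS mode.\r\n" * 8,
    "C:\\Users\\Public\\Temp\\svch0st.exe": b"MZ" + bytes(range(256)) * 8,  # byte-uniform, like a packed image
}

EVENT_RE = re.compile(r"^(?P<id>\d+) rule=(?P<rule>.+?) app=(?P<app>.+?) dir=(?P<dir>\w+) action=(?P<action>\w+)$")
PACKED_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\")  # heuristic prefix list, an assumption

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())

def parse_event(line: str) -> dict:
    """Split one constructed rule-added record into its fields."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return m.groupdict()

def triage(events, read_file=FILE_BYTES.get):
    """Return (app path, reasons) for every Allow rule added for a suspicious image."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev["action"] != "Allow":
            continue
        reasons = []
        if ev["app"].lower().startswith(USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        entropy = shannon_entropy(read_file(ev["app"]) or b"")
        if entropy >= PACKED_ENTROPY:
            reasons.append(f"image entropy {entropy:.2f} bits/byte (packed or encrypted)")
        if reasons:
            findings.append((ev["app"], reasons))
    return findings

if __name__ == "__main__":
    for app, reasons in triage(SAMPLE_EVENTS):
        print(app, "->", "; ".join(reasons))
```

Only the second rule is flagged: the vendor updater is neither packed nor in a user-writable path, while the temp-directory image trips both checks.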

The distinction between wrapper and content has now become as muddied as a winter football field and may justify many security professionals’ paranoia with packed files.



